servlet run-as role
mat127 Dec 16, 2005 3:48 AM
Hello,
I use the 4.0.2 version of JBoss AS and try to solve following issue:
I have a public servlet without any security constraints that needs to access secured EJBs. To solve this situation I defined a special security role and added it to the servlet with the <run-as> tag in the web.xml deployment descriptor:
    <servlet>
        <servlet-name>catchit</servlet-name>
        ...
        <run-as>
            <role-name>catchit</role-name>
        </run-as>
    </servlet>
    <security-role>
        <role-name>catchit</role-name>
    </security-role>
The corresponding jboss-web.xml role definition is:
    <security-role>
        <role-name>catchit</role-name>
        <principal-name>catchit</principal-name>
    </security-role>
The following calls to HttpServletRequest methods within the servlet's code gave these results, so it seemed that run-as does not work:
    request.isUserInRole("catchit") == false
    request.getUserPrincipal() == null
Ok, I thought that the role is added only to calls from the servlet to the other components (in my case, to the EJB), so I tried calling the SessionContext methods within my SessionBean code:
    sc.isCallerInRole("catchit") == false
    sc.getCallerPrincipal() == SimplePrincipal("anonymous")
but with the same result. The principal is not null any more, but again it does not have the role "catchit" assigned to the servlet by the run-as tag.
The role "catchit" is defined within the assembly-descriptor of the ejb-jar.xml:
    <assembly-descriptor>
        <security-role>
            <role-name>catchit</role-name>
        </security-role>
    </assembly-descriptor>
My questions are:
1. Is this solution applicable to the situation described at the beginning?
2. If so, what have I done wrong?
3. If not, can you point me to the right way?
4. Maybe the trouble is that the secure EJBs are not protected by <method-permission> declarations within the <assembly-descriptor>, but that I use some kind of explicit security check within the EJB methods' code?
Looking forward to your smart advice,
Petr
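As an added illustration of the explicit, in-code role check that question 4 describes (example code, not part of the original post and not JBoss's own code): an EJB 2.1 stateless session bean that rejects callers lacking a role instead of relying on a <method-permission> element. The bean name, local method and constant are assumed for illustration. Two spec-level points it relies on: the Servlet specification defines <run-as> only as the identity used for the web component's outgoing EJB calls, so request.isUserInRole and request.getUserPrincipal keep describing the web client (false and null for an unauthenticated client regardless of run-as); and the EJB specification requires every role name passed to isCallerInRole to be declared in a <security-role-ref> of that bean, linked with <role-link> to the <security-role> in the assembly descriptor.

```java
// Added example, not from the original post: explicit role enforcement inside
// an EJB 2.1 stateless session bean. The bean name, the business method and
// the role constant are assumptions chosen to match the post's "catchit" role.
import javax.ejb.CreateException;
import javax.ejb.SessionBean;
import javax.ejb.SessionContext;

public class CatchItBean implements SessionBean {

    // Must match a <security-role-ref>/<role-name> declared for this bean in
    // ejb-jar.xml, whose <role-link> points at the assembly-descriptor role.
    private static final String CATCHIT_ROLE = "catchit";

    private SessionContext ctx;

    public void setSessionContext(SessionContext ctx) {
        this.ctx = ctx;
    }

    public void ejbCreate() throws CreateException {
    }

    public void ejbRemove() {
    }

    public void ejbActivate() {
    }

    public void ejbPassivate() {
    }

    // Business method without a <method-permission>: the container lets any
    // caller in, so the bean enforces the role itself. When the calling
    // servlet carries <run-as>, the identity seen here is the run-as principal
    // mapped by the container, not the (possibly anonymous) web client.
    public String catchIt(String payload) {
        requireRole(CATCHIT_ROLE);
        return "caught: " + payload;
    }

    // Fail closed: deny unless the container confirms the role. Logging the
    // principal name helps diagnose a run-as mapping that did not take effect.
    private void requireRole(String role) {
        if (!ctx.isCallerInRole(role)) {
            String who = ctx.getCallerPrincipal() == null
                    ? "<no principal>"
                    : ctx.getCallerPrincipal().getName();
            throw new SecurityException(
                    "caller " + who + " lacks required role " + role);
        }
    }
}
```

A practical check when the result is still false: confirm that the <security-role-ref> for "catchit" is present under the bean's <session> element and that the principal named in the jboss-web.xml <security-role> mapping is one the EJB's security domain actually maps to that role; when both are in place, a declarative <method-permission> naming the same role is the less error-prone alternative to checks scattered through method bodies.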