2 Replies Latest reply on Aug 29, 2010 8:42 AM by Kobi Ianko

    servlet run-as role

    Petr Matousek Newbie

      Hello,

      I use the 4.0.2 version of JBoss AS and try to solve following issue:

      I have a public servlet without any security constraints that needs to access secured EJBs. To solve such situation I defined a special security role and added it to the servlet by the <run-as> tag in the web.xml deployment descriptor:

       <servlet>
       <servlet-name>catchit</servlet-name>
       ...
       <run-as>
       <role-name>catchit</role-name>
       </run-as>
       </servlet>
      
       <security-role>
       <role-name>catchit</role-name>
       </security-role>
      


      The corresponding jboss-web.xml role definition is:
       <security-role>
       <role-name>catchit</role-name>
       <principal-name>catchit</principal-name>
       </security-role>
      


      Following call to the HttpServletRequest method within servlet's code results in false so it seemed that run-as does not work:
      request.isUserInRole("catchit) == false
      request.getUserPrincipal() == null
      


      Ok, I thought that the role is added only to calls from servlet to the other components (in my case, to the EJB) so I tried to call to SessionContext method within my SessionBean code:
      sc.isCallerInRole("catchit")==false
      sc.getCallerPrincipal() == SimplePrincipal("anonymous")
      

      but with the same result. The principal is not null any more but again does not have the role "catchit" assigned to the servlet by the run-as tag.

      The role "catchit" is defined within the assemby-descriptor of the ejb-jar.xml:
       <assembly-descriptor>
       <security-role>
       <role-name>catchit</role-name>
       </security-role>
       </assembly-descriptor>
      


      My questions are:

      1. Is this solution applicable to the situation described at the beggining?
      2. If so, what I have done wrong?
      3. If not, can you point me to the right way?

      4. Maybe the trouble is that the secure EJBs are not protected by the <method-permissions> declarations within the <assembly-descriptor>, but I use some kind of explicit security checks within the EJBs methods code?

      Looking forward to your smart advices,

      Petr