5 Replies Latest reply on Mar 12, 2007 1:51 PM by Anil Saldanha

    Bug in SecurityAssociation(?) - EJB3 MDB Calls a SLSB which

    sappenin Novice

      I am running JBAS 4.0.4GA_Patch1. I have an annotated EJB3 MDB, with the following annotations:

      @SecurityDomain("myRealm")
      @RunAs("system")
      @RolesAllowed( {
       "admin", "system"
      })
      


      Inside of my MDB, I am calling a function on a SLSB (called "UserBean"). Inside of my SLSB UserBean, I execute the following call (notice the injected SessionContext):

      @Resource SessionContext context;
      
      public someFunc(..)
      {
      Principal p = this.context.getCallerPrincipal();
      }
      


      Now, this SLSB call works just fine if I access the SLSB from, say, a web-services call (I get the proper principal returned). However, when I call it from an MDB, I get the following exception: "java.lang.IllegalStateException: No valid security context for the caller identity".

      After doing a bit of digging, I noticed that inside of the SecurityAssociation class, the peekRunAsIdentity() function is being called with a depth of 1. Inside of peekRunAsIdentity, the peek() function is trying to determine a valid "runas" role. If I debug this, I can see the correct "system" role in the stack (ArrayList) object, complete with an "anonymous" principal name. However, the depth always gets set to -1 inside of the peek function, and so the "RunAs" role is ignored. The peek() function (incorrectly) assumes that the principal is null, and throws an IllegalStateException.

      Something seems amiss here...like I said, my code works fine, so long as its not invoked from an MDB. Can anybody comment on this?

      Thanks!

      David