13 Replies Latest reply on Jun 15, 2011 10:04 AM by Johan Hedin

    @RunAs in JBoss 5 - Caller unauthorized in second call

    K K Newbie

      Hallo,

      I've noticed the following strange behaviour using the @RunAs annotation in a secured STSB.

      I've tried JBoss 5.0.1.GA and 5.1.0.GA.

      Take a look at the following simple scenario: three secured STSBs Caller, A and B. Caller runs as Admin defined by @RunAs("Admin") annotation and uses the role Admin for all method calls on other STSBs, STSB A allowes access only by Admins (realize by @RolesAllowed("Admin") annotation) , the same definition can be found in the STSB B. All STSBs are in the same security domain defined by @SecurityDomain("foo").

      1) Authorized Client calls Caller method (the Client hasn't got the role "Admin")
      2) Caller method calls A method (as a "Admin")
      3) A method calls B method. (I supposed that the "Admin" role is propagated to the second call)

      1) and 2) are ok.
      3) throws "Caller unauthorized" exception.

      Is this a bug or a feature?