<run-as> refers to the authorities.
You still need an authentication.
Just create a user with no roles for the unauthenticated
identity - that way if somebody uses that identity
for authentication they won't be authorised to do anything.
The MDB is ok because it is using the <run-as> authorities.
Like other people who have posted questions on this topic, I'm attempting to have my MDB call a session EJB that has a security constraint. I specify the run-as, but that did not permit me to interact with the session bean - it would not be authorized as the principal is null.
After reading messages in the JBoss forums, I added an unauthenticated identity, with a user that had no roles. This did not correct the problem, the principal remained null. After further searching, I found a code snippet that did a JAAS login in the MDB onMessage() method. I logged in as my guest user and was finally able to invoke my session bean's methods.
I don't believe I'm doing this correctly, although I managed to make it work. Is all this strictly necessary, or is there a more simple way to achieve this?
Thanks for your help,
Your problem is a security configuration issue not an mdb
Your unauthenticated identity is not configured correctly if it is still
complaining about a null principal.
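
The configuration the replies above describe, as an added example that is not part of the original thread: a run-as role on the MDB, a session bean that admits only that role, and an unauthenticated identity that carries no roles. It assumes JBoss AS 4.x-style descriptors; the bean names, the role `InternalCaller`, the domain `example-domain` and the identity `guest` are hypothetical.

```xml
<!-- Constructed example. Fragment 1: META-INF/ejb-jar.xml -->
<enterprise-beans>
  <message-driven>
    <ejb-name>OrderListenerMDB</ejb-name>          <!-- hypothetical -->
    <ejb-class>example.OrderListenerMDB</ejb-class>
    <!-- run-as supplies the role used when the MDB calls other beans;
         it does not authenticate anyone -->
    <security-identity>
      <run-as>
        <role-name>InternalCaller</role-name>
      </run-as>
    </security-identity>
  </message-driven>
</enterprise-beans>
<assembly-descriptor>
  <security-role>
    <role-name>InternalCaller</role-name>
  </security-role>
  <!-- Only the run-as role may invoke the session bean -->
  <method-permission>
    <role-name>InternalCaller</role-name>
    <method>
      <ejb-name>OrderServiceBean</ejb-name>        <!-- hypothetical -->
      <method-name>*</method-name>
    </method>
  </method-permission>
</assembly-descriptor>

<!-- Fragment 2: META-INF/jboss.xml, binding the beans to a security domain -->
<jboss>
  <security-domain>java:/jaas/example-domain</security-domain>
</jboss>

<!-- Fragment 3: conf/login-config.xml, the matching application policy -->
<application-policy name="example-domain">
  <authentication>
    <login-module code="org.jboss.security.auth.spi.UsersRolesLoginModule"
                  flag="required">
      <!-- Callers presenting no credentials become "guest", which has no
           roles, so the principal is not null but is authorised for nothing -->
      <module-option name="unauthenticatedIdentity">guest</module-option>
    </login-module>
  </authentication>
</application-policy>
```

The domain name in `jboss.xml` must match the `application-policy` name; if the beans resolve to a different policy, the `unauthenticatedIdentity` option above is never consulted.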