[jboss-user] [Security & JAAS/JBoss] - Re: Calling protected ejb method from anoter

[drfranknfurter]

It seems I spoke a bit hastily.

Although initial tests indicated that this should work, I can't get it to work. I think I misunderstood.

Here is my scenario:

Web tier calls EJB1 method which is protected. The user has the required role and all is well. EJB1 calls EJB2 which requires a different role. So I annotated EJB1 with @RunAs specifying the role required by EJB2. 

Unfortunately @RunAs only allows 1 role. This is not sufficient if EJB1 calls various other EJBs protected with various roles. What I tried to do to get around this was create a role, not ever assigned to a user, for this purpose specifically. 
@RunAs would always use this role and methods that are called from the Web tier AND the EJB tier gets this role added to its @RolesAllowed (in addition to the existing role required). 
Sounded like a good idea at the time... except for that it does not work.

Even if the user has the original role required for the method call it fails. Which makes sense since the only role used to call the EJB is now the one specified with @RunAs, what I don't get is why is it not matching? I have the @RunAs role added to the @RolesAllowed?

View the original post : http://www.jboss.org/index.html?module=bb&op=viewtopic&p=4211699#4211699

Reply to the post : http://www.jboss.org/index.html?module=bb&op=posting&mode=reply&p=4211699