InstanceInterceptors need to set SecurityContext on EnterpriseContext from Threadlocal -------------------------------------------------------------------------------------- Key: JBAS-5066 URL: http://jira.jboss.com/jira/browse/JBAS-5066 Project: JBoss Application Server Issue Type: Bug Security Level: Public (Everyone can see) Components: EJB2, Security Affects Versions: JBossAS-5.0.0.Beta2 Reporter: Anil Saldhana Assigned To: Anil Saldhana Fix For: JBossAS-5.0.0.Beta3 Currently, the StatelessInstanceInterceptor is doing ctx.setSecurityContext(mi.getSecurityContext()); which leads to an error in the audit log (Note: CLIENT_PROXY) as: -------------------------------------------- 2007-12-09 08:06:25,734 TRACE [org.jboss.security.audit.providers.LogAuditProvid er] (WorkerThread#0[127.0.0.1:1180]:) [Error]roleRefPermissionCheck=true;authori zationManager=[AuthorizationManager:class=org.jboss.security.plugins.JBossAuthor izationManager:CLIENT_PROXY:];roleName=InternalRole;Resource:=[org.jboss.securit y.authorization.resources.EJBResource:contextMap={roleRefPermissionCheck=true, r oleName=InternalRole, authorizationManager=[AuthorizationManager:class=org.jboss .security.plugins.JBossAuthorizationManager:CLIENT_PROXY:]}:method=null:ejbMetho dInterface=null:ejbName=Entity:ejbPrincipal=scott:methodRoles=null:securityRoleR eferences=[]];Source=org.jboss.security.integration.ejb.EJBAuthorizationHelper;E xception:=Authorization Failed: ; ------------------------------------------------------------ what needs to be done is: ctx.setSecurityContext(SecurityActions.getSecurityContext()); For StatefulInstanceInterceptor which gets invoked before SecurityInterceptor, create a new sec ctx based on the container settings. -- This message is automatically generated by JIRA. - If you think it was sent incorrectly contact one of the administrators: http://jira.jboss.com/jira/secure/Administrators.jspa - For more information on JIRA, see: http://www.atlassian.com/software/jira