[ https://issues.jboss.org/browse/WFLY-3469?page=com.atlassian.jira.plugin.... ]
Josef Cacek closed WFLY-3469.
-----------------------------
Resolution: Rejected
The {{@RunAs}} annotation is used for assigning *role for outgoing calls*. So in your
example the "student" role is used for calling the second EJB from the Student
class:
{code}
notebook.getCallerPrincipal();
{code}
If you want to set the principal, then use annotation
{{org.jboss.ejb3.annotation.RunAsPrincipal}}
{code}
@RunAsPrincipal("MyPrincipalName")
{code}
I'm closing the bug as rejected. If you think there is still an issue, feel free to
reopen it.
@RunAs - security principal not assigned by default
---------------------------------------------------
Key: WFLY-3469
URL: https://issues.jboss.org/browse/WFLY-3469
Project: WildFly
Issue Type: Bug
Components: EJB, Security
Affects Versions: 8.1.0.Final
Reporter: Tomas Remes
Assignee: David Lloyd
I would suppose (however I am not sure here) that the following methods calling
getCallerPrincipal() will return the "student" and "notebook" (or at least
"student", when calling the notebook's principal in the case below) values and not
the "anonymous" value. From EJB spec 12.3.4.1 Run-as:
{quote}
The Deployer then assigns a security principal defined in the operational environment to
be used as the
principal for the run-as identity. The security principal assigned by the Deployer should
be a principal
that has been assigned to the security role specified by RunAs annotation ...
{quote}
Note that I created ApplicationUsers, which maps to the roles of same name
(student=student, etc. in application-roles.properties)
This could be IMHO somehow enforced. In JSR-250 2.8
javax.annotation.security.RunAs there is:
{quote}
The RunAs annotation defines the role of the application during execution in a Java
EE container. It can be specified on a class. This allows developers to execute an
application under a particular role. The role MUST map to the user / group
information in the container’s security realm.
{quote}
{code}
import javax.annotation.Resource;
import javax.annotation.security.PermitAll;
import javax.annotation.security.RunAs;
import javax.ejb.EJB;
import javax.ejb.SessionContext;
import javax.ejb.Stateless;
import javax.inject.Named;

import org.jboss.ejb3.annotation.SecurityDomain;

@Named
@Stateless
@RunAs("student")          // run-as role for calls made by this bean
@SecurityDomain("other")
@PermitAll
public class Student {

    @Resource
    private SessionContext context;

    @EJB
    Notebook notebook;

    // Calls the second EJB; Notebook reports the principal it sees for that call.
    public String getNotebookPrincipal() {
        return notebook.getCallerPrincipal();
    }

    // Principal as seen inside this bean (the actual caller of Student).
    public String getStudentPrincipal() {
        return context.getCallerPrincipal().toString();
    }
}
{code}
{code}
import javax.annotation.Resource;
import javax.annotation.security.RolesAllowed;
import javax.annotation.security.RunAs;
import javax.ejb.SessionContext;
import javax.ejb.Stateless;

import org.jboss.ejb3.annotation.SecurityDomain;

@Stateless
@RunAs("notebook")
@SecurityDomain("other")
@RolesAllowed("student")   // reachable from Student thanks to its @RunAs("student")
public class Notebook {

    @Resource
    private SessionContext context;

    // Principal the container presents for the incoming call from Student.
    public String getCallerPrincipal() {
        return context.getCallerPrincipal().toString();
    }
}
{code}
--
This message was sent by Atlassian JIRA
(v6.3.1#6329)
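The following listing is an added example and not code from WFLY-3469 or from WildFly itself. It takes the reporter's Student/Notebook pair and applies the resolution from the closing comment: {{@RunAs}} supplies the role that lets the call pass Notebook's {{@RolesAllowed("student")}}, and {{org.jboss.ejb3.annotation.RunAsPrincipal}} supplies the principal name the callee sees; without it the callee gets the container's anonymous principal, which matters if the callee audits or keys decisions on the principal name. The principal name "student-runas", the method names and the check via {{isCallerInRole}} are assumptions made for the example; whether the chosen name must exist in the realm is not stated on this page and should be verified against your WildFly version. Two source files are shown in one listing, separated by comments.

```java
// Added example (not part of WFLY-3469): @RunAs for the outgoing role plus
// @RunAsPrincipal for the principal name the callee observes.

// --- Notebook.java ---
import javax.annotation.Resource;
import javax.annotation.security.RolesAllowed;
import javax.ejb.SessionContext;
import javax.ejb.Stateless;

import org.jboss.ejb3.annotation.SecurityDomain;

@Stateless
@SecurityDomain("other")
@RolesAllowed("student")            // authorization is decided on the run-as ROLE
public class Notebook {

    @Resource
    private SessionContext context;

    /**
     * Describes the identity the container presents for the incoming call.
     * Authorization decisions belong in @RolesAllowed / isCallerInRole;
     * the principal name is for auditing and correlation, not access control.
     */
    public String describeCaller() {
        String principal = context.getCallerPrincipal().getName(); // "anonymous" if no @RunAsPrincipal upstream
        boolean student = context.isCallerInRole("student");         // true because of Student's @RunAs
        return "principal=" + principal + " inRole(student)=" + student;
    }
}

// --- Student.java ---
import javax.annotation.security.PermitAll;
import javax.annotation.security.RunAs;
import javax.ejb.EJB;
import javax.ejb.Stateless;

import org.jboss.ejb3.annotation.RunAsPrincipal;
import org.jboss.ejb3.annotation.SecurityDomain;

@Stateless
@SecurityDomain("other")
@PermitAll
@RunAs("student")                   // role used for calls this bean makes (passes Notebook's @RolesAllowed)
@RunAsPrincipal("student-runas")    // assumed name; sets the principal Notebook reports instead of "anonymous"
public class Student {

    @EJB
    private Notebook notebook;

    /** Expected: principal=student-runas inRole(student)=true */
    public String describeNotebookCaller() {
        return notebook.describeCaller();
    }
}
```

Remove the {{@RunAsPrincipal}} line and the call still succeeds (the role check is unchanged) but {{describeCaller()}} reports the anonymous principal, which is the behaviour the issue describes.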