Timeout method gets called with an unspecified caller identity
--------------------------------------------------------------
Key: EJBTHREE-1027
URL: http://jira.jboss.com/jira/browse/EJBTHREE-1027
Project: EJB 3.0
Issue Type: Bug
Components: Security
Affects Versions: AS 4.2.1.GA
Reporter: Carlo de Wolf
Having a secured bean with a timeout method with @PermitAll, but without an
unauthenticatedIdentity, will lead to a 'random' identity being used to call the
method or no identity at all. The latter leads to EJBAccessExceptions.
Spec 18.2.2:
"Since the timeout callback method is an internal method of the bean class, it has no
client security context. When getCallerPrincipal is called from within the timeout
callback method, it returns the container's representation of the unauthenticated
identity."
We must disallow all calls to a timeout method if unauthenticatedIdentity is not set.