[ https://jira.jboss.org/jira/browse/JBAS-7053?page=com.atlassian.jira.plug... ] Jesus Menendez updated JBAS-7053: --------------------------------- Description: I configured two EJBs to make use of the run-as security identity tag The EJBS implement a class called AgentBean When I use PolicyContext.getContext("javax.security.auth.Subject.container") within and AgentBean method it should return the RunAsIdentity of that method as declared in the run-as tag . it returns anonymous wihch is the current authenticated user.. not the one specified in run-as When I looked at the source code in org.jboss.security.jacc.SubjectPolicyContexthandler I saw this method call in lines 55 and 73 RunAsIdentity callerRunAsIdentity = (RunAsIdentity) SecurityAssociation.peekRunAsIdentity(1); What I did is to change the parameter from a value of 1 to a value of 0 so it peeks the top element in the stack I patched Jboss with this modification and the PolicyContext.getContext("javax.security.auth.Subject.container") started returning the right values So, do you think this is a bug in org.jboss.security.jacc.SubjectPolicyContexthandler Why SecurityAssociation.peekRunAsIdentity is it being called with a parameter value of 1. That is looking two levels down in the stack isn't it? Connfiguration of EJB is ejb-jar.xml <?xml version="1.0" encoding="UTF-8"?> <ejb-jar version="3.0" xsi:schemaLocation="http://java.sun.com/xml/ns/javaee http://java.sun.com/xml/ns/javaee/ejb-jar_3_0.xsd" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns="http://java.sun.com/xml/ns/javaee"> <enterprise-beans> <session> <ejb-name>editors</ejb-name> <mapped-name>ejb/assethouse/goya/process/agents/editors</mapped-name> <business-local>com.assethouse.goya.process.agent.Agent</business-local> <ejb-class>com.assethouse.goya.process.agent.AgentBean</ejb-class> <session-type>Stateless</session-type> <timeout-method> <method-name>startTask</method-name> </timeout-method> <security-identity> <run-as> <description>Group for editors Partition</description> <role-name>editors</role-name> </run-as> </security-identity> </session> <session> <ejb-name>publishers</ejb-name> <mapped-name>ejb/assethouse/goya/process/agents/publishers</mapped-name> <business-local>com.assethouse.goya.process.agent.Agent</business-local> <ejb-class>com.assethouse.goya.process.agent.AgentBean</ejb-class> <session-type>Stateless</session-type> <timeout-method> <method-name>startTask</method-name> </timeout-method> <security-identity> <run-as> <description>Group for publishers Partition</description> <role-name>publishers</role-name> </run-as> </security-identity> </session> </enterprise-beans> <assembly-descriptor> <security-role> <role-name>editors</role-name> </security-role> <security-role> <role-name>publisher</role-name> </security-role> </assembly-descriptor> </ejb-jar> jboss.xml <?xml version="1.0" encoding="UTF-8"?> <!DOCTYPE jboss PUBLIC "-//JBoss//DTD JBOSS 4_2//EN" "http://www.jboss.org/j2ee/dtd/jboss_4_2.dtd"> <jboss> <security-domain>java:/jaas/process</security-domain> <enterprise-beans> <session> <ejb-name>editors</ejb-name> <security-identity> <run-as-principal>editor</run-as-principal> </security-identity> </session> <session> <ejb-name>publishers</ejb-name> <security-identity> <run-as-principal>publisher</run-as-principal> </security-identity> </session> </enterprise-beans> <assembly-descriptor> <security-role> <role-name>publishers</role-name> <principal-name>publisher</principal-name> </security-role> <security-role> <role-name>editors</role-name> <principal-name>editor</principal-name> </security-role> </assembly-descriptor> </jboss> Also configured the login-module with a new security domain with an UserRoleLoginModule plugin roles.properties publisher=publishers editor=editors user.properties publisher=password editor=password was: I configured two EJBs to make use of the run-as security identity tag The EJBS implement a class called AgentBean When I use PolicyContext.getContext("javax.security.auth.Subject.container") within and AgentBean method it should return the RunAsIdentity of that method as declared in the run-as tag . it returns anonymous wihch is the current authenticated user.. not the one specified in run-as When I looked at the source code in org.jboss.security.jacc.SubjectPolicyContexthandler I saw this method call in lines 55 and 73 RunAsIdentity callerRunAsIdentity = (RunAsIdentity) SecurityAssociation.peekRunAsIdentity(1); What I did is to change the parameter from a value of 1 to a value of 0 so it peeks the top element in the stack I patched Jboss with this modification and the PolicyContext.getContext("javax.security.auth.Subject.container") started returning the right values (editors and publishers) So, do you think this is a bug in org.jboss.security.jacc.SubjectPolicyContexthandler Why SecurityAssociation.peekRunAsIdentity is it being called with a parameter value of 1. That is looking two levels down in the stack isn't it? Connfiguration of EJB is ejb-jar.xml <?xml version="1.0" encoding="UTF-8"?> <ejb-jar version="3.0" xsi:schemaLocation="http://java.sun.com/xml/ns/javaee http://java.sun.com/xml/ns/javaee/ejb-jar_3_0.xsd" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns="http://java.sun.com/xml/ns/javaee"> <enterprise-beans> <session> <ejb-name>editors</ejb-name> <mapped-name>ejb/assethouse/goya/process/agents/editors</mapped-name> <business-local>com.assethouse.goya.process.agent.Agent</business-local> <ejb-class>com.assethouse.goya.process.agent.AgentBean</ejb-class> <session-type>Stateless</session-type> <timeout-method> <method-name>startTask</method-name> </timeout-method> <security-identity> <run-as> <description>Group for editors Partition</description> <role-name>editors</role-name> </run-as> </security-identity> </session> <session> <ejb-name>publishers</ejb-name> <mapped-name>ejb/assethouse/goya/process/agents/publishers</mapped-name> <business-local>com.assethouse.goya.process.agent.Agent</business-local> <ejb-class>com.assethouse.goya.process.agent.AgentBean</ejb-class> <session-type>Stateless</session-type> <timeout-method> <method-name>startTask</method-name> </timeout-method> <security-identity> <run-as> <description>Group for publishers Partition</description> <role-name>publishers</role-name> </run-as> </security-identity> </session> </enterprise-beans> <assembly-descriptor> <security-role> <role-name>editors</role-name> </security-role> <security-role> <role-name>publisher</role-name> </security-role> </assembly-descriptor> </ejb-jar> jboss.xml <?xml version="1.0" encoding="UTF-8"?> <!DOCTYPE jboss PUBLIC "-//JBoss//DTD JBOSS 4_2//EN" "http://www.jboss.org/j2ee/dtd/jboss_4_2.dtd"> <jboss> <security-domain>java:/jaas/process</security-domain> <enterprise-beans> <session> <ejb-name>editors</ejb-name> <security-identity> <run-as-principal>editor</run-as-principal> </security-identity> </session> <session> <ejb-name>publishers</ejb-name> <security-identity> <run-as-principal>publisher</run-as-principal> </security-identity> </session> </enterprise-beans> <assembly-descriptor> <security-role> <role-name>publishers</role-name> <principal-name>publisher</principal-name> </security-role> <security-role> <role-name>editors</role-name> <principal-name>editor</principal-name> </security-role> </assembly-descriptor> </jboss> Also configured the login-module with a new security domain with an UserRoleLoginModule plugin roles.properties publisher=publishers editor=editors user.properties publisher=password editor=password -- This message is automatically generated by JIRA. - If you think it was sent incorrectly contact one of the administrators: https://jira.jboss.org/jira/secure/Administrators.jspa - For more information on JIRA, see: http://www.atlassian.com/software/jira