[ https://issues.jboss.org/browse/WFLY-2847?page=com.atlassian.jira.plugin.... ]
Matus Abaffy updated WFLY-2847:
-------------------------------
Description:
3 session beans: @RunAs("printer") Printer, which calls HelperBean (no security
annotations), which calls @RolesAllowed("printer") Toner. The last invocation
results in
{{javax.ejb.EJBAccessException: JBAS014502: Invocation on method: public void
org.jboss.as.test.integration.ejb.security.runas.propagation.Toner.spill() of bean: Toner
is not allowed}}
Printer calling Toner (directly) works just fine. And if the HelperBean is a CDI managed
bean, it works just fine too.
According to the EJB spec, 12 Security management, 12.1 Overview:
bq. "By default, the caller principal will be propagated as the caller identity. The
Bean Provider can use the RunAs annotation to specify that a security principal that has
been assigned to a specified security role be used instead. See Section 12.3.4."
12.3.4 Specification of Security Identities in the Deployment Descriptor:
bq. "The Bean Provider or Application Assembler typically specifies whether the
caller’s security identity should be used for the execution of the methods of an
enterprise bean or whether a specific run-as identity should be used. By default the
caller’s security identity is used."
etc.
{code}
import javax.annotation.security.PermitAll;
import javax.annotation.security.RunAs;
import javax.ejb.EJB;
import javax.ejb.Stateless;

// First hop: executes as the "printer" role regardless of the external caller
@Stateless
@RunAs("printer")
@PermitAll
public class Printer {
    @EJB
    HelperBean hb;

    public void invokeHelperBean() {
        hb.invokeToner();
    }
}
{code}
{code}
import javax.ejb.EJB;
import javax.ejb.Stateful;

// Second hop: no security annotations, so the incoming identity
// ("printer", from Printer's @RunAs) should be propagated unchanged
@Stateful
public class HelperBean {
    @EJB
    Toner toner;
    public void invokeToner() {
        toner.spill();
    }
}
{code}
{code}
import javax.annotation.security.RolesAllowed;
import javax.ejb.Stateless;

// Third hop: only callers in the "printer" role may invoke spill()
@Stateless
@RolesAllowed("printer")
public class Toner {
    public void spill() {}
}
{code}
A somewhat more sophisticated test is available at:
https://github.com/bafco/wildfly/commits/securityContext
was:
3 session beans: @RunAs("printer") Printer, which calls HelperBean (no security
annotations), which calls @RolesAllowed("printer") Toner. The last invocation
results in
{{javax.ejb.EJBAccessException: JBAS014502: Invocation on method: public void
org.jboss.as.test.integration.ejb.security.runas.propagation.Toner.spill() of bean: Toner
is not allowed}}
Printer calling Toner (directly) works just fine. And if the HelperBean is a CDI managed
bean, it works just fine too.
According to the EJB spec, 12 Security management, 12.1 Overview:
bq. "By default, the caller principal will be propagated as the caller identity. The
Bean Provider can use the RunAs annotation to specify that a security principal that has
been assigned to a specified security role be used instead. See Section 12.3.4."
12.3.4 Specification of Security Identities in the Deployment Descriptor:
bq. "The Bean Provider or Application Assembler typically specifies whether the
caller’s security identity should be used for the execution of the methods of an
enterprise bean or whether a specific run-as identity should be used. By default the
caller’s security identity is used."
etc.
{code}
import javax.annotation.security.PermitAll;
import javax.annotation.security.RunAs;
import javax.ejb.EJB;

// First hop: executes as the "printer" role regardless of the external caller
@RunAs("printer")
@PermitAll
public class Printer {
    @EJB
    HelperBean hb;

    public void invokeHelperBean() {
        hb.invokeToner();
    }
}
{code}
{code}
import javax.ejb.EJB;
import javax.ejb.Stateful;

// Second hop: no security annotations, so the incoming identity
// ("printer", from Printer's @RunAs) should be propagated unchanged
@Stateful
public class HelperBean {
    @EJB
    Toner toner;
    public void invokeToner() {
        toner.spill();
    }
}
{code}
{code}
import javax.annotation.security.RolesAllowed;
import javax.ejb.Stateless;

// Third hop: only callers in the "printer" role may invoke spill()
@Stateless
@RolesAllowed("printer")
public class Toner {
    public void spill() {}
}
{code}
A somewhat more sophisticated test is available at:
https://github.com/bafco/wildfly/commits/securityContext
Caller's security identity doesn't get propagated by default
------------------------------------------------------------
Key: WFLY-2847
URL:
https://issues.jboss.org/browse/WFLY-2847
Project: WildFly
Issue Type: Bug
Security Level: Public(Everyone can see)
Components: EJB, Security
Affects Versions: 8.0.0.CR1
Reporter: Matus Abaffy
Assignee: David Lloyd
--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators
For more information on JIRA, see:
http://www.atlassian.com/software/jira
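As an added example, not part of the report, of WildFly, or of the linked test branch: a small Python model of the identity-propagation rules the report quotes from the EJB spec (12.1 and 12.3.4). A bean forwards its caller's identity by default, a bean annotated @RunAs forwards a principal holding the named role instead, and @RolesAllowed is checked against whatever identity arrives. The bean names and annotations mirror the report; the unauthenticated `ANONYMOUS` caller and the `reset_at` knob are constructed here purely to show what the reported EJBAccessException at Toner implies about the identity that reached it (it had no "printer" role), not to claim where in the container the identity is lost.

```python
"""Model of EJB caller-identity propagation through a bean call chain.

Added example, not WildFly or JIRA code. It implements only the rules quoted
from the EJB spec (12.1 and 12.3.4): by default the caller identity is
propagated to the next bean; a bean annotated @RunAs substitutes a principal
that holds the named role; @RolesAllowed is enforced against the identity that
arrives at the bean. Bean names mirror the report (Printer, HelperBean, Toner).
"""
from dataclasses import dataclass
from typing import FrozenSet, List, Optional, Tuple


@dataclass(frozen=True)
class Identity:
    principal: str
    roles: FrozenSet[str]


# Constructed unauthenticated caller: holds no roles at all.
ANONYMOUS = Identity("anonymous", frozenset())


@dataclass
class Bean:
    name: str
    run_as: Optional[str] = None                    # role named in @RunAs
    roles_allowed: Optional[FrozenSet[str]] = None  # None == @PermitAll / unrestricted
    calls: Optional["Bean"] = None                  # next bean in the chain


class AccessDenied(Exception):
    """Stands in for javax.ejb.EJBAccessException."""


def invoke(bean: Bean, caller: Identity,
           reset_at: FrozenSet[str] = frozenset()) -> List[Tuple[str, str]]:
    """Walk the chain from `bean`; return (bean name, principal seen) per hop.

    `reset_at` is a hypothetical knob, not spec behaviour: beans named in it
    forward ANONYMOUS instead of their caller, so the model can show what a
    denial at the end of the chain implies about the identity that arrived.
    """
    trace: List[Tuple[str, str]] = []
    current: Optional[Bean] = bean
    identity = caller
    while current is not None:
        # Authorization is decided on the identity that reaches this bean.
        if current.roles_allowed is not None and not (current.roles_allowed & identity.roles):
            raise AccessDenied(
                f"{current.name}: '{identity.principal}' lacks {sorted(current.roles_allowed)}")
        trace.append((current.name, identity.principal))
        # Outgoing identity: @RunAs substitution, otherwise propagate (the spec default).
        if current.run_as is not None:
            identity = Identity(f"run-as:{current.run_as}", frozenset({current.run_as}))
        elif current.name in reset_at:
            identity = ANONYMOUS
        current = current.calls
    return trace


def build_chain(direct: bool = False) -> Bean:
    """Printer -> HelperBean -> Toner, or Printer -> Toner when direct=True."""
    toner = Bean("Toner", roles_allowed=frozenset({"printer"}))
    helper = Bean("HelperBean", calls=toner)
    return Bean("Printer", run_as="printer", calls=toner if direct else helper)


def expected_via_helper() -> List[Tuple[str, str]]:
    """Spec-conformant outcome of the reported chain: Toner sees 'run-as:printer'."""
    return invoke(build_chain(), ANONYMOUS)


def expected_direct() -> List[Tuple[str, str]]:
    """Printer calling Toner directly, which the report says already works."""
    return invoke(build_chain(direct=True), ANONYMOUS)


def denied_if_identity_lost() -> str:
    """What the reported EJBAccessException implies: the identity reaching Toner
    has no 'printer' role. Modelled with the hypothetical reset at HelperBean."""
    try:
        invoke(build_chain(), ANONYMOUS, reset_at=frozenset({"HelperBean"}))
    except AccessDenied as exc:
        return str(exc)
    return "allowed"


if __name__ == "__main__":
    print(expected_via_helper())
    print(expected_direct())
    print(denied_if_identity_lost())
```

Running the module prints the three traces: the spec-conformant chain reaches Toner as `run-as:printer`, the direct call does too, and the only way this model reproduces the reported denial is for the identity forwarded by the unannotated HelperBean to have lost the "printer" role, which is the behaviour the report argues contradicts 12.3.4.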