[ https://issues.jboss.org/browse/AS7-5075?page=com.atlassian.jira.plugin.s... ]
Michael Gronau commented on AS7-5075:
-------------------------------------
That's a bit too difficult. But taking a look at the push(...) method in
SimpleSecurityManager should help: here we run into these lines of code:

    // If we have a trusted identity no need for a re-auth.
    if (authenticated == false) {
        authenticated = authenticate(current, null);
    }

So, authenticate() is called with no subject, as for remote calls as well, but for remote
calls a current subject info is created with the user principal of the current remoting
user (taken from the connection) and set in the current security context, which goes into
the authenticate(..) method:

    util.createSubjectInfo(p, credential, subject);

Here is the difference. For calls coming from an mbean, for example, no SubjectInfo is set
for the current context before invoking authenticate(current, null).
Local ejb calls are always anonymous
------------------------------------
Key: AS7-5075
URL: https://issues.jboss.org/browse/AS7-5075
Project: Application Server 7
Issue Type: Bug
Components: EJB
Affects Versions: 7.1.2.Final (EAP)
Reporter: Michael Gronau
Assignee: jaikiran pai
Labels: ejb, local, remote
Calling an ejb from within an mbean service, for example, always runs under the
'anonymous' user even with a JAAS login before the invocation.
Debugging has shown that a correct security context is only created by the
SimpleSecurityManager when the call comes from a remote client.
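A way to observe and fail closed on the symptom described in the report and in the comment above (a local or mbean-initiated EJB call arriving as 'anonymous' because no SubjectInfo reaches the security context): an added example bean, not code from the issue or from JBoss AS7. The bean name and the use of the standard SessionContext API are assumptions; the 'anonymous' principal name is the one the report quotes.

```java
import java.security.Principal;
import javax.annotation.Resource;
import javax.ejb.SessionContext;
import javax.ejb.Stateless;

// Added example (not JBoss AS7 code): a stateless bean that exposes the principal
// the container actually associated with the current invocation, so the reported
// identity-propagation gap can be detected from inside the EJB instead of being
// discovered later as an authorization failure or, worse, silently accepted.
@Stateless
public class CallerIdentityProbeBean {

    /** Principal name reported for an unauthenticated caller (as quoted in the report). */
    static final String ANONYMOUS = "anonymous";

    @Resource
    private SessionContext ctx;

    /** Name of the principal the container attached to this invocation. */
    public String callerName() {
        Principal p = ctx.getCallerPrincipal();
        return p == null ? ANONYMOUS : p.getName();
    }

    /**
     * Guard for business methods that must never run under the anonymous user.
     * When invoked from an mbean after a JAAS login on the affected version, this
     * throws, which makes the missing SubjectInfo on the local call path visible.
     */
    public void requireAuthenticatedCaller() {
        String name = callerName();
        if (ANONYMOUS.equals(name)) {
            // The caller identity was not propagated into the security context for
            // this call path; fail closed rather than proceeding as 'anonymous'.
            throw new IllegalStateException(
                "EJB invoked without a propagated caller identity (caller=" + name + ")");
        }
    }
}
```

Calling requireAuthenticatedCaller() from the local mbean path and from a remote client, after the same JAAS login, shows whether the two paths differ as the comment describes.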
--
This message is automatically generated by JIRA.