[ https://jira.jboss.org/jira/browse/EJBTHREE-1738?page=com.atlassian.jira.... ] Jeff Schnitzer updated EJBTHREE-1738: ------------------------------------- Summary: Security, transaction contexts broken in start() method of @Service beans (was: @RunAs no longer works on @Service beans) Description: The problem surrounds just the start() method (and possibly other lifecycle methods). @RunAs dosn't work, complains that the security context is missing when calling into a method with required permissions. Furthermore, examining the unauthenticated principal shows the principal for the "other" security domain, no matter what is specified as @SecurityDomain. Last of all, there is no transaction context - any attempt to update a database from an EntityManager within the start() method fails with "javax.persistence.TransactionRequiredException: EntityManager must be access within a transaction". The original description of this bug follows - it is just one part of the larger problem. It looks like AOP interceptors aren't being applied to the start() methods of service beans, whereas this worked in JBoss 4. ----- The behavior of security domains on @Service beans has changed from 4.2 to 5.0.1. @RunAs no longer works. This seems to make it impossible for a @Service to call a secured bean. Take two @Services, one ClientService and one ServerService. Here's the ServerService, note that it requires the "admin" role: @Service(objectName="test:service=Server") @SecurityDomain("foo") @RolesAllowed("admin") public class ServerService implements ServerManagement, Server { public void serve() {...} } The client tries to call the server: @Service(objectName="test:service=Client") @SecurityDomain("foo") @RunAs("admin") public class ClientService implements ClientManagement { @EJB Server server; public void start() { server.serve(); } } This generates exceptions "No security context set". Alternatively, if the Server is a stateless session ejb, the exception is "Caller unauthorized". This same code works in 4.2. If it will help I can attach a simple test project but since the error occurs on deployment (service start), I don't know how to create a unit test. was: The behavior of security domains on @Service beans has changed from 4.2 to 5.0.1. @RunAs no longer works. This seems to make it impossible for a @Service to call a secured bean. Take two @Services, one ClientService and one ServerService. Here's the ServerService, note that it requires the "admin" role: @Service(objectName="test:service=Server") @SecurityDomain("foo") @RolesAllowed("admin") public class ServerService implements ServerManagement, Server { public void serve() {...} } The client tries to call the server: @Service(objectName="test:service=Client") @SecurityDomain("foo") @RunAs("admin") public class ClientService implements ClientManagement { @EJB Server server; public void start() { server.serve(); } } This generates exceptions "No security context set". Alternatively, if the Server is a stateless session ejb, the exception is "Caller unauthorized". This same code works in 4.2. If it will help I can attach a simple test project but since the error occurs on deployment (service start), I don't know how to create a unit test. -- This message is automatically generated by JIRA. - If you think it was sent incorrectly contact one of the administrators: https://jira.jboss.org/jira/secure/Administrators.jspa - For more information on JIRA, see: http://www.atlassian.com/software/jira

[ https://jira.jboss.org/jira/browse/EJBTHREE-1738?page=com.atlassian.jira.... ] Jon Stevens commented on EJBTHREE-1738: --------------------------------------- Use the non-https and you won't get asked for a username/password. http://scratchmonkey.googlecode.com/svn/jboss5/basic/ -- This message is automatically generated by JIRA. - If you think it was sent incorrectly contact one of the administrators: https://jira.jboss.org/jira/secure/Administrators.jspa - For more information on JIRA, see: http://www.atlassian.com/software/jira

[ https://jira.jboss.org/jira/browse/EJBTHREE-1738?page=com.atlassian.jira.... ] Andrew Lee Rubinger commented on EJBTHREE-1738: ----------------------------------------------- Applied Carlo's patch with some modifications to the test. Tomorrow to follow up with integration tests and some fixes for the security context portion of this issue. -- This message is automatically generated by JIRA. - If you think it was sent incorrectly contact one of the administrators: https://jira.jboss.org/jira/secure/Administrators.jspa - For more information on JIRA, see: http://www.atlassian.com/software/jira

[ https://jira.jboss.org/jira/browse/EJBTHREE-1738?page=com.atlassian.jira.... ] Andrew Lee Rubinger commented on EJBTHREE-1738: ----------------------------------------------- Patch, though working in unit test, results in integration problems as LifecycleCallbackStack is not overridden but instead defined twice: Deployment "vfsfile:/home/alrubinger/business/jboss/wc/jbossas/branches/Branch_5_x/build/output/jboss-5.2.0.Beta/server/default/deploy/ejb3-interceptors-aop.xml" is in error due to the following reason(s): java.lang.IllegalStateException: LifecycleCallbackStack is already installed. -- This message is automatically generated by JIRA. - If you think it was sent incorrectly contact one of the administrators: https://jira.jboss.org/jira/secure/Administrators.jspa - For more information on JIRA, see: http://www.atlassian.com/software/jira