[jboss-dev-forums] [Design of Security on JBoss] - Re: SecurityContext
anil.saldhana@jboss.com
do-not-reply at jboss.com
Wed Mar 21 13:54:50 EDT 2007
Topic: Situation between <use-caller-identity> and <run-as>
| Task: Security Context replacement of SecurityAssociation; SC over the invocation.
|
| I have the following situation with reference to the <security-identity> tag:
|
| [A] -> [B]->[C]
|
| EJB A defines a run-as (P/InternalRole), B defines no run-as but has <use-caller-identity>
|
| Both B and C are accessible only by role "InternalRole".
|
| The situation for me is the call to C. It does not have "InternalRole" in the security context, because that role is neither part of the Subject nor carried by the callerRunAsIdentity.
|
| I am treating this as a special case as follows:
| At the security checks happening for B, I do:
| =======================
| RunAsIdentity callerRunAsIdentity = getCallerRunAsIdentity(mi);
| /**
|  * Special case: if <use-caller-identity> configured and
|  * the caller is arriving with a run-as, we need to push that run-as
|  */
| if (callerRunAsIdentity != null && this.isUseCallerIdentity)
| {
|    this.runAsIdentity = callerRunAsIdentity;
| }
| ...
| pushRunAsIdentity(runAsIdentity);
| ======================================
|
|
Effectively, this has replaced the run-as for the B->C call with the caller's RAI from the A->B call.
Reference: EJBSpecTest -> testDeepRunAs
View the original post : http://www.jboss.com/index.html?module=bb&op=viewtopic&p=4030331#4030331
Reply to the post : http://www.jboss.com/index.html?module=bb&op=posting&mode=reply&p=4030331
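As an added illustration of the A -> B -> C situation above (this is constructed example code, not JBoss's SecurityContext or interceptor code), the following stand-alone Java model walks the call chain twice: once with the plain EJB rules, where B's use-caller-identity drops A's run-as and C denies the call, and once with the special case from the post, where B re-pushes the caller's run-as so C sees "InternalRole". The Bean, Hop and invokeChain names are hypothetical; the run-as is modelled as a bare role name rather than a principal/role pair, A is assumed to be callable by a role "User" (the post does not state A's permissions), and the code assumes Java 16 or later for records.

```java
import java.util.ArrayList;
import java.util.List;
import java.util.Set;

/** Constructed model of run-as propagation through an EJB call chain; not JBoss code. */
public class RunAsChainDemo {

    /** Stand-in for one EJB's <security-identity> settings and its method permissions. */
    record Bean(String name, String runAs, boolean useCallerIdentity, Set<String> allowedRoles) {}

    /** Outcome of the security check at one hop: was it permitted, and what run-as goes on to the next bean. */
    record Hop(String bean, boolean permitted, String runAsForNextHop) {}

    /**
     * Walks the chain, doing at each bean what a container security interceptor does:
     * authorize against the Subject's roles or the caller's run-as, then decide which
     * run-as identity (if any) to push for the next hop. With propagateCallerRunAs=true
     * the special case from the post is applied at beans configured with use-caller-identity.
     */
    static List<Hop> invokeChain(Set<String> subjectRoles, List<Bean> chain, boolean propagateCallerRunAs) {
        List<Hop> trace = new ArrayList<>();
        String callerRunAs = null;                               // what the previous hop pushed, null if none
        for (Bean bean : chain) {
            boolean viaSubject = bean.allowedRoles().stream().anyMatch(subjectRoles::contains);
            boolean viaRunAs = callerRunAs != null && bean.allowedRoles().contains(callerRunAs);
            boolean permitted = viaSubject || viaRunAs;

            String runAs = bean.runAs();                         // an explicit <run-as> always wins
            if (runAs == null && bean.useCallerIdentity() && callerRunAs != null && propagateCallerRunAs) {
                runAs = callerRunAs;                             // special case: keep the caller's run-as alive
            }
            trace.add(new Hop(bean.name(), permitted, runAs));
            if (!permitted) {
                break;                                           // the container would throw here; stop the walk
            }
            callerRunAs = runAs;
        }
        return trace;
    }

    public static void main(String[] args) {
        // Constructed configuration mirroring the post: A runs as InternalRole, B and C use the
        // caller identity and are only accessible to InternalRole.
        Bean a = new Bean("A", "InternalRole", false, Set.of("User"));
        Bean b = new Bean("B", null, true, Set.of("InternalRole"));
        Bean c = new Bean("C", null, true, Set.of("InternalRole"));
        Set<String> subjectRoles = Set.of("User");               // the external caller only holds "User"

        for (boolean special : new boolean[] {false, true}) {
            System.out.println("propagateCallerRunAs=" + special);
            for (Hop h : invokeChain(subjectRoles, List.of(a, b, c), special)) {
                System.out.printf("  %s permitted=%s runAsForNextHop=%s%n",
                        h.bean(), h.permitted(), h.runAsForNextHop());
            }
        }
    }
}
```

Without the special case the trace ends at C with permitted=false, because B pushed no run-as and the Subject never held "InternalRole"; with it, B forwards A's run-as and C is permitted. The model makes the trade-off visible: the propagated run-as extends A's elevated identity one hop further than the deployment descriptor for B declares, so anyone reviewing a deployment needs to read B's use-caller-identity as "caller's run-as, if any", not only "caller's Subject".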