[jboss-jira] [JBoss JIRA] Created: (JBAS-3781) Stateful SB Instance Interceptor should not push SubjectContext if RunAsIdentity present

Anil Saldhana (JIRA) jira-events at jboss.com
Tue Oct 24 00:39:41 EDT 2006


Stateful SB Instance Interceptor should not push SubjectContext if RunAsIdentity present
----------------------------------------------------------------------------------------

                 Key: JBAS-3781
                 URL: http://jira.jboss.com/jira/browse/JBAS-3781
             Project: JBoss Application Server
          Issue Type: Bug
      Security Level: Public (Everyone can see)
          Components: EJB2
    Affects Versions: JBossAS-4.0.5.GA, JBossAS-3.2.8.SP1, JBossAS-5.0.0.Beta
            Reporter: Anil Saldhana
         Assigned To: Anil Saldhana
             Fix For: JBossAS-5.0.0.Beta, JBossAS-3.2.8.SP2, JBossAS-4.0.6.CR1


The following Subject Context push (with null Subject) to establish client security context should not be performed if the user has configured a RunAsIdentity in the caller bean.

        /* The security context must be established before the cache
         * lookup because the activation of a session should have the caller's
         * security context as ejbActivate is allowed to call other secured
         * resources. Since the pm makes the ejbActivate call, we need to
         * set the caller's security context. The only reason this shows up for
         * stateful session is that we moved the SecurityInterceptor to after
         * the instance interceptor to allow security exceptions to result in
         * invalidation of the session. This may be too literal an interpretation
         * of the ejb spec requirement that runtime exceptions should invalidate
         * the session.
         */
        SecurityActions.pushSubjectContext(mi.getPrincipal(), mi.getCredential(), null);


The resolution is:

        if(SecurityActions.peekRunAsIdentity() == null)
            SecurityActions.pushSubjectContext(mi.getPrincipal(), mi.getCredential(), null);
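
The effect of the guard, as an added illustration that is not code from the JIRA issue or from JBoss: the classes below are a simplified stand-in for the container's thread-local security stacks (SubjectContext, RunAsIdentity, pushSubjectContext, peekRunAsIdentity and currentSubject are all modelled here, not JBoss's SecurityActions API), and the model assumes that downstream secured code reads the Subject of the innermost pushed context.

```java
import java.security.Principal;
import java.util.ArrayDeque;
import java.util.Deque;
import javax.security.auth.Subject;

// Simplified model of the per-thread security stacks a container keeps across
// nested bean calls (assumption for illustration, not JBoss's SecurityAssociation).
public class RunAsGuardDemo {
    record SubjectContext(Principal principal, Object credential, Subject subject) {}
    record RunAsIdentity(String role, String principalName) {}

    static final ThreadLocal<Deque<SubjectContext>> CONTEXTS = ThreadLocal.withInitial(ArrayDeque::new);
    static final ThreadLocal<Deque<RunAsIdentity>> RUN_AS = ThreadLocal.withInitial(ArrayDeque::new);

    static void pushSubjectContext(Principal p, Object cred, Subject s) { CONTEXTS.get().push(new SubjectContext(p, cred, s)); }
    static void popSubjectContext() { CONTEXTS.get().pop(); }
    static RunAsIdentity peekRunAsIdentity() { return RUN_AS.get().peek(); }
    // Model assumption: downstream secured code reads the innermost context's Subject.
    static Subject currentSubject() { SubjectContext top = CONTEXTS.get().peek(); return top == null ? null : top.subject(); }

    /** Models the stateful instance interceptor around ejbActivate / the business call. */
    static Subject invokeStateful(Principal caller, Object cred, boolean guarded) {
        boolean pushed = false;
        if (!guarded || peekRunAsIdentity() == null) {   // the JBAS-3781 fix is this guard
            pushSubjectContext(caller, cred, null);       // null Subject, as in the reported push
            pushed = true;
        }
        try {
            return currentSubject();                      // stands in for ejbActivate / business method
        } finally {
            if (pushed) popSubjectContext();              // keep push and pop balanced
        }
    }

    public static void main(String[] args) {
        Principal client = () -> "alice";                 // constructed sample caller
        Subject callerSubject = new Subject();
        callerSubject.getPrincipals().add(client);
        // Caller bean: its subject context is established and it is configured with run-as.
        pushSubjectContext(client, "secret", callerSubject);
        RUN_AS.get().push(new RunAsIdentity("Admin", "system"));

        Subject unguarded = invokeStateful(client, "secret", false);
        Subject guarded = invokeStateful(client, "secret", true);
        System.out.println("unguarded push, Subject seen downstream: " + unguarded);
        System.out.println("guarded push keeps the caller bean's Subject: " + (guarded == callerSubject));
        System.out.println("run-as identity still active afterwards: " + (peekRunAsIdentity() != null));
    }
}
```

Under a run-as caller the unguarded push shadows the established context with one whose Subject is null, so downstream code that relies on the current Subject sees nothing; with the guard the stateful interceptor leaves the run-as caller's context untouched.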


-- 
This message is automatically generated by JIRA.