[jboss-jira] [JBoss JIRA] Created: (EJBTHREE-1027) Timeout method gets called with an unspecified caller identity
Carlo de Wolf (JIRA)
jira-events at lists.jboss.org
Wed Aug 8 05:57:31 EDT 2007
Timeout method gets called with an unspecified caller identity
--------------------------------------------------------------
Key: EJBTHREE-1027
URL: http://jira.jboss.com/jira/browse/EJBTHREE-1027
Project: EJB 3.0
Issue Type: Bug
Components: Security
Affects Versions: AS 4.2.1.GA
Reporter: Carlo de Wolf
Having a secured bean with a timeout method with @PermitAll, but without an unauthenticatedIdentity will lead to a 'random' identity being used to call the method or no identity at all. The last one leads to EJBAccessExceptions.
Spec 18.2.2:
"Since the timeout callback method is an internal method of the bean class, it has no client security context. When getCallerPrincipal is called from within the timeout callback method, it returns the container's representation of the unauthenticated identity."
We must disallow all calls to a timeout method if unauthenticatedIdentity is not set.
--
This message is automatically generated by JIRA.
-
If you think it was sent incorrectly contact one of the administrators: http://jira.jboss.com/jira/secure/Administrators.jspa
-
For more information on JIRA, see: http://www.atlassian.com/software/jira
More information about the jboss-jira
mailing list