[jboss-jira] [JBoss JIRA] Commented: (EJBTHREE-1027) Timeout method gets called with an unspecified caller identity

Anil Saldhana (JIRA) jira-events at lists.jboss.org
Thu Aug 23 01:31:18 EDT 2007


[ http://jira.jboss.com/jira/browse/EJBTHREE-1027?page=comments#action_12373442 ]

Anil Saldhana commented on EJBTHREE-1027:
-----------------------------------------

Please look at EJBTHREE-1036, which leads to a security bypass due to the ejbTimeOut callback having no security context as per spec. So any call to getCallerPrincipal should return the unauthenticatedIdentity of the security domain that drives the ejb.

EJBTHREE-1036 is done for JBAS5 trunk.


> Timeout method gets called with an unspecified caller identity
> --------------------------------------------------------------
>
>                 Key: EJBTHREE-1027
>                 URL: http://jira.jboss.com/jira/browse/EJBTHREE-1027
>             Project: EJB 3.0
>          Issue Type: Bug
>          Components: Security
>    Affects Versions: AS 4.2.1.GA
>            Reporter: Carlo de Wolf
>
> Having a secured bean with a timeout method with @PermitAll but without an unauthenticatedIdentity will lead to a 'random' identity being used to call the method or no identity at all. The last one leads to EJBAccessExceptions.
> Spec 18.2.2:
> "Since the timeout callback method is an internal method of the bean class, it has no client security context. When getCallerPrincipal is called from within the timeout callback method, it returns the container's representation of the unauthenticated identity."
> We must disallow all calls to a timeout method if unauthenticatedIdentity is not set.
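The following is an added example, not code from the JIRA issue or from JBoss itself. It shows the situation the issue and the spec quote describe: a secured EJB 3.0 bean whose business method runs under a real client identity, while its timeout callback runs with no client security context, so `getCallerPrincipal()` there can only return the container's unauthenticated identity. The bean name, the security domain `report-domain`, the role `admin` and the `JobInfo` payload are assumptions made for the example; the `org.jboss.annotation.security.SecurityDomain` annotation is the one used by JBoss EJB3 on AS 4.2.

```java
// Added example (not from the JIRA issue or the JBoss code base).
// Assumes JBoss EJB3 on AS 4.2; the domain name "report-domain", the role
// "admin" and the JobInfo payload are hypothetical.
import java.io.Serializable;
import java.security.Principal;
import java.util.logging.Logger;

import javax.annotation.Resource;
import javax.annotation.security.PermitAll;
import javax.annotation.security.RolesAllowed;
import javax.ejb.Local;
import javax.ejb.SessionContext;
import javax.ejb.Stateless;
import javax.ejb.Timeout;
import javax.ejb.Timer;
import javax.ejb.TimerService;

import org.jboss.annotation.security.SecurityDomain;

@Local
interface NightlyReport {
    void schedule(long delayMillis);
}

@Stateless
@SecurityDomain("report-domain")   // hypothetical security domain
public class NightlyReportBean implements NightlyReport {

    private static final Logger LOG = Logger.getLogger(NightlyReportBean.class.getName());

    @Resource
    private SessionContext ctx;

    @Resource
    private TimerService timerService;

    // Business method: only admins may schedule the job. The caller identity is
    // captured here, while a real client security context exists, and is carried
    // in the timer payload for later auditing.
    @RolesAllowed("admin")
    public void schedule(long delayMillis) {
        Principal scheduler = ctx.getCallerPrincipal();
        timerService.createTimer(delayMillis, new JobInfo(scheduler.getName()));
    }

    // Timeout callback: per EJB 3.0 spec 18.2.2 there is no client security
    // context here, so getCallerPrincipal() returns the container's
    // unauthenticated identity. Without an unauthenticatedIdentity configured
    // for the domain, the issue above reports EJBAccessException instead.
    @Timeout
    @PermitAll
    public void onTimeout(Timer timer) {
        JobInfo info = (JobInfo) timer.getInfo();
        Principal runAs = ctx.getCallerPrincipal();

        // Audit both identities. runAs must never feed an authorization decision:
        // it only says whom the container treats anonymous callers as.
        LOG.info("report job scheduled by " + info.scheduledBy
                + ", timeout executing as " + runAs.getName());

        runReport(info.scheduledBy);
    }

    private void runReport(String scheduledBy) {
        // report generation would go here
    }

    // Serializable timer payload carrying the identity captured at scheduling time.
    public static final class JobInfo implements Serializable {
        private static final long serialVersionUID = 1L;
        final String scheduledBy;

        JobInfo(String scheduledBy) {
            this.scheduledBy = scheduledBy;
        }
    }
}
```

For the timeout path to work at all, the login module of the bean's security domain needs an unauthenticated identity, which in JBoss login modules is the `unauthenticatedIdentity` module option (for example `<module-option name="unauthenticatedIdentity">anonymous</module-option>` on the domain's login module in login-config.xml). The point of the example is the split of responsibilities: authorization of who may schedule the job happens in `schedule()`, where a client identity exists, and the timeout only records which identity the container ran it as.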
