[jboss-jira] [JBoss JIRA] Created: (JBAS-4003) using run-as causes anonymous principal to be propagated across EARs and security domains

Mon Jan 22 06:17:58 EST 2007

using run-as causes anonymous principal to be propagated across EARs and security domains
-----------------------------------------------------------------------------------------

                 Key: JBAS-4003
                 URL: http://jira.jboss.com/jira/browse/JBAS-4003
             Project: JBoss Application Server
          Issue Type: Bug
      Security Level: Public (Everyone can see)
    Affects Versions: JBossAS-4.0.5.GA
            Reporter: Michal Borowiecki

Using run-as causes anonymous principal to be propagated across EARs and security domains.

I have a MDB in EAR 1 with run-as configured.

It calls a session bean in the same EAR and the reported identity in the target session bean's method is anonymous, which is OK.

The session bean then calls another session bean in another EAR which is in a different security-domain.

A ClientLoginModule is used to authenticate in the other security domain.

Nevertheless, the target bean sees the caller as anonymous, with the role configured as run-as in EAR1.

The same code works OK when run-as is removed from configuration.

I understand that the run-as role with anonymous identity is propagated across subsequent ejb calls, however it should not be propagated when explicit login is used on some other security domain. After all, the whole point of authenticating into a security domain is to establish an identity in that domain. It seems that the newly established identity is ignored in favour of the run-as identity and role propagated from the original security domain.

-- 
This message is automatically generated by JIRA.
-
If you think it was sent incorrectly contact one of the administrators: http://jira.jboss.com/jira/secure/Administrators.jspa
-
For more information on JIRA, see: http://www.atlassian.com/software/jira