[jboss-jira] [JBoss JIRA] Updated: (JBAS-4003) using run-as causes anonymous principal to be propagated across EARs and security domains
Dimitris Andreadis (JIRA)
jira-events at jboss.com
Mon Jan 22 06:49:52 EST 2007
[ http://jira.jboss.com/jira/browse/JBAS-4003?page=all ]
Dimitris Andreadis updated JBAS-4003:
-------------------------------------
Component/s: Security
Assignee: Anil Saldhana
> using run-as causes anonymous principal to be propagated across EARs and security domains
> -----------------------------------------------------------------------------------------
>
> Key: JBAS-4003
> URL: http://jira.jboss.com/jira/browse/JBAS-4003
> Project: JBoss Application Server
> Issue Type: Bug
> Security Level: Public(Everyone can see)
> Components: Security
> Affects Versions: JBossAS-4.0.5.GA
> Reporter: Michal Borowiecki
> Assigned To: Anil Saldhana
>
> Using run-as causes anonymous principal to be propagated across EARs and security domains.
> I have a MDB in EAR 1 with run-as configured.
> It calls a session bean in the same EAR and the reported identity in the target session bean's method is anonymous, which is OK.
> The session bean then calls another session bean in another EAR which is in a different security-domain.
> A ClientLoginModule is used to authenticate in the other security domain.
> Nevertheless, the target bean sees the caller as anonymous, with the role configured as run-as in EAR1.
> The same code works OK when run-as is removed from configuration.
> I understand that the run-as role with anonymous identity is propagated across subsequent ejb calls, however it should not be propagated when explicit login is used on some other security domain. After all, the whole point of authenticating into a security domain is to establish an identity in that domain. It seems that the newly established identity is ignored in favour of the run-as identity and role propagated from the original security domain.
--
This message is automatically generated by JIRA.
-
If you think it was sent incorrectly contact one of the administrators: http://jira.jboss.com/jira/secure/Administrators.jspa
-
For more information on JIRA, see: http://www.atlassian.com/software/jira
More information about the jboss-jira
mailing list