[jboss-jira] [JBoss JIRA] Commented: (JBAS-4003) using run-as causes anonymous principal to be propagated across EARs and security domains

Anil Saldhana (JIRA) jira-events at lists.jboss.org
Thu Mar 15 12:12:38 EDT 2007


    [ http://jira.jboss.com/jira/browse/JBAS-4003?page=comments#action_12356221 ] 
            
Anil Saldhana commented on JBAS-4003:
-------------------------------------

Is it possible to get a test case showing your current issue?

> using run-as causes anonymous principal to be propagated across EARs and security domains
> -----------------------------------------------------------------------------------------
>
>                 Key: JBAS-4003
>                 URL: http://jira.jboss.com/jira/browse/JBAS-4003
>             Project: JBoss Application Server
>          Issue Type: Bug
>      Security Level: Public(Everyone can see) 
>          Components: Security
>    Affects Versions: JBossAS-4.0.5.GA
>            Reporter: Michal Borowiecki
>         Assigned To: Anil Saldhana
>
> Using run-as causes anonymous principal to be propagated across EARs and security domains.
> I have an MDB in EAR 1 with run-as configured.
> It calls a session bean in the same EAR and the reported identity in the target session bean's method is anonymous, which is OK.
> The session bean then calls another session bean in another EAR which is in a different security-domain.
> A ClientLoginModule is used to authenticate in the other security domain.
> Nevertheless, the target bean sees the caller as anonymous, with the role configured as run-as in EAR1.
> The same code works OK when run-as is removed from configuration.
> I understand that the run-as role with anonymous identity is propagated across subsequent ejb calls, however it should not be propagated when explicit login is used on some other security domain. After all, the whole point of authenticating into a security domain is to establish an identity in that domain. It seems that the newly established identity is ignored in favour of the run-as identity and role propagated from the original security domain.

-- 
This message is automatically generated by JIRA.
-
If you think it was sent incorrectly contact one of the administrators: http://jira.jboss.com/jira/secure/Administrators.jspa
-
For more information on JIRA, see: http://www.atlassian.com/software/jira
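The call chain the report describes, assembled here as an added illustration rather than as code from the reporter or from JBoss AS, and not run against 4.0.5.GA. Bean, JNDI and role names, the user "userB", the JAAS entry name "client-login" and the descriptor snippets in the comments are all assumed; the listing shows where a test case would read the caller principal at each hop and what the reporter says each hop returns.

```java
// Added illustration of the JBAS-4003 call chain; not the reporter's code and
// not JBoss AS code. Bean/JNDI/role names, "userB" and the "client-login" JAAS
// entry are assumed. Each class belongs in its own source file when deployed.
//
// Assumed deployment descriptors:
//   EAR 1 ejb-jar.xml, on the MDB:
//     <security-identity><run-as><role-name>InternalRole</role-name></run-as></security-identity>
//   EAR 1 jboss.xml:  <security-domain>java:/jaas/domainA</security-domain>
//   EAR 2 jboss.xml:  <security-domain>java:/jaas/domainB</security-domain>
//   EAR 2 ejb-jar.xml: a <security-role-ref> for InternalRole on Ear2TargetBean
//   Client-side JAAS config (auth.conf):
//     client-login { org.jboss.security.ClientLoginModule required; };

import java.rmi.RemoteException;
import javax.ejb.CreateException;
import javax.ejb.EJBHome;
import javax.ejb.EJBObject;
import javax.ejb.SessionBean;
import javax.ejb.SessionContext;
import javax.naming.InitialContext;
import javax.rmi.PortableRemoteObject;
import javax.security.auth.login.LoginContext;
import org.jboss.security.auth.callback.UsernamePasswordHandler;

// ---- EAR 2, security domain domainB: the target bean ----
interface Ear2Target extends EJBObject {
    String whoAmI() throws RemoteException;
}

interface Ear2TargetHome extends EJBHome {
    Ear2Target create() throws CreateException, RemoteException;
}

class Ear2TargetBean implements SessionBean {
    private SessionContext ctx;
    public void setSessionContext(SessionContext ctx) { this.ctx = ctx; }
    public void ejbCreate() {}
    public void ejbRemove() {}
    public void ejbActivate() {}
    public void ejbPassivate() {}

    // Reports the identity and role the container established for this call.
    public String whoAmI() {
        return ctx.getCallerPrincipal().getName()
                + " InternalRole=" + ctx.isCallerInRole("InternalRole");
    }
}

// ---- EAR 1, security domain domainA: session bean called by the run-as MDB ----
class Ear1ServiceBean implements SessionBean {
    private SessionContext ctx;
    public void setSessionContext(SessionContext ctx) { this.ctx = ctx; }
    public void ejbCreate() {}
    public void ejbRemove() {}
    public void ejbActivate() {}
    public void ejbPassivate() {}

    public String callIntoEar2() throws Exception {
        // With run-as on the MDB this is "anonymous"; the reporter accepts that.
        String here = ctx.getCallerPrincipal().getName();

        // Explicit login into domainB. ClientLoginModule validates nothing
        // locally; it only records the principal and credential so that the
        // next EJB invocation carries them to the target security domain.
        LoginContext lc = new LoginContext("client-login",
                new UsernamePasswordHandler("userB", "secretB".toCharArray()));
        lc.login();
        try {
            Object ref = new InitialContext().lookup("Ear2Target");
            Ear2TargetHome home =
                    (Ear2TargetHome) PortableRemoteObject.narrow(ref, Ear2TargetHome.class);
            String there = home.create().whoAmI();
            // Expected by the reporter: "userB InternalRole=false".
            // Observed per the report with run-as on the MDB: "anonymous InternalRole=true";
            // with run-as removed, the target sees "userB".
            return here + " -> " + there;
        } finally {
            lc.logout();
        }
    }
}
```

The security-relevant point is that the explicit ClientLoginModule login establishes the identity the caller intends for domainB, so a target bean that authorizes on getCallerPrincipal() or isCallerInRole() must not see the run-as principal and role from domainA instead; a test case along these lines asserts on the string returned by whoAmI() with and without the run-as element present.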

        



More information about the jboss-jira mailing list