[jboss-jira] [JBoss JIRA] Commented: (EJBTHREE-1738) Security, transaction contexts broken in start() method of @Service beans
Andrew Lee Rubinger (JIRA)
jira-events at lists.jboss.org
Thu Aug 6 01:47:29 EDT 2009
[ https://jira.jboss.org/jira/browse/EJBTHREE-1738?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12479168#action_12479168 ]
Andrew Lee Rubinger commented on EJBTHREE-1738:
-----------------------------------------------
Applied Carlo's patch with some modifications to the test. Tomorrow to follow up with integration tests and some fixes for the security context portion of this issue.
> Security, transaction contexts broken in start() method of @Service beans
> -------------------------------------------------------------------------
>
> Key: EJBTHREE-1738
> URL: https://jira.jboss.org/jira/browse/EJBTHREE-1738
> Project: EJB 3.0
> Issue Type: Bug
> Components: core
> Affects Versions: 1.1.1
> Reporter: Jeff Schnitzer
> Assignee: Carlo de Wolf
> Attachments: EJBTHREE-1738.patch
>
>
> The problem surrounds just the start() method (and possibly other lifecycle methods). @RunAs dosn't work, complains that the security context is missing when calling into a method with required permissions. Furthermore, examining the unauthenticated principal shows the principal for the "other" security domain, no matter what is specified as @SecurityDomain. Last of all, there is no transaction context - any attempt to update a database from an EntityManager within the start() method fails with "javax.persistence.TransactionRequiredException: EntityManager must be access within a transaction".
> The original description of this bug follows - it is just one part of the larger problem. It looks like AOP interceptors aren't being applied to the start() methods of service beans, whereas this worked in JBoss 4.
> -----
> The behavior of security domains on @Service beans has changed from 4.2 to 5.0.1. @RunAs no longer works. This seems to make it impossible for a @Service to call a secured bean.
> Take two @Services, one ClientService and one ServerService. Here's the ServerService, note that it requires the "admin" role:
> @Service(objectName="test:service=Server")
> @SecurityDomain("foo")
> @RolesAllowed("admin")
> public class ServerService implements ServerManagement, Server
> {
> public void serve() {...}
> }
>
> The client tries to call the server:
> @Service(objectName="test:service=Client")
> @SecurityDomain("foo")
> @RunAs("admin")
> public class ClientService implements ClientManagement
> {
> @EJB Server server;
> public void start() { server.serve(); }
> }
>
> This generates exceptions "No security context set". Alternatively, if the Server is a stateless session ejb, the exception is "Caller unauthorized". This same code works in 4.2.
> If it will help I can attach a simple test project but since the error occurs on deployment (service start), I don't know how to create a unit test.
--
This message is automatically generated by JIRA.
-
If you think it was sent incorrectly contact one of the administrators: https://jira.jboss.org/jira/secure/Administrators.jspa
-
For more information on JIRA, see: http://www.atlassian.com/software/jira
More information about the jboss-jira
mailing list