[jboss-jira] [JBoss JIRA] Commented: (EJBTHREE-1738) Security, transaction contexts broken in start() method of @Service beans

Thu Aug 6 22:43:41 EDT 2009

    [ https://jira.jboss.org/jira/browse/EJBTHREE-1738?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12479413#action_12479413 ] 

Andrew Lee Rubinger commented on EJBTHREE-1738:
-----------------------------------------------

Patch, though working in unit test, results in integration problems as LifecycleCallbackStack is not overridden but instead defined twice:

 Deployment "vfsfile:/home/alrubinger/business/jboss/wc/jbossas/branches/Branch_5_x/build/output/jboss-5.2.0.Beta/server/default/deploy/ejb3-interceptors-aop.xml" is in error due to the following reason(s): java.lang.IllegalStateException: LifecycleCallbackStack is already installed.

> Security, transaction contexts broken in start() method of @Service beans
> -------------------------------------------------------------------------
>
>                 Key: EJBTHREE-1738
>                 URL: https://jira.jboss.org/jira/browse/EJBTHREE-1738
>             Project: EJB 3.0
>          Issue Type: Bug
>          Components: core
>    Affects Versions: 1.1.1
>            Reporter: Jeff Schnitzer
>            Assignee: Andrew Lee Rubinger
>         Attachments: EJBTHREE-1738.patch
>
>
> The problem surrounds just the start() method (and possibly other lifecycle methods).   @RunAs dosn't work, complains that the security context is missing when calling into a method with required permissions.  Furthermore, examining the unauthenticated principal shows the principal for the "other" security domain, no matter what is specified as @SecurityDomain.  Last of all, there is no transaction context - any attempt to update a database from an EntityManager within the start() method fails with "javax.persistence.TransactionRequiredException: EntityManager must be access within a transaction".
> The original description of this bug follows - it is just one part of the larger problem.  It looks like AOP interceptors aren't being applied to the start() methods of service beans, whereas this worked in JBoss 4.
> -----
> The behavior of security domains on @Service beans has changed from 4.2 to 5.0.1. @RunAs no longer works. This seems to make it impossible for a @Service to call a secured bean. 
> Take two @Services, one ClientService and one ServerService. Here's the ServerService, note that it requires the "admin" role: 
> @Service(objectName="test:service=Server")
> @SecurityDomain("foo")
> @RolesAllowed("admin")
> public class ServerService implements ServerManagement, Server
> {
>   public void serve() {...}
> }
> 	
> The client tries to call the server: 
> @Service(objectName="test:service=Client")
> @SecurityDomain("foo")
> @RunAs("admin")
> public class ClientService implements ClientManagement
> {
>   @EJB Server server;
>   public void start() { server.serve(); }
> }
> 	
> This generates exceptions "No security context set". Alternatively, if the Server is a stateless session ejb, the exception is "Caller unauthorized".   This same code works in 4.2.  
> If it will help I can attach a simple test project but since the error occurs on deployment (service start), I don't know how to create a unit test.

-- 
This message is automatically generated by JIRA.
-
If you think it was sent incorrectly contact one of the administrators: https://jira.jboss.org/jira/secure/Administrators.jspa
-
For more information on JIRA, see: http://www.atlassian.com/software/jira