[jboss-jira] [JBoss JIRA] Commented: (JBAS-3945) RunAs Causes Unexpected Principal Propagation Switch

Anil Saldhana (JIRA) jira-events at lists.jboss.org
Tue Feb 10 15:52:44 EST 2009 

    [ https://jira.jboss.org/jira/browse/JBAS-3945?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12452040#action_12452040 ] 

Anil Saldhana commented on JBAS-3945:
-------------------------------------

The EJB2/3 specification talk about run-as in terms of roles that are propagated between two components.  If you need a different principal to be associated for a run-as, it needs to be specified in a vendor descriptor. In the case of JBoss, it has to be jboss.xml

Look at the ejb-jar.xml

=======================
<enterprise-beans>
    <session>
      <description>session 1</description>
      <ejb-name>Session1</ejb-name>
      <home>org.runAsError.test.Session1Home</home>
      <remote>org.runAsError.test.Session1</remote>
      <ejb-class>org.runAsError.test.SessionBean1</ejb-class>
      <session-type>Stateless</session-type>
      <transaction-type>Container</transaction-type>
      <ejb-ref>
        <ejb-ref-name>ejb/Session2</ejb-ref-name>
        <ejb-ref-type>Session</ejb-ref-type>
        <home>org.runAsError.test.Session2Home</home>
        <remote>org.runAsError.test.Session2</remote>
        <ejb-link>Session2</ejb-link>
      </ejb-ref>
      <security-role-ref>
        <role-name>tester</role-name>
        <role-link>tester</role-link>
      </security-role-ref>
      <security-identity>
        <run-as>
          <role-name>internal</role-name>
        </run-as>
      </security-identity>
    </session>
===============================================================

Here you are specifying a role "internal" to be used as the propagated run-as role to session bean 2.
Now JBoss will use an anonymous principal to propagate along to provide the getCallerPrincipal
contract at the other end even though, the deciding aspect for session bean2 access control
was the role "internal".  

If you need a different principal other than "anonymous", then you need to specify it in jboss.xml
 
  <session>
      <ejb-name>Session1</ejb-name>
      <jndi-name>runAsError/Session1</jndi-name>
     <security-identity>
        <run-as-principal>MyNewPrincipalForRunAs</run-as-principal>
      </security-identity>
   </session>



> RunAs Causes Unexpected Principal Propagation Switch
> ----------------------------------------------------
>
>                 Key: JBAS-3945
>                 URL: https://jira.jboss.org/jira/browse/JBAS-3945
>             Project: JBoss Application Server
>          Issue Type: Bug
>      Security Level: Public(Everyone can see) 
>          Components: Security
>    Affects Versions: JBossAS-4.0.5.GA
>         Environment: JBoss 4.0.5.GA
> JSE 1.5.0_09
>            Reporter: Stefan Schulze
>            Assignee: Peter Skopek
>         Attachments: runAsError.zip
>
>
> My application is using JAAS authentication on web and ejb side. An authenticated user calls a stateless session bean from the web application which uses 'runAs' to change security role and calls a second stateless session bean. The second bean recuperates an 'anonymous' principal but it should be the authenticated user. This does not happen on our production server (JBoss 3.2.7) but on JBoss 4.05.GA.
> Test case:
> I try to attach my test case (where can I attach it ???) which boils down the problem.
> To run it, please
> - unzip the file (runAsError.zip)
> - you can import the content as a project in Eclipse if you prefer
> - change the 'jboss.dist' property in the 'ant.properties' file to your jBoss 4.0.5.GA installation
> - run the 'install' target of 'build.xml' which creates a  new jboss container called 'runAsError'
> - start the 'runAsError' container (run -c runAsError)
> - run the 'test' target of 'build.xml'
> What happens:
> Standalone client calls Session1.hello() with caller principal 'max' . Session1 calls Session2.hello2() using runAs 'internal'. Session2 should get caller principal 'max' but gets 'anonymous'. See Exception that is thrown in SessionBean2.hello2().
> It seems to be a different bug than http://jira.jboss.com/jira/browse/JBAS-1852 since I run the JBAS-1852 test and it seemed to work (I had some troubles with the DatabaseServerLoginModule that were probably related to my incompetence ;-).

-- 
This message is automatically generated by JIRA.
-
If you think it was sent incorrectly contact one of the administrators: https://jira.jboss.org/jira/secure/Administrators.jspa
-
For more information on JIRA, see: http://www.atlassian.com/software/jira

More information about the jboss-jira mailing list