[jboss-jira] [JBoss JIRA] Commented: (EJBTHREE-1738) Security, transaction contexts broken in start() method of @Service beans

Jon Stevens (JIRA) jira-events at lists.jboss.org
Wed May 13 20:02:46 EDT 2009 

    [ https://jira.jboss.org/jira/browse/EJBTHREE-1738?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12467400#action_12467400 ] 

Jon Stevens commented on EJBTHREE-1738:
---------------------------------------

Use the non-https and you won't get asked for a username/password.

http://scratchmonkey.googlecode.com/svn/jboss5/basic/

> Security, transaction contexts broken in start() method of @Service beans
> -------------------------------------------------------------------------
>
>                 Key: EJBTHREE-1738
>                 URL: https://jira.jboss.org/jira/browse/EJBTHREE-1738
>             Project: EJB 3.0
>          Issue Type: Bug
>          Components: core
>    Affects Versions: 1.1.1
>            Reporter: Jeff Schnitzer
>            Assignee: Carlo de Wolf
>
> The problem surrounds just the start() method (and possibly other lifecycle methods).   @RunAs dosn't work, complains that the security context is missing when calling into a method with required permissions.  Furthermore, examining the unauthenticated principal shows the principal for the "other" security domain, no matter what is specified as @SecurityDomain.  Last of all, there is no transaction context - any attempt to update a database from an EntityManager within the start() method fails with "javax.persistence.TransactionRequiredException: EntityManager must be access within a transaction".
> The original description of this bug follows - it is just one part of the larger problem.  It looks like AOP interceptors aren't being applied to the start() methods of service beans, whereas this worked in JBoss 4.
> -----
> The behavior of security domains on @Service beans has changed from 4.2 to 5.0.1. @RunAs no longer works. This seems to make it impossible for a @Service to call a secured bean. 
> Take two @Services, one ClientService and one ServerService. Here's the ServerService, note that it requires the "admin" role: 
> @Service(objectName="test:service=Server")
> @SecurityDomain("foo")
> @RolesAllowed("admin")
> public class ServerService implements ServerManagement, Server
> {
>   public void serve() {...}
> }
> 	
> The client tries to call the server: 
> @Service(objectName="test:service=Client")
> @SecurityDomain("foo")
> @RunAs("admin")
> public class ClientService implements ClientManagement
> {
>   @EJB Server server;
>   public void start() { server.serve(); }
> }
> 	
> This generates exceptions "No security context set". Alternatively, if the Server is a stateless session ejb, the exception is "Caller unauthorized".   This same code works in 4.2.  
> If it will help I can attach a simple test project but since the error occurs on deployment (service start), I don't know how to create a unit test.

-- 
This message is automatically generated by JIRA.
-
If you think it was sent incorrectly contact one of the administrators: https://jira.jboss.org/jira/secure/Administrators.jspa
-
For more information on JIRA, see: http://www.atlassian.com/software/jira

More information about the jboss-jira mailing list