[jboss-jira] [JBoss JIRA] Created: (JBAS-8600) An EJB invocation with runas-identity causes that runas-identity to be used for all invocations of that EJB

Magnus Lind (JIRA) jira-events at lists.jboss.org
Wed Nov 3 09:44:02 EDT 2010


An EJB invocation with runas-identity causes that runas-identity to be used for all invocations of that EJB
-----------------------------------------------------------------------------------------------------------

                 Key: JBAS-8600
                 URL: https://jira.jboss.org/browse/JBAS-8600
             Project: JBoss Application Server
          Issue Type: Bug
      Security Level: Public (Everyone can see)
          Components: EJB2
    Affects Versions: JBossAS-5.1.0.GA
            Reporter: Magnus Lind
            Assignee: Alexey Loubyansky


If a context associated with a runas-identity invokes a method on a (non-runas deployed) stateless session EJB then subsequent invocations from any authenticated context will be performed as if the EJB was runas-deployed using that identity.

Only a restart of the application server will help.

A runas-identity context is usually established within invocations of Servlets or EJBs with runas-deployment. All non-runas deployed EJBs invoked from such a servlet, EJB (or MDB) will be affected.

This behavior is probably caused by a bug in org.jboss.ejb.plugins.SecurityInterceptor. The following patch solves the problem for us:

Index: org/jboss/ejb/plugins/SecurityInterceptor.java
===================================================================
--- org/jboss/ejb/plugins/SecurityInterceptor.java	(revision 109035)
+++ org/jboss/ejb/plugins/SecurityInterceptor.java	(arbetskopia)
@@ -248,18 +248,19 @@
          throw e;
       }
 
+      RunAs runAsIdentityToPush = runAsIdentity;
       /**
        * Special case: if <use-caller-identity> configured and
        * the caller is arriving with a run-as, we need to push that run-as
        */
       if (callerRunAsIdentity != null && this.isUseCallerIdentity)
-         this.runAsIdentity = callerRunAsIdentity;
+         runAsIdentityToPush = callerRunAsIdentity;
 
       /* If a run-as role was specified, push it so that any calls made
        by this bean will have the runAsRole available for declarative
        security checks.
       */
-      SecurityActions.pushRunAsIdentity(runAsIdentity);
+      SecurityActions.pushRunAsIdentity(runAsIdentityToPush);
 
       try
       {
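Review bot: Introducing the per-invocation local `runAsIdentityToPush` is the right fix, because the removed line `this.runAsIdentity = callerRunAsIdentity;` wrote the caller's run-as into the interceptor's per-bean field, so it survived the call and was pushed for every later invocation of that bean. Two follow-ups: the hunk ends at the `try`, so check that the matching pop in the block that follows (not visible here) pops unconditionally regardless of which identity was pushed, and consider declaring `runAsIdentity` final once it is no longer reassigned, so a future write like the removed one fails at compile time rather than reintroducing the leak.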


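The following is an added, self-contained illustration of the defect described in the report and of the effect of the patch; it is not JBoss code. `RunAs`, the interceptor classes and `identityPushedFor` are simplified stand-ins for `org.jboss.security.RunAs`, `SecurityInterceptor` and the value handed to `SecurityActions.pushRunAsIdentity`; the assumption that a non-runas bean has a null deploy-time run-as and is configured with `<use-caller-identity>` is mine.

```java
import java.util.ArrayList;
import java.util.List;

/**
 * Constructed illustration (not JBoss code) of the run-as state leak.
 * Each interceptor models one deployed bean: `runAsIdentity` is the bean's
 * deploy-time run-as (assumed null for a non-runas bean) and is shared by every
 * invocation of that bean; `callerRunAsIdentity` is whatever run-as arrived
 * with a single invocation.
 */
public class RunAsLeakDemo {

    /** Minimal stand-in for org.jboss.security.RunAs. */
    static final class RunAs {
        final String role;
        RunAs(String role) { this.role = role; }
        @Override public String toString() { return "RunAs(" + role + ")"; }
    }

    /** Returns what the interceptor would hand to pushRunAsIdentity (null = no run-as). */
    interface Interceptor {
        RunAs identityPushedFor(RunAs callerRunAsIdentity);
    }

    /** Pre-patch logic: `this.runAsIdentity = callerRunAsIdentity` overwrites bean-wide state. */
    static final class BuggyInterceptor implements Interceptor {
        private RunAs runAsIdentity;               // shared by all invocations of the bean
        private final boolean isUseCallerIdentity;

        BuggyInterceptor(RunAs deployTimeRunAs, boolean useCallerIdentity) {
            this.runAsIdentity = deployTimeRunAs;
            this.isUseCallerIdentity = useCallerIdentity;
        }

        @Override public RunAs identityPushedFor(RunAs callerRunAsIdentity) {
            if (callerRunAsIdentity != null && isUseCallerIdentity)
                this.runAsIdentity = callerRunAsIdentity;   // defect: outlives this call
            return runAsIdentity;
        }
    }

    /** Patched logic: the caller's run-as only ever lives in a per-invocation local. */
    static final class FixedInterceptor implements Interceptor {
        private final RunAs runAsIdentity;          // never reassigned after deployment
        private final boolean isUseCallerIdentity;

        FixedInterceptor(RunAs deployTimeRunAs, boolean useCallerIdentity) {
            this.runAsIdentity = deployTimeRunAs;
            this.isUseCallerIdentity = useCallerIdentity;
        }

        @Override public RunAs identityPushedFor(RunAs callerRunAsIdentity) {
            RunAs runAsIdentityToPush = runAsIdentity;
            if (callerRunAsIdentity != null && isUseCallerIdentity)
                runAsIdentityToPush = callerRunAsIdentity;
            return runAsIdentityToPush;
        }
    }

    /** Replays the scenario from the report against a single interceptor instance. */
    static List<RunAs> replay(Interceptor bean) {
        List<RunAs> pushed = new ArrayList<>();
        // 1. a servlet deployed with a run-as role "Admin" (constructed value) calls the bean
        pushed.add(bean.identityPushedFor(new RunAs("Admin")));
        // 2. an ordinary authenticated caller with no run-as calls the same bean
        pushed.add(bean.identityPushedFor(null));
        // 3. and so does another one
        pushed.add(bean.identityPushedFor(null));
        return pushed;
    }

    public static void main(String[] args) {
        // A non-runas bean configured with <use-caller-identity>: deploy-time run-as is null.
        System.out.println("buggy: " + replay(new BuggyInterceptor(null, true)));
        System.out.println("fixed: " + replay(new FixedInterceptor(null, true)));
    }
}
```

Running the replay shows the difference: the buggy interceptor reports the servlet's run-as for the second and third callers as well, because the first invocation wrote it into the field, whereas the fixed interceptor reports no run-as for them. This is also a useful shape for a regression test of the interceptor: invoke once with a caller run-as, then once without, and assert that the second invocation pushes only the deploy-time identity.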