[jboss-jira] [JBoss JIRA] (AS7-5075) Local ejb calls are always anonymous

Michael Gronau (JIRA) jira-events at lists.jboss.org
Wed Jun 27 02:52:12 EDT 2012


    [ https://issues.jboss.org/browse/AS7-5075?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12703468#comment-12703468 ] 

Michael Gronau commented on AS7-5075:
-------------------------------------

That's a bit too difficult. But taking a look at the push(...) method in SimpleSecurityManager should help: here we run into these lines of code:

            // If we have a trusted identity no need for a re-auth.
            if (authenticated == false) {
                authenticated = authenticate(current, null);

So, authenticate() is called with no subject for remote calls as well, but for remote calls a current subject info is created with the user principal of the current remoting user (taken from the connection) and set in the current security context, which goes into the authenticate(..) method:

            util.createSubjectInfo(p, credential, subject);

Here is the difference. For calls coming from an MBean, for example, no SubjectInfo is set for the current context before invoking authenticate(current, null).
> Local ejb calls are always anonymous
> ------------------------------------
>
>                 Key: AS7-5075
>                 URL: https://issues.jboss.org/browse/AS7-5075
>             Project: Application Server 7
>          Issue Type: Bug
>          Components: EJB
>    Affects Versions: 7.1.2.Final (EAP)
>            Reporter: Michael Gronau
>            Assignee: jaikiran pai
>              Labels: ejb, local, remote
>
> Calling an ejb from within a mbean service for example is always running under 'anonymous' user even with a JAAS login before the invocation.
> Debugging has shown that only a correct security context is created by the SimpleSecurityManager when the call comes from a remote client.

--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators: https://issues.jboss.org/secure/ContactAdministrators!default.jspa
For more information on JIRA, see: http://www.atlassian.com/software/jira
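The asymmetry the comment describes, as an added illustration that is not code from JBoss AS7 or from the commenter: a simplified stand-in for what push() does when the current context has no SubjectInfo, beside the remote path where the remoting layer seeds one from the connection user first. Every class and method here (NamedPrincipal, SubjectInfo, SecurityContext, createSubjectInfo, push, authenticate) is a hypothetical model, not the JBoss class or method of the same name; the user "alice" and the credential "secret" are constructed sample values.

```java
import java.security.Principal;
import javax.security.auth.Subject;

public class LocalVsRemotePush {

    // Hypothetical stand-in; not org.jboss.security.SimplePrincipal.
    static final class NamedPrincipal implements Principal {
        private final String name;
        NamedPrincipal(String name) { this.name = name; }
        public String getName() { return name; }
    }

    // Hypothetical model of the SubjectInfo the remoting layer creates.
    static final class SubjectInfo {
        final Principal principal;
        final Object credential;
        final Subject subject;
        SubjectInfo(Principal p, Object c, Subject s) { principal = p; credential = c; subject = s; }
    }

    // Hypothetical model of the current security context.
    static final class SecurityContext {
        SubjectInfo subjectInfo;   // stays null unless someone calls createSubjectInfo
    }

    static final Principal ANONYMOUS = new NamedPrincipal("anonymous");

    // Remote path: the connection user is placed into the context before push().
    static void createSubjectInfo(SecurityContext ctx, Principal p, Object credential, Subject subject) {
        ctx.subjectInfo = new SubjectInfo(p, credential, subject);
    }

    // Model of push(): authenticate(current, null) is reached on both paths, and
    // succeeds only if the context already carries a SubjectInfo.
    static Principal push(SecurityContext ctx) {
        boolean authenticated = false;   // in the original this comes from a trusted-identity check
        if (authenticated == false) {
            authenticated = authenticate(ctx, null);
        }
        return authenticated ? ctx.subjectInfo.principal : ANONYMOUS;
    }

    static boolean authenticate(SecurityContext ctx, Subject subject) {
        // No subject was passed, so the only identity available is the one in the context.
        return ctx.subjectInfo != null;
    }

    public static void main(String[] args) {
        // Remote client: remoting seeds the context with the connection user "alice".
        SecurityContext remote = new SecurityContext();
        Subject remoteSubject = new Subject();
        remoteSubject.getPrincipals().add(new NamedPrincipal("alice"));
        createSubjectInfo(remote, new NamedPrincipal("alice"), "secret", remoteSubject);
        System.out.println("remote caller runs as: " + push(remote).getName());

        // Local MBean caller: a JAAS login produced a Subject (constructed here),
        // but nothing copied it into the context, so push() yields anonymous.
        SecurityContext local = new SecurityContext();
        Subject jaasSubject = new Subject();
        jaasSubject.getPrincipals().add(new NamedPrincipal("alice"));
        Principal who = push(local);
        System.out.println("local caller runs as:  " + who.getName());

        // Defensive check a caller can apply: flag an authenticated Subject that
        // silently ended up as anonymous instead of letting the call proceed.
        boolean loggedIn = !jaasSubject.getPrincipals().isEmpty();
        if (loggedIn && ANONYMOUS.getName().equals(who.getName())) {
            System.out.println("WARNING: authenticated local caller mapped to anonymous; "
                    + "security context was not propagated");
        }
    }
}
```

Running the class prints "alice" for the remote path and "anonymous" for the local one, followed by the warning, which is the behaviour the comment attributes to the missing SubjectInfo.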

        


More information about the jboss-jira mailing list