[jboss-jira] [JBoss JIRA] (WFLY-2654) The run-as identity does NOT apply to the timeout callback method of an enterprise bean

Tomasz Adamski (JIRA) issues at jboss.org
Fri Apr 4 14:56:13 EDT 2014


    [ https://issues.jboss.org/browse/WFLY-2654?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12959420#comment-12959420 ] 

Tomasz Adamski edited comment on WFLY-2654 at 4/4/14 2:55 PM:
--------------------------------------------------------------

Only timeout methods in beans with an explicitly declared security domain were classified as secured. As a result, the interceptors that are required to authorize correctly were not added. I fixed the checking function so it works the same as in other views.
                
      was (Author: tomekadamski):
    Only timeout methods in beans with an explicitly declared security domain were classified as secured. As a result, the interceptors that are required to authorize correctly were not added. I fixed the checking function so it works the same as in other types of views.
                  
> The run-as identity does NOT apply to the timeout callback method of an enterprise bean
> ---------------------------------------------------------------------------------------
>
>                 Key: WFLY-2654
>                 URL: https://issues.jboss.org/browse/WFLY-2654
>             Project: WildFly
>          Issue Type: Bug
>      Security Level: Public(Everyone can see) 
>          Components: EJB, Security
>    Affects Versions: 8.0.0.Beta1
>            Reporter: Matus Abaffy
>            Assignee: Tomasz Adamski
>
> EJB 3.2 spec., 12.3.4.1 Run-as:
> bq. The run-as identity applies ... to the timeout callback methods of an enterprise bean;
> Assume the following classes:
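> {code}
> import javax.annotation.security.RunAs;
> import javax.ejb.EJB;
> import javax.ejb.Stateless;
> import javax.ejb.Timeout;
> import javax.ejb.Timer;
>
> @Stateless
> @RunAs("alarm")
> public class Alarm {
>     @EJB
>     private Bell bell;
>     // some more logic
>     // Invoked by the container when a timer created by this bean expires.
>     @Timeout
>     public void ejbTimeout(Timer timer) {
>         bell.ring();
>     }
> }
> {code}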
> {code}
> import javax.annotation.security.RolesAllowed;
> import javax.ejb.Stateless;
>
> @Stateless
> @RolesAllowed("alarm")
> public class Bell {
>     public void ring() {}
> }
> {code}
> When the Alarm's timeout callback method is invoked due to timer expiration, bell.ring(); results in
> {code}
> ERROR [org.jboss.as.ejb3.invocation] (EJB default - 1) JBAS014134: EJB Invocation failed on component Bell for method public void org.jboss.as.test.integration.ejb.security.timeout.Bell.ring(): javax.ejb.EJBAccessException: JBAS014502: Invocation on method: public void org.jboss.as.test.integration.ejb.security.timeout.Bell.ring() of bean: Bell is not allowed
> {code}
> Calling bell.ring(); from Alarm's business methods works as expected (no error).
> Simple test case available at: https://github.com/bafco/wildfly/tree/timeoutSecurity

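
The mechanism described in the comment above, as an added example that is not WildFly source and not part of the original message: a simplified model in which the run-as interceptor is attached to the timeout view only when the bean is classified as secured. All class, field and method names are hypothetical, the domain name is a constructed value, and the second predicate is an assumption about what "the same as in other views" means (requires Java 16+ for records).

```java
import java.util.ArrayDeque;
import java.util.Deque;
import java.util.function.Predicate;

// Simplified model, NOT WildFly source: every name in this file is hypothetical.
public class RunAsTimeoutModel {
    // Bean metadata: explicit security domain (may be null) and security annotations.
    record Bean(String name, String explicitDomain, String runAs, String rolesAllowed) {}

    // Run-as roles in effect on the current thread (empty on a timer thread).
    static final Deque<String> RUN_AS = new ArrayDeque<>();

    // Classification described in the comment as the cause: explicit domain only.
    static final Predicate<Bean> EXPLICIT_DOMAIN_ONLY = b -> b.explicitDomain() != null;
    // Assumed corrected classification: security annotations also mark the view as secured.
    static final Predicate<Bean> DOMAIN_OR_ANNOTATIONS = b ->
            b.explicitDomain() != null || b.runAs() != null || b.rolesAllowed() != null;

    // Authorization interceptor on the callee: effective role must match @RolesAllowed.
    static void invoke(Bean callee) {
        if (callee.rolesAllowed() != null && !callee.rolesAllowed().equals(RUN_AS.peek())) {
            throw new SecurityException("Invocation on " + callee.name() + " is not allowed");
        }
    }

    // Container firing the @Timeout callback; the callback body calls the callee bean.
    static String fireTimeout(Bean timerBean, Bean callee, Predicate<Bean> isSecured) {
        boolean runAsInterceptor = isSecured.test(timerBean) && timerBean.runAs() != null;
        if (runAsInterceptor) RUN_AS.push(timerBean.runAs());   // run-as interceptor: enter
        try {
            invoke(callee);                                     // models bell.ring()
            return "OK";
        } catch (SecurityException e) {
            return "DENIED";
        } finally {
            if (runAsInterceptor) RUN_AS.pop();                 // run-as interceptor: exit
        }
    }

    public static void main(String[] args) {
        Bean alarm = new Bean("Alarm", null, "alarm", null);    // @RunAs("alarm"), no explicit domain
        Bean bell = new Bean("Bell", null, null, "alarm");      // @RolesAllowed("alarm")
        Bean alarmWithDomain = new Bean("Alarm", "example-domain", "alarm", null); // constructed
        System.out.println("explicit-domain-only:    " + fireTimeout(alarm, bell, EXPLICIT_DOMAIN_ONLY));
        System.out.println("domain-or-annotations:   " + fireTimeout(alarm, bell, DOMAIN_OR_ANNOTATIONS));
        System.out.println("explicit domain declared: " + fireTimeout(alarmWithDomain, bell, EXPLICIT_DOMAIN_ONLY));
    }
}
```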