[jboss-jira] [JBoss JIRA] (WFLY-3469) @RunAs - security principal not assigned by default

Tomas Remes (JIRA) issues at jboss.org
Mon Jun 9 08:50:17 EDT 2014 

Tomas Remes created WFLY-3469:
---------------------------------

             Summary: @RunAs - security principal not assigned by default
                 Key: WFLY-3469
                 URL: https://issues.jboss.org/browse/WFLY-3469
             Project: WildFly
          Issue Type: Bug
      Security Level: Public (Everyone can see)
          Components: EJB, Security
    Affects Versions: 8.1.0.Final
            Reporter: Tomas Remes
            Assignee: David Lloyd


I would suppose (however I am not sure here) that following method calling getCallerPrincipal() will return "student" and "notebook" (or at least student, when calling notebook's principal - in the case below) values and not "anonymous" value. From EJB spec in 12.3.4.1 Run-as:
{quote}
The Deployer then assigns a security principal defined in the operational environment to be used as the
principal for the run-as identity. The security principal assigned by the Deployer should be a principal
that has been assigned to the security role specified by RunAs annotation ...
{quote}
Note that I created ApplicationUsers, which maps to the roles of same name (student=student, etc. in application-roles.properties)
This could be IMHO somehow enforced. In JSR-250 2.8
javax.annotation.security.RunAs there is:
{quote}
The RunAs annotation defines the role of the application during execution in a Java
EE container. It can be specified on a class. This allows developers to execute an
application under a particular role. The role MUST map to the user / group
information in the container’s security realm.
{quote}
{code}
@Named
@Stateless
@RunAs("student")
@SecurityDomain("other")
@PermitAll
public class Student {

    @Resource
    private SessionContext context;

    @EJB
    Notebook notebook;

    public String getNotebookPrincipal(){
        return notebook.getCallerPrincipal();
    }

    public String getStudentPrincipal(){
        return context.getCallerPrincipal().toString();
    }
}
{code}
{code}
@Stateless
@RunAs("notebook")
@SecurityDomain("other")
@RolesAllowed("student")
public class Notebook {

    @Resource
    private SessionContext context;

    public String getCallerPrincipal(){
        return context.getCallerPrincipal().toString();
    }
{code}
}



--
This message was sent by Atlassian JIRA
(v6.2.3#6260)

More information about the jboss-jira mailing list