[jboss-jira] [JBoss JIRA] (WFLY-3469) @RunAs - security principal not assigned by default

Josef Cacek (JIRA) issues at jboss.org
Mon Sep 8 05:25:00 EDT 2014


     [ https://issues.jboss.org/browse/WFLY-3469?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Josef Cacek closed WFLY-3469.
-----------------------------
    Resolution: Rejected


The {{@RunAs}} annotation is used for assigning a *role for outgoing calls*. So in your example the "student" role is used for calling the second EJB from the Student class:
{code}
notebook.getCallerPrincipal();
{code}

If you want to set the principal, then use the annotation {{org.jboss.ejb3.annotation.RunAsPrincipal}}

{code}
@RunAsPrincipal("MyPrincipalName")
{code}

I'm closing the bug as rejected. If you think there is still an issue, feel free to reopen it.

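Added here as an illustration of the closing comment above, not code from the ticket or from WildFly: the reporter's two beans adjusted so the run-as identity carries a named principal, with Notebook reporting both the principal name and the role check. The class, method and principal names are made up.

```java
// Student.java  (hypothetical names; run-as identity applies to outgoing calls)
import javax.annotation.Resource;
import javax.annotation.security.PermitAll;
import javax.annotation.security.RolesAllowed;
import javax.annotation.security.RunAs;
import javax.ejb.EJB;
import javax.ejb.SessionContext;
import javax.ejb.Stateless;
import org.jboss.ejb3.annotation.RunAsPrincipal;
import org.jboss.ejb3.annotation.SecurityDomain;

@Stateless
@SecurityDomain("other")
@PermitAll
@RunAs("student")                 // role carried on the calls Student makes
@RunAsPrincipal("run-as-student") // principal carried with it (hypothetical name)
public class Student {
    @Resource
    private SessionContext context;
    @EJB
    private Notebook notebook;

    // Not affected by run-as: this is still the identity that called Student,
    // e.g. "anonymous" for an unauthenticated client.
    public String getStudentPrincipal() {
        return context.getCallerPrincipal().getName();
    }

    // Notebook observes the run-as identity, not Student's own caller.
    public String getNotebookView() {
        return notebook.describeCaller();
    }
}

// Notebook.java  (same imports as above)
@Stateless
@SecurityDomain("other")
@RolesAllowed("student") // satisfied by Student's run-as role, whoever called Student
public class Notebook {
    @Resource
    private SessionContext context;
    // Reports the run-as principal name set by @RunAsPrincipal and the role check;
    // without @RunAsPrincipal the name falls back to a container default, which
    // the reporter observed as "anonymous".
    public String describeCaller() {
        return context.getCallerPrincipal().getName()
             + " inRole(student)=" + context.isCallerInRole("student");
    }
}
```
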
> @RunAs - security principal not assigned by default
> ---------------------------------------------------
>
>                 Key: WFLY-3469
>                 URL: https://issues.jboss.org/browse/WFLY-3469
>             Project: WildFly
>          Issue Type: Bug
>          Components: EJB, Security
>    Affects Versions: 8.1.0.Final
>            Reporter: Tomas Remes
>            Assignee: David Lloyd
>
> I would suppose (however I am not sure here) that the following methods calling getCallerPrincipal() will return the "student" and "notebook" values (or at least "student", when calling the notebook's principal in the case below) and not the "anonymous" value. From the EJB spec, 12.3.4.1 Run-as:
> {quote}
> The Deployer then assigns a security principal defined in the operational environment to be used as the
> principal for the run-as identity. The security principal assigned by the Deployer should be a principal
> that has been assigned to the security role specified by RunAs annotation ...
> {quote}
> Note that I created ApplicationUsers, which map to the roles of the same name (student=student, etc. in application-roles.properties).
> This could IMHO be somehow enforced. In JSR-250 2.8
> javax.annotation.security.RunAs there is:
> {quote}
> The RunAs annotation defines the role of the application during execution in a Java
> EE container. It can be specified on a class. This allows developers to execute an
> application under a particular role. The role MUST map to the user / group
> information in the container’s security realm.
> {quote}
> {code}
> import javax.annotation.Resource;
> import javax.annotation.security.PermitAll;
> import javax.annotation.security.RunAs;
> import javax.ejb.EJB;
> import javax.ejb.SessionContext;
> import javax.ejb.Stateless;
> import javax.inject.Named;
> import org.jboss.ejb3.annotation.SecurityDomain;
>
> @Named
> @Stateless
> @RunAs("student")
> @SecurityDomain("other")
> @PermitAll
> public class Student {
>     @Resource
>     private SessionContext context;
>     @EJB
>     Notebook notebook;
>     // Calls the second EJB and returns the principal it reports.
>     public String getNotebookPrincipal(){
>         return notebook.getCallerPrincipal();
>     }
>     // Returns the principal seen by this bean's own SessionContext.
>     public String getStudentPrincipal(){
>         return context.getCallerPrincipal().toString();
>     }
> }
> {code}
> {code}
> import javax.annotation.Resource;
> import javax.annotation.security.RolesAllowed;
> import javax.annotation.security.RunAs;
> import javax.ejb.SessionContext;
> import javax.ejb.Stateless;
> import org.jboss.ejb3.annotation.SecurityDomain;
>
> @Stateless
> @RunAs("notebook")
> @SecurityDomain("other")
> @RolesAllowed("student")
> public class Notebook {
>     @Resource
>     private SessionContext context;
>     public String getCallerPrincipal(){
>         return context.getCallerPrincipal().toString();
>     }
> }
> {code}



--
This message was sent by Atlassian JIRA
(v6.3.1#6329)
