[jboss-user] [Security & JAAS/JBoss] - Re: Bug in SecurityAssociation(?) - EJB3 MDB Calls a SLSB wh

[sappenin]

Ok, so I found various threads (like this one: http://www.jboss.org/index.html?module=bb&op=viewtopic&t=37807 and http://www.jboss.org/index.html?module=bb&op=viewtopic&t=35269).

>From what I can tell, the @RunAs annotation is merely specifying the "role" to use, whereas an MDB that calls a secured SLSB will not have a principal.  The suggestions seem to be, "Just perform a JAAS login before accessing your SLSB, and you'll be ok".

However, something about this isn't sitting right with me.

1.) If the MDB RunAs annotation is merely providing a role, but no principal, shouldn't the "unauthenticated" identity get used, just with the @RunAs role?  This isn't happening, since my unauthenticated identity is "guest" (in login-config.xml), the SecurityAssociation Stack (detailed above) is showing "anonymous" as the principal, and JBAS doesn't care about either....it is simply throwing an IllegalStateException whenever I try to access the principal inside of my SLSB (called from an MDB).  (Error:  java.lang.IllegalStateException: No valid security context for the caller identity).

2.) If I perform a programmatic JAAS login inside of my MDB, but just before calling my SLSB, everything works fine.  However, shouldn't I be able to use the unauthenticated identiy coupled with the RunAs role in this scenario???

Any thoughts?

David

View the original post : http://www.jboss.com/index.html?module=bb&op=viewtopic&p=3977677#3977677

Reply to the post : http://www.jboss.com/index.html?module=bb&op=posting&mode=reply&p=3977677