[jboss-user] [Security & JAAS/JBoss] - ejbStore Running with Incorrect Security Identity
do-not-reply at jboss.com
Thu May 24 13:24:20 EDT 2007
I've got a situation where I'm calling a finder method on an EJB (BeanA) and it is resulting in a call to ejbStore on another bean (BeanB) that was previously modified in the same transaction. The BeanB ejbStore makes a call into yet another bean (BeanC). Beans A, B, and C all run in the same transaction, but BeanA is configured to run-as Role1 and Beans B and C as Role2. BeanC is configured to only allow calls by Role2. (Also, Beans B and C are in a different EAR than BeanA).
The problem is that the call to ejbStore in BeanB actually still has the security context of BeanA (Role1) instead of running as Role2. So the call into BeanC results in an error, something like "Insufficient method permissions, runAsRole=Role1, method=myMethod, interface=LOCAL, requiredRoles=[Role2]".
I searched the JBoss source code (using JBoss 3.2.5) and saw that the finder call ends up executing org.jboss.ejb.EntityContainer.synchronizeEntitiesWithinTransaction but never seems to set the appropriate run-as identity when calling ejbStore on the entities it is synchronizing.
I saw a seemingly related post on this at http://jira.jboss.com/jira/browse/JBAS-4304 but it didn't seem to talk about this security aspect. I could possibly work around the issue using sync-on-commit-only (might not be a good option for us) or by attempting to make the finder call before making modifications in BeanB.
Is this issue addressed in a later release of the product? We have not really been able to upgrade recently, so my main question is: if this is truly an issue, does it only affect these ejbStore calls for finders, or is there anything else it would effect?
Thanks for your insight.
(Using JBoss 3.2.5 on Windows XP, Sun JDK 1.4.2_13)
View the original post : http://www.jboss.com/index.html?module=bb&op=viewtopic&p=4048420#4048420
Reply to the post : http://www.jboss.com/index.html?module=bb&op=posting&mode=reply&p=4048420
More information about the jboss-user