[jboss-user] [Security & JAAS/JBoss] - @RunAs in JBoss 5 - Caller unauthorized in second call

komet_1978 do-not-reply at jboss.com
Wed May 27 05:01:18 EDT 2009


Hallo,

I've noticed the following strange behaviour using the @RunAs annotation in a secured STSB. 

I've tried JBoss 5.0.1.GA and 5.1.0.GA.

Take a look at the following simple scenario: three secured STSBs Caller, A and B. Caller runs as Admin, defined by the @RunAs("Admin") annotation, and uses the role Admin for all method calls on other STSBs; STSB A allows access only to Admins (realized by the @RolesAllowed("Admin") annotation), and the same definition can be found in STSB B. All STSBs are in the same security domain, defined by @SecurityDomain("foo").

1) Authorized Client calls Caller method (the Client hasn't got the role "Admin")
2) Caller method calls A method (as an "Admin")
3) A method calls B method (I supposed that the "Admin" role is propagated to the second call)

1) and 2) are ok.
3) throws "Caller unauthorized" exception.

Is this a bug or a feature?

View the original post : http://www.jboss.org/index.html?module=bb&op=viewtopic&p=4233507#4233507

Reply to the post : http://www.jboss.org/index.html?module=bb&op=posting&mode=reply&p=4233507
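The three-bean scenario from the post, written out as an added example (not code from the poster or from the JBoss project). It assumes local business interfaces, a "User" role for the non-Admin client, and the JBoss 5 EJB3 annotation org.jboss.ejb3.annotation.SecurityDomain; the three public classes are shown in one listing but belong in separate source files. ABean also reports the principal and role in effect just before the A -> B call, which is the check a practitioner would add to see whether the run-as identity from Caller is still active at step 3.

```java
import javax.annotation.Resource;
import javax.annotation.security.RolesAllowed;
import javax.annotation.security.RunAs;
import javax.ejb.EJB;
import javax.ejb.Local;
import javax.ejb.SessionContext;
import javax.ejb.Stateless;
import org.jboss.ejb3.annotation.SecurityDomain;

// Assumed local business interfaces for the three STSBs.
@Local interface CallerLocal { String doWork(); }
@Local interface ALocal { String doA(); }
@Local interface BLocal { String doB(); }

// Step 1: a client holding the (assumed) "User" role, but not "Admin", calls Caller.
@Stateless
@SecurityDomain("foo")
@RunAs("Admin")            // outgoing calls from Caller carry the Admin role
@RolesAllowed("User")      // assumed client role; the client is not an Admin
public class CallerBean implements CallerLocal {
    @EJB private ALocal a;

    public String doWork() {
        return a.doA();    // step 2: Caller -> A, authorized because of @RunAs("Admin")
    }
}

// Step 3 happens here: A calls B without a @RunAs of its own.
@Stateless
@SecurityDomain("foo")
@RolesAllowed("Admin")
public class ABean implements ALocal {
    @EJB private BLocal b;
    @Resource private SessionContext ctx;

    public String doA() {
        // Diagnostic: which identity does A see before it calls B?
        // If the Admin run-as identity is still in effect, isCallerInRole("Admin") is true.
        String who = ctx.getCallerPrincipal() == null ? "null" : ctx.getCallerPrincipal().getName();
        boolean admin = ctx.isCallerInRole("Admin");
        System.out.println("ABean.doA: principal=" + who + ", inRole(Admin)=" + admin);
        return b.doB();    // the poster reports "Caller unauthorized" on this call
    }
}

@Stateless
@SecurityDomain("foo")
@RolesAllowed("Admin")
public class BBean implements BLocal {
    public String doB() {
        return "B reached";
    }
}
```

Deploying this in security domain "foo" (configured in login-config.xml with users that hold "User" but not "Admin") reproduces the three-step call chain described in the post; the printed line from ABean shows whether the role that authorized step 2 is still what the container propagates into step 3.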
