[jboss-user] [Security & JAAS/JBoss] - @RunAs in JBoss 5 - Caller unauthorized in second call
komet_1978
do-not-reply at jboss.com
Wed May 27 05:01:18 EDT 2009
Hello,
I've noticed the following strange behaviour using the @RunAs annotation in a secured STSB.
I've tried JBoss 5.0.1.GA and 5.1.0.GA.
Take a look at the following simple scenario: three secured STSBs Caller, A and B. Caller runs as Admin, defined by the @RunAs("Admin") annotation, and uses the role Admin for all method calls on other STSBs; STSB A allows access only to Admins (realized by the @RolesAllowed("Admin") annotation), and the same definition can be found in STSB B. All STSBs are in the same security domain, defined by @SecurityDomain("foo").
1) Authorized Client calls Caller method (the Client hasn't got the role "Admin")
2) Caller method calls A method (as an "Admin")
3) A method calls B method. (I supposed that the "Admin" role is propagated to the second call)
1) and 2) are ok.
3) throws "Caller unauthorized" exception.
Is this a bug or a feature?
View the original post : http://www.jboss.org/index.html?module=bb&op=viewtopic&p=4233507#4233507
Reply to the post : http://www.jboss.org/index.html?module=bb&op=posting&mode=reply&p=4233507
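The three-bean setup described in the post, written out as an added example (this is not the poster's code and not JBoss project code). It assumes the bean and method names Caller/A/B and doIt(), a security domain named "foo", and that org.jboss.ejb3.annotation.SecurityDomain is the JBoss 5 annotation in use. Each hop also records the caller principal and whether the container considers the caller an Admin, via SessionContext, so that the effective role at every step of the chain can be compared in the server log rather than inferred from the final exception.

```java
import javax.annotation.Resource;
import javax.annotation.security.RolesAllowed;
import javax.annotation.security.RunAs;
import javax.ejb.EJB;
import javax.ejb.SessionContext;
import javax.ejb.Stateless;
import java.util.logging.Logger;

import org.jboss.ejb3.annotation.SecurityDomain; // JBoss 5 EJB3 annotation (assumed)

// Shared helper: log who the container thinks is calling at this hop.
// Comparing these lines across Caller -> A -> B shows where the
// "Admin" role stops being visible to the container.
final class HopTrace {
    private static final Logger LOG = Logger.getLogger("hoptrace");
    static void log(String bean, SessionContext ctx) {
        LOG.info(bean + ": principal=" + ctx.getCallerPrincipal().getName()
               + " isAdmin=" + ctx.isCallerInRole("Admin"));
    }
    private HopTrace() {}
}

// Step 1: any authenticated client may call this bean; inside it,
// the container applies the run-as identity "Admin" to outgoing calls.
@Stateless
@SecurityDomain("foo")
@RunAs("Admin")
@RolesAllowed({"User", "Admin"})   // assumed client role "User"
public class Caller {
    @Resource SessionContext ctx;
    @EJB A a;

    public String doIt() {
        HopTrace.log("Caller", ctx);   // principal = real client, isAdmin typically false
        return a.doIt();               // step 2: reaches A under the run-as role
    }
}

// Step 2: reachable only by Admins; succeeds in the reported scenario.
@Stateless
@SecurityDomain("foo")
@RolesAllowed("Admin")
public class A {
    @Resource SessionContext ctx;
    @EJB B b;

    public String doIt() {
        HopTrace.log("A", ctx);        // the post reports this hop is authorized
        return b.doIt();               // step 3: the post reports "Caller unauthorized" here
    }
}

// Step 3: same constraint as A; the post reports this call is rejected.
@Stateless
@SecurityDomain("foo")
@RolesAllowed("Admin")
public class B {
    @Resource SessionContext ctx;

    public String doIt() {
        HopTrace.log("B", ctx);
        return "ok";
    }
}
```

Reading the three HopTrace lines side by side is the quickest way to see whether the run-as identity established in Caller is still what the container evaluates when A invokes B; if the "A" line reports isAdmin=true but B is never reached, the role visible to A's own code and the identity propagated on A's outgoing call differ, which is the distinction the post is asking about.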