[jboss-user] [Security] - Re: Problems with authentication on EJB2

[sverker]

Ok, I've found a solution. In the case with call to ejb from mbean I added a SecurityAssociation.pushRunAsIdentity(new RunAsIdentity("System", "System")) and corresponding pop around the operation.

In the case where I called from the web layer it turned out that I first call a SLSB, which calls a method on an entity which tries to create another entity. At that point the principal had been lost. I'm not sure why it didn't pick up unauthenticated-principal at that point.

The solution for that was to add <security-identity><use-caller-identity /></security-identity> to all beans in ejb-jar.xml. There seem to be a bug there, according to http://www.redhat.com/docs/manuals/jboss/jboss-eap-4.2/doc/Server_Configuration_Guide/J2EE_Declarative_Security_Overview-Security_Identity.html it should be the default to use caller identity when no explicit security-identity is present.

It seems the bug is in org.jboss.ejb.plugins.SecurityInterceptor#setContainer. I've filed a bug report in jira at https://jira.jboss.org/jira/browse/JBAS-7405

View the original post : http://www.jboss.org/index.html?module=bb&op=viewtopic&p=4262295#4262295

Reply to the post : http://www.jboss.org/index.html?module=bb&op=posting&mode=reply&p=4262295