[ 
https://issues.apache.org/jira/browse/GERONIMO-2868?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel#action_12478074
 ] 

Aman Nanner commented on GERONIMO-2868:
---------------------------------------

From the J2EE 1.4 spec:

{quote}
J2EE.3.5.4 Run As Identities
J2EE products must also support the Run As capability that allows the
Application Component Provider and the Deployer to specify an identity under
which an enterprise bean or web component must run. In this case it is the
Run As identity that is propagated to subsequent EJB components, rather than
the original caller identity.
Note that this specification doesn't specify any relationship between the Run
As identity and any underlying operating system identity that may be used to
access system resources such as files. However, the Java Authorization Contract
for Containers specification does specify the relationship between the Run As
identity and the access control context used by the J2SE security manager.
{quote}

So you are correct; the spec is saying that subsequent invocations from the 
bean will be under the <run-as> identity.

However, there is still some kind of issue going on, since even with the 
EjbRunAsInterceptor (but without my patch to it), my MDB could not invoke a 
session EJB with restricted method permissions on it.  I'll see if I can look 
into this a bit further.

> Message Driven Beans will not run under the specified "run-as" Subject
> ----------------------------------------------------------------------
>
>                 Key: GERONIMO-2868
>                 URL: https://issues.apache.org/jira/browse/GERONIMO-2868
>             Project: Geronimo
>          Issue Type: Bug
>      Security Level: public(Regular issues) 
>          Components: OpenEJB, security
>    Affects Versions: 1.2
>            Reporter: Aman Nanner
>         Attachments: mdb-run-as.patch
>
>
> If a message driven bean is configured with a "run-as" element, it is being 
> ignored and the message driven bean is not run as the specified Subject.  The 
> MDB would be configured in the ejb-jar.xml as follows:
> ----
>       <message-driven>
>          <display-name>TestMDB</display-name>
>          <ejb-name>TestMDB</ejb-name>
>          <ejb-class>com.acme.ejb.TestMDB</ejb-class>
>          <transaction-type>Bean</transaction-type>
>          <message-destination-type>javax.jms.Topic</message-destination-type>
>          <activation-config>
>             <activation-config-property>
>                <activation-config-property-name>acknowledgeMode</activation-config-property-name>
>                <activation-config-property-value>Auto-acknowledge</activation-config-property-value>
>             </activation-config-property>
>             <activation-config-property>
>                <activation-config-property-name>messageSelector</activation-config-property-name>
>                <activation-config-property-value>JOB_CODE = 'FOO'</activation-config-property-value>
>             </activation-config-property>
>             <activation-config-property>
>                <activation-config-property-name>subscriptionDurability</activation-config-property-name>
>                <activation-config-property-value>NonDurable</activation-config-property-value>
>             </activation-config-property>
>          </activation-config>
>          <ejb-ref>
>             <ejb-ref-name>ejb/common/TestEJB</ejb-ref-name>
>             <ejb-ref-type>Session</ejb-ref-type>
>             <home>com.acme.ejb.TestHome</home>
>             <remote>com.acme.ejb.TestRemote</remote>
>             <ejb-link>TestEJB</ejb-link>
>          </ejb-ref>
>          <security-identity>
>             <run-as>
>                <role-name>TESTROLE</role-name>
>             </run-as>
>          </security-identity>
>       </message-driven>
> ----
> Upon inspection of the org.apache.openejb.mdb.DefaultMdbContainer class, it 
> is noted that the EjbRunAsInterceptor is not configured as part of the 
> invocation step (as it is in 
> org.apache.openejb.slsb.DefaultStatelessEjbContainer).  Therefore, the run-as 
> Subject is never being set as part of the Caller stack.
> I added the EjbRunAsInterceptor into the invocation stack and rebuilt 
> Geronimo, but this didn't completely fix the problem.  The 
> EjbRunAsInterceptor is now being called, and the Subject is being set as the 
> "next" caller in the ContextManager's caller stack.  However, the 
> EjbIdentityInterceptor runs next, and authorizes the invocation under the 
> "current" caller, not the "next" caller.  Thus, the run-as Subject does NOT 
> perform the invocation.
> I'm not sure what the best way is to fix this without impacting everything 
> else.  If somebody with more knowledge in this area has a good idea, I can 
> try it and submit a patch.
> Also note that this problem seems to imply that the "run-as" functionality 
> wouldn't work with session EJBs either (I haven't tried to verify this).

-- 
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.
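
An added illustration of the J2EE.3.5.4 semantics discussed in this thread, not Geronimo or OpenEJB code and not part of the original message: a toy caller stack in which the container authorizes each invocation against the current caller and applies a bean's run-as role only to the calls that bean makes. The class, the `invoke` helper and the `UNAUTHENTICATED` placeholder are hypothetical; the bean and role names are reused from the ejb-jar.xml above, and restricting TestEJB to TESTROLE is an assumption.

```java
import java.util.ArrayDeque;
import java.util.Deque;
import java.util.Set;

// Toy model only: none of these names are Geronimo or OpenEJB API.
public class RunAsDemo {
    // Caller identities for the current thread, innermost invocation on top.
    static final Deque<String> callers = new ArrayDeque<>();

    interface Body { void run(); }

    // One container-managed invocation. permittedRoles == null means the
    // method is unchecked; runAs == null means caller identity is propagated.
    static void invoke(String bean, Set<String> permittedRoles, String runAs, Body body) {
        String current = callers.peek();
        // Authorization looks at the caller of this bean, never at its run-as role.
        if (permittedRoles != null && !permittedRoles.contains(current)) {
            throw new SecurityException(current + " may not call " + bean);
        }
        System.out.println(bean + " authorized for caller " + current);
        // The run-as role becomes the caller for anything the body invokes.
        callers.push(runAs != null ? runAs : current);
        try {
            body.run();
        } finally {
            callers.pop();
        }
    }

    public static void main(String[] args) {
        // Constructed placeholder: message delivery arrives with no caller role.
        callers.push("UNAUTHENTICATED");
        // Assumption: TestEJB's method is restricted to TESTROLE.
        Body callTestEjb = () -> invoke("TestEJB", Set.of("TESTROLE"), null, () -> { });

        // MDB declares <run-as> TESTROLE: its nested call passes the check.
        invoke("TestMDB", null, "TESTROLE", callTestEjb);

        // Same MDB without <run-as>: the nested call is rejected.
        try {
            invoke("TestMDB", null, null, callTestEjb);
        } catch (SecurityException e) {
            System.out.println("denied: " + e.getMessage());
        }
    }
}
```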