[
https://issues.apache.org/jira/browse/GERONIMO-2868?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Aman Nanner updated GERONIMO-2868:
----------------------------------
Attachment: mdb-default-subject-interceptor.patch
Ok, here's a first pass at a patch for this issue. It's causing several test
failures and errors that I have not yet had a chance to look into.
> Message Driven Beans will not run under the specified "run-as" Subject
> ----------------------------------------------------------------------
>
> Key: GERONIMO-2868
> URL: https://issues.apache.org/jira/browse/GERONIMO-2868
> Project: Geronimo
> Issue Type: Bug
> Security Level: public(Regular issues)
> Components: OpenEJB, security
> Affects Versions: 1.2
> Reporter: Aman Nanner
> Assigned To: David Jencks
> Attachments: mdb-default-subject-interceptor.patch, mdb-run-as.patch
>
>
> If a message driven bean is configured with a "run-as" element, it is being
> ignored and the message driven bean is not run as the specified Subject. The
> MDB would be configured in the ejb-jar.xml as follows:
> ----
> <message-driven>
>   <display-name>TestMDB</display-name>
>   <ejb-name>TestMDB</ejb-name>
>   <ejb-class>com.acme.ejb.TestMDB</ejb-class>
>   <transaction-type>Bean</transaction-type>
>   <message-destination-type>javax.jms.Topic</message-destination-type>
>   <activation-config>
>     <activation-config-property>
>       <activation-config-property-name>acknowledgeMode</activation-config-property-name>
>       <activation-config-property-value>Auto-acknowledge</activation-config-property-value>
>     </activation-config-property>
>     <activation-config-property>
>       <activation-config-property-name>messageSelector</activation-config-property-name>
>       <activation-config-property-value>JOB_CODE = 'FOO'</activation-config-property-value>
>     </activation-config-property>
>     <activation-config-property>
>       <activation-config-property-name>subscriptionDurability</activation-config-property-name>
>       <activation-config-property-value>NonDurable</activation-config-property-value>
>     </activation-config-property>
>   </activation-config>
>   <ejb-ref>
>     <ejb-ref-name>ejb/common/TestEJB</ejb-ref-name>
>     <ejb-ref-type>Session</ejb-ref-type>
>     <home>com.acme.ejb.TestHome</home>
>     <remote>com.acme.ejb.TestRemote</remote>
>     <ejb-link>TestEJB</ejb-link>
>   </ejb-ref>
>   <security-identity>
>     <run-as>
>       <role-name>TESTROLE</role-name>
>     </run-as>
>   </security-identity>
> </message-driven>
> ----
> Upon inspection of the org.apache.openejb.mdb.DefaultMdbContainer class, it
> is noted that the EjbRunAsInterceptor is not configured as part of the
> invocation step (as it is in
> org.apache.openejb.slsb.DefaultStatelessEjbContainer). Therefore, the run-as
> Subject is never being set as part of the Caller stack.
> I added the EjbRunAsInterceptor into the invocation stack and rebuilt
> Geronimo, but this didn't completely fix the problem. The
> EjbRunAsInterceptor is now being called, and the Subject is being set as the
> "next" caller in the ContextManager's caller stack. However, the
> EjbIdentityInterceptor runs next, and authorizes the invocation under the
> "current" caller, not the "next" caller. Thus, the run-as Subject does NOT
> perform the invocation.
> I'm not sure what the best way is to fix this without impacting everything
> else. If somebody with more knowledge in this area has a good idea, I can
> try it and submit a patch.
> Also note that this problem seems to imply that the "run-as" functionality
> wouldn't work with session EJBs either (I haven't tried to verify this).
--
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.
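The issue description talks about a run-as interceptor setting the "next" caller while the identity interceptor authorizes against the "current" caller. The following is an added, self-contained Java model of that two-slot caller stack, written to illustrate the mechanics; it is not Geronimo's or OpenEJB's code, and CallerStack, Interceptor, Bean and Subject are hypothetical stand-ins, not ContextManager or the real interceptor classes. It follows the EJB run-as semantics (the run-as identity is the one the bean presents on the calls it makes) and shows the practical consequence for a descriptor like the one above, where TestMDB has both a run-as role and an ejb-ref to TestEJB: with the run-as interceptor absent from the MDB chain, TestEJB sees the unauthenticated delivery Subject instead of TESTROLE, so a role-protected TestEJB method is refused (or, where it is not protected, audit records attribute the work to the wrong identity); with the interceptor ahead of the identity check, the call to TestEJB carries TESTROLE.

```java
import java.util.ArrayDeque;
import java.util.Deque;
import java.util.List;
import java.util.Set;

/*
 * Simplified model (not Geronimo's ContextManager) of a caller stack with two
 * slots per frame: "current" is the Subject that invoked this bean, "next" is the
 * Subject this bean uses for the calls it makes. run-as replaces "next" only.
 */
public final class RunAsModel {

    record Subject(String name, Set<String> roles) {}
    record Frame(Subject current, Subject next) {}

    /** Bean metadata: role the business method requires, run-as Subject, callee (both nullable). */
    record Bean(String name, String requiredRole, Subject runAs, Bean callee) {}

    /** Hypothetical stand-in for the container's caller stack. */
    static final class CallerStack {
        private final Deque<Frame> frames = new ArrayDeque<>();

        void push(Subject caller) {           // entering a bean: "next" defaults to "current"
            frames.push(new Frame(caller, caller));
        }
        void setNextCaller(Subject runAs) {   // what a run-as interceptor does
            Frame f = frames.pop();
            frames.push(new Frame(f.current(), runAs));
        }
        Subject current() { return frames.peek().current(); }
        Subject next()    { return frames.peek().next(); }
        void pop()        { frames.pop(); }
    }

    interface Interceptor { void invoke(CallerStack stack, Bean bean); }

    /** Sets the bean's run-as Subject as the "next" caller, if one is declared. */
    static final Interceptor RUN_AS = (stack, bean) -> {
        if (bean.runAs() != null) stack.setNextCaller(bean.runAs());
    };

    /** Authorizes the incoming call against the "current" caller. */
    static final Interceptor IDENTITY = (stack, bean) -> {
        Subject who = stack.current();
        if (bean.requiredRole() != null && !who.roles().contains(bean.requiredRole())) {
            throw new SecurityException(bean.name() + ": caller " + who.name()
                    + " lacks role " + bean.requiredRole());
        }
    };

    /** Runs the chain for one bean, then invokes its callee with "next" as the callee's caller. */
    static String invoke(List<Interceptor> chain, Bean bean, Subject caller, CallerStack stack) {
        stack.push(caller);
        try {
            for (Interceptor i : chain) i.invoke(stack, bean);
            String seen = bean.name() + " authorized as " + stack.current().name();
            if (bean.callee() != null) {
                seen += "; " + invoke(chain, bean.callee(), stack.next(), stack);
            }
            return seen;
        } finally {
            stack.pop();                      // always unwind, even when authorization fails
        }
    }

    public static void main(String[] args) {
        // Constructed sample Subjects and beans mirroring the descriptor in the report.
        Subject unauthenticated = new Subject("unauthenticated", Set.of());
        Subject runAsTestRole = new Subject("run-as:TESTROLE", Set.of("TESTROLE"));
        Bean testEjb = new Bean("TestEJB", "TESTROLE", null, null);
        Bean testMdb = new Bean("TestMDB", null, runAsTestRole, testEjb);

        // MDB chain without the run-as interceptor: TestEJB sees the delivery Subject.
        try {
            System.out.println(invoke(List.of(IDENTITY), testMdb, unauthenticated, new CallerStack()));
        } catch (SecurityException e) {
            System.out.println("without run-as interceptor: " + e.getMessage());
        }
        // Chain with the run-as interceptor ahead of the identity check: TestEJB sees TESTROLE.
        System.out.println(invoke(List.of(RUN_AS, IDENTITY), testMdb, unauthenticated, new CallerStack()));
    }
}
```

Compile and run with a Java 16 or newer JDK (records are used). The first invocation prints the SecurityException raised for TestEJB; the second prints that TestMDB was authorized as the unauthenticated delivery Subject while TestEJB was reached as run-as:TESTROLE, which is the hop where the run-as identity becomes visible.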