On Feb 7, 2011, at 12:05 PM, Thiago Veronezi wrote:

> Hi devs!
> I'm trying to reproduce the issue reported here:
> http://openejb.979440.n4.nabble.com/3-4-SNAPSHOT-EjbObjectProxyHandler-FutureAdapter-is-not-Serializable-td3259083.html
>
> To do it, I've changed one function of my current project: from
> "uploadFilePart" method to "asyncUploadFilePart". Now I'm facing a problem
> with the business logic. When my "async method" calls the "getMyFile"
> method, the caller principal is "guest". I've run the ejb.3.1.spec document,
> but I didn't find what's the expected behaviour here.
>
> The question is: Should the "callerPrincipal" be the original caller, or
> should it be the "guest" user for async method invocations?

Transaction and security state don't propagate to async methods, so guest is correct. It is possible to use the @RunAs on the async method to hard code it to run as a specific role, however.

On a slightly different angle, I think it should still be possible to use @RolesAllowed on an async method and get the security check done before the async method is queued. I'm not sure what our current behavior is in that regard, but it would be optimal. Don't think it's required by the spec -- certainly if we don't do it now, the TCK doesn't check for it.

Thanks for working on this!

-David
