I'm using ctx.getCallerPrincipal() extensively for fine-grained security which I control.  I depend only on JBoss to ensure that the caller principal is set correctly on every invocation.

This works most of the time (with a fix I've discussed on this group earlier).  However, I'm having one problem, and I don't know if it's a bug or if I'm violating the EJB spec.

In my "User" entity bean I want to get a reference to a different instance of "User".  I do this:

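public void myMethod( ) throws RemoteException {
    ....
    // getEJBHome() returns javax.ejb.EJBHome, so cast to this bean's home interface
    UserHome h = (UserHome) ctx.getEJBHome();
    // Look up a different User instance through the same home
    User otherUser = h.findByPrimaryKey( key );
    ...
}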

The problem is that the caller principal when I invoke methods on otherUser is NOT the caller principal from the calling thread.  Rather, it is the caller principal which was used when my client retrieved the UserHome at an earlier point.

If it is legal to call "getEJBHome" inside of a bean, then there appears to be a bug in the way caller principal is propagated to the home.

(I recognize that an alternative is to look up the home as an EJB reference using JNDI, and I assume the caller is propagated that way.  However, it seems to me "getEJBHome" should work also.)

Keith L. Musser
Integrated Dynamics, Inc.
812-371-7777
email:  [EMAIL PROTECTED]
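
A simplified model of the symptom described in the post above, added here as an illustration; it is not part of the original message and not JBoss code. All class and method names are hypothetical and the principals are constructed. It contrasts a proxy that freezes the caller identity when the home is obtained with one that reads it from the invoking thread on each call.

```java
import java.util.function.Supplier;

// Simplified model of the behaviour described in the post; not JBoss code.
// All class and method names here are hypothetical.
public class PrincipalPropagationDemo {
    // Stand-in for the container's per-thread security association.
    static final ThreadLocal<String> CALLER = new ThreadLocal<>();

    // Stand-in for a home/remote proxy: the principal it sends with each
    // invocation comes from whatever source it was built with.
    static final class HomeProxy {
        private final Supplier<String> principalSource;
        HomeProxy(Supplier<String> principalSource) { this.principalSource = principalSource; }
        // Returns the principal the target bean would see from getCallerPrincipal().
        String invoke() { return principalSource.get(); }
    }

    // Behaviour reported in the post: identity frozen when the home was obtained.
    static HomeProxy capturedAtCreation() {
        final String snapshot = CALLER.get();
        return new HomeProxy(() -> snapshot);
    }

    // Expected behaviour: identity read from the invoking thread on every call.
    static HomeProxy readPerInvocation() {
        return new HomeProxy(CALLER::get);
    }

    public static void main(String[] args) {
        CALLER.set("alice");   // constructed principal: first client obtains the home
        HomeProxy stale = capturedAtCreation();
        HomeProxy fresh = readPerInvocation();

        CALLER.set("bob");     // constructed principal: later invocation by another caller
        String seenStale = stale.invoke();
        String seenFresh = fresh.invoke();

        System.out.println("captured-at-creation proxy sees: " + seenStale);
        System.out.println("per-invocation proxy sees:       " + seenFresh);

        // Check a bean doing its own authorization can apply before trusting the result.
        if (!CALLER.get().equals(seenStale)) {
            System.out.println("MISMATCH: authorization would run as " + seenStale
                    + " while the real caller is " + CALLER.get());
        }
    }
}
```

When a bean makes its own access decisions from the caller principal, the first proxy evaluates them against the identity of whoever obtained the home, not the current caller.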
