Thanks for the prompt answer. Is there any plan (or patches-out-there) that would forward the run-as role to the application component? Is JBoss 3.x similar? I do not know the J2EE spec well enough but guess that it must be a grey area. However, the current implementation is "counter-intuitive". Our beans can be accessed by a client app but also MDB and timer clients.

We tried to do a JAAS login in the schedulable task (using the MBean Timer) but it does not seem to work; it is still using the unauthenticatedIdentity. Has anyone managed this? We might want to have a look at propagating the role. If there is some interest and it is not "wrecking" the current architecture, could you give us any pointers?

Many thanks

Benoit

>That is the current implemented behavior. The run-as role is only available to
>the declarative security layer, not the application component.

>xxxxxxxxxxxxxxxxxxxxxxxx
>Scott Stark
>Chief Technology Officer
>JBoss Group, LLC
>xxxxxxxxxxxxxxxxxxxxxxxx

----- Original Message -----
From: "Benoit Xhenseval" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Wednesday, September 18, 2002 1:17 PM
Subject: [JBoss-user] Security Roles not accessible in beans?

> Hi
>
> We are using JBoss 2.4.4 with JAAS and the DatabaseUserLoginModule.
>
> In some part of the ejb code, we are using getContext().isCallerInRole(xxxxx)
> and everything works fine... Except in this case and we wonder if
> 1/ it is normal behaviour
> 2/ it is a bug
> 3/ if there is a workaround or patch...
>
> Here is the scenario:
>
> One Stateless Session bean, say bean1, has the security set to <unchecked/> as it is called by the
> MBEAN Timer.
> The JAAS module defines "nobody" as the unauthenticated user.
> The Session bean defines <run-as>Manager</Manager> in the ejb-jar.xml as the bean will call other
> beans, say bean2. bean2 has security only allowing users with role "Manager" to access it.
>
> The symptom: the context in bean2 does not seem to have ANY role when it is called from the bean1.
> bean1 can access bean2 but bean2 ALWAYS fails on getContext().isCallerInRole(xxxxx)
>
> It works fine from a client with a JAAS login, we can test the roles if required.
>
> getContext().getCallerPrincipal().getName() will give you "nobody" as expected.
>
> We were under the impression that the <run-as> role should be passed to the context in bean2! Is
> it a known bug? Has anyone faced something similar?
>
> Many thanks in advance,
>
> Benoit.
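
The behaviour described in this thread, as an added toy model that is not part of the original messages and is not JBoss code: the container's method-permission check honours the run-as role, while the programmatic isCallerInRole() check consults only the caller principal's own roles. The names RunAsModel, Ctx, containerAllows and report are hypothetical, and the "client" principal is a constructed sample identity.

```java
import java.util.Collections;
import java.util.Set;

// Toy model of the behaviour reported in this thread. Not JBoss code:
// Ctx, containerAllows and the sample identities are assumptions.
public class RunAsModel {

    // Identity attached to one call: the principal, its own roles, and the
    // run-as role of the calling bean (null when the caller declares none).
    static final class Ctx {
        final String principal;
        final Set<String> roles;
        final String runAs;
        Ctx(String principal, Set<String> roles, String runAs) {
            this.principal = principal; this.roles = roles; this.runAs = runAs;
        }
    }

    // Declarative layer: method-permission check done before the bean runs.
    // required == null models <unchecked/>.
    static boolean containerAllows(Ctx c, Set<String> required) {
        if (required == null) return true;
        if (c.runAs != null && required.contains(c.runAs)) return true;
        return !Collections.disjoint(c.roles, required);
    }

    // Application component: the programmatic check sees only the
    // principal's own roles, never the run-as role.
    static boolean isCallerInRole(Ctx c, String role) {
        return c.roles.contains(role);
    }

    static void report(String label, Ctx c, Set<String> required) {
        System.out.println(label + ": principal=" + c.principal
            + " containerAllows=" + containerAllows(c, required)
            + " isCallerInRole(Manager)=" + isCallerInRole(c, "Manager"));
    }

    public static void main(String[] args) {
        Set<String> managerOnly = Collections.singleton("Manager");
        Set<String> none = Collections.emptySet();
        // MBean Timer -> bean1: unauthenticated "nobody", bean1 is unchecked.
        report("timer -> bean1", new Ctx("nobody", none, null), null);
        // bean1 -> bean2: still "nobody", now carrying bean1's run-as role.
        report("bean1 -> bean2", new Ctx("nobody", none, "Manager"), managerOnly);
        // JAAS-authenticated client -> bean2: the role belongs to the principal.
        report("client -> bean2", new Ctx("client", managerOnly, null), managerOnly);
    }
}
```

Only the middle case shows the split the thread is about: the declarative check admits the call into bean2, yet the programmatic check inside bean2 reports no Manager role.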
