default-subject does not work with EJB security
-----------------------------------------------
Key: GERONIMO-4367
URL: https://issues.apache.org/jira/browse/GERONIMO-4367
Project: Geronimo
Issue Type: Bug
Security Level: public (Regular issues)
Components: security
Affects Versions: 2.1.3, 2.2
Reporter: Vamsavardhana Reddy
Fix For: 2.2
The default-subject does not seem to work with EJB security. I have verified
this in the following scenario:
I have a stateless bean BankBean1 as given below:
    import java.util.HashMap;
    import java.util.Map;
    import javax.annotation.security.DeclareRoles;
    import javax.annotation.security.RolesAllowed;
    import javax.ejb.Stateless;

    // The Bank business interface is not shown in the report.
    @Stateless
    @DeclareRoles(value = {"bank", "customer"})
    public class BankBean1 implements Bank {

        // Account balances keyed by account number (read by getBalance()).
        private final Map<Integer, Double> data = new HashMap<Integer, Double>();

        // Either role may read a balance.
        @RolesAllowed({"customer", "bank"})
        public Double getBalance(Integer account) {
            return data.get(account);
        }

        // Only the "bank" role may credit an account.
        @RolesAllowed({"bank"})
        public Double creditAccount(Integer account, Double amt) {
            // ... body elided in the original report
            Double value = null; // placeholder so the elided method compiles
            return value;
        }

        // Only the "bank" role may debit an account.
        @RolesAllowed({"bank"})
        public Double debitAccount(Integer account, Double amt) {
            // ... body elided in the original report
            Double value = null; // placeholder so the elided method compiles
            return value;
        }
    }
I have a second stateless bean BankBean2 that has a reference injected to
BankBean1 and uses @RunAs as given below:
    import javax.annotation.security.DeclareRoles;
    import javax.annotation.security.RunAs;
    import javax.ejb.EJB;
    import javax.ejb.Stateless;

    // The Bank2 business interface is not shown in the report.
    @Stateless
    @DeclareRoles(value = {"bank", "customer"})
    @RunAs(value = "bank") // every call made from this bean runs in the "bank" role
    public class BankBean2 implements Bank2 {

        @EJB
        private Bank bank; // BankBean1 gets injected here.

        // No @RolesAllowed here: the methods are open to any caller, and the
        // delegated calls to BankBean1 rely on @RunAs("bank") to pass its checks.
        public Double getBalance(Integer account) {
            return bank.getBalance(account);
        }

        public Double creditAccount(Integer account, Double amt) {
            return bank.creditAccount(account, amt);
        }

        public Double debitAccount(Integer account, Double amt) {
            return bank.debitAccount(account, amt);
        }
    }
In the security mapping in openejb-jar.xml, if I specify a run-as-subject for
the "bank" role, BankBean2 is able to invoke BankBean1 as per that run-as-subject
specified. But if I don't specify a run-as-subject and only use a
default-subject, BankBean2 is unable to invoke BankBean1 as per the
default-subject specified.
Also see
http://www.nabble.com/How-is-the-default-subject-used-in-EJB-security--td20021936s134.html#a20021936
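The openejb-jar.xml security mapping behind the two cases the report compares, as an added illustration that is not from the report or the Geronimo project: the default-subject-only form the report says fails, with the role-specific run-as-subject that the report says works left commented out. The realm name "bank-realm", the id "teller" and the surrounding openejb-jar element are assumed; the security-2.0 namespace and element names are the Geronimo 2.x ones.

```xml
<!-- Added illustration; realm, id and principal names are placeholders. -->
<openejb-jar xmlns="http://openejb.apache.org/xml/ns/openejb-jar-2.2">

  <security xmlns="http://geronimo.apache.org/xml/ns/security-2.0">

    <!-- Subject the container falls back to when a role has no run-as-subject
         of its own. Per the report, BankBean2's @RunAs("bank") calls into
         BankBean1 are NOT made as this subject, so the @RolesAllowed("bank")
         checks on creditAccount/debitAccount fail. -->
    <default-subject>
      <realm>bank-realm</realm>
      <id>teller</id>
    </default-subject>

    <role-mappings>
      <role role-name="bank">
        <!-- Working configuration from the report: a run-as-subject bound to
             the "bank" role. Uncomment to make BankBean2's delegated calls
             reach BankBean1 as this subject. -->
        <!--
        <run-as-subject>
          <realm>bank-realm</realm>
          <id>teller</id>
        </run-as-subject>
        -->
        <principal class="org.apache.geronimo.security.realm.providers.GeronimoGroupPrincipal"
                   name="bank"/>
      </role>
      <role role-name="customer">
        <principal class="org.apache.geronimo.security.realm.providers.GeronimoGroupPrincipal"
                   name="customer"/>
      </role>
    </role-mappings>

  </security>

</openejb-jar>
```

Whichever form is used, the id named in the subject is the identity BankBean1 will see for all credit and debit calls routed through BankBean2, so it should be granted only the "bank" role and nothing wider.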