default-subject does not work with EJB security
-----------------------------------------------

Key: GERONIMO-4367
URL: https://issues.apache.org/jira/browse/GERONIMO-4367
Project: Geronimo
Issue Type: Bug
Security Level: public (Regular issues)
Components: security
Affects Versions: 2.1.3, 2.2
Reporter: Vamsavardhana Reddy
Fix For: 2.2

The default-subject does not seem to work with EJB security. I have verified this in the following scenario:

I have a stateless bean BankBean1 as given below:

    import java.util.HashMap;
    import java.util.Map;
    import javax.annotation.security.DeclareRoles;
    import javax.annotation.security.RolesAllowed;
    import javax.ejb.Stateless;

    @Stateless
    @DeclareRoles(value = {"bank", "customer"})
    public class BankBean1 implements Bank {

        // Account balances keyed by account number. The backing store is not
        // shown in the report; an in-memory Map is assumed here.
        private final Map<Integer, Double> data = new HashMap<Integer, Double>();

        // Both roles may read a balance.
        @RolesAllowed({"customer", "bank"})
        public Double getBalance(Integer account) {
            return data.get(account);
        }

        // Only the "bank" role may move money.
        @RolesAllowed({"bank"})
        public Double creditAccount(Integer account, Double amt) {
            ...
            return value;
        }

        @RolesAllowed({"bank"})
        public Double debitAccount(Integer account, Double amt) {
            ...
            return value;
        }
    }

I have a second stateless bean BankBean2 that has a reference injected to BankBean1 and uses @RunAs as given below:

    import javax.annotation.security.DeclareRoles;
    import javax.annotation.security.RunAs;
    import javax.ejb.EJB;
    import javax.ejb.Stateless;

    @Stateless
    @DeclareRoles(value = {"bank", "customer"})
    @RunAs(value = "bank")   // every outbound call from this bean should carry the "bank" role
    public class BankBean2 implements Bank2 {

        @EJB
        private Bank bank; // BankBean1 gets injected here.

        public Double getBalance(Integer account) {
            return bank.getBalance(account);
        }

        public Double creditAccount(Integer account, Double amt) {
            return bank.creditAccount(account, amt);
        }

        public Double debitAccount(Integer account, Double amt) {
            return bank.debitAccount(account, amt);
        }
    }

In the security mapping in openejb-jar.xml, if I specify a run-as-subject for the "bank" role, BankBean2 is able to invoke BankBean1 as per that run-as-subject specified. But if I don't specify a run-as-subject, but only use a default-subject, BankBean2 is unable to invoke BankBean1 as per the default-subject specified.

Also see http://www.nabble.com/How-is-the-default-subject-used-in-EJB-security--td20021936s134.html#a20021936
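The openejb-jar.xml security mapping that the report contrasts, as an added example that is not part of the issue: the element names follow the Geronimo security-2.0 schema as recalled here, and the realm, id and principal names are assumed placeholders.

```xml
<!-- Constructed openejb-jar.xml fragment for the module holding BankBean1 and BankBean2. -->
<openejb-jar xmlns="http://openejb.apache.org/xml/ns/openejb-jar-2.2"
             xmlns:sec="http://geronimo.apache.org/xml/ns/security-2.0">

  <!-- environment and enterprise-beans elements omitted -->

  <sec:security>
    <!-- Subject used when no caller subject is available. The reporter expects this
         to also back @RunAs("bank") on BankBean2, but on 2.1.3/2.2 it is not applied.
         realm/id are assumed names of a credential-store entry configured elsewhere. -->
    <sec:default-subject>
      <sec:realm>bank-realm</sec:realm>
      <sec:id>bank-user</sec:id>
    </sec:default-subject>

    <sec:role-mappings>
      <sec:role role-name="bank">
        <!-- With this explicit run-as-subject the BankBean2 -> BankBean1 call is
             authorised, which is the working configuration the report describes.
             Removing this element and relying on default-subject alone reproduces
             the failure. -->
        <sec:run-as-subject>
          <sec:realm>bank-realm</sec:realm>
          <sec:id>bank-user</sec:id>
        </sec:run-as-subject>
        <sec:principal class="org.apache.geronimo.security.realm.providers.GeronimoUserPrincipal"
                       name="bank-user"/>
      </sec:role>

      <sec:role role-name="customer">
        <sec:principal class="org.apache.geronimo.security.realm.providers.GeronimoUserPrincipal"
                       name="customer-user"/>
      </sec:role>
    </sec:role-mappings>
  </sec:security>
</openejb-jar>
```

Until the fix ships, declaring a run-as-subject for every role named in a @RunAs annotation is the safe configuration, since a bean whose outbound calls silently lose the run-as identity fails closed on the callee's @RolesAllowed check.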