- Bug
- Resolution: Done
- Critical
- EJB 3.0 Beta 1
- None
- None
When @RunAs is used, the Principal returned from SessionContext.getCallerPrincipal() is "anonymous". This contradicts the EJB 2.1 spec, section 21.2.5.1, Use of getCallerPrincipal:
"Note that getCallerPrincipal returns the principal that represents the caller of the enterprise bean, not the principal that corresponds to the run-as security identity for the bean, if any."
The next page of the spec gives an example of how to use getCallerPrincipal(); that example breaks in JBoss if you apply @RunAs to the EJB method.
It looks like the problem is that SecurityAssociation.getCallerPrincipal() is simply a cut-and-paste of SecurityAssociation.getPrincipal().
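The scenario the spec section describes, as an added example (not code from the report or from JBoss): a bean restricted to the "user" role that runs as "admin" and audits the real caller. The bean name, the OrderLocal and AuditStore interfaces, and the role names are assumptions for illustration.

```java
import java.security.Principal;
import javax.annotation.Resource;
import javax.annotation.security.RolesAllowed;
import javax.annotation.security.RunAs;
import javax.ejb.EJB;
import javax.ejb.SessionContext;
import javax.ejb.Stateless;

// Hypothetical bean: callers in role "user" may invoke it; its own outbound
// calls are made under the run-as identity "admin".
@Stateless
@RolesAllowed("user")
@RunAs("admin")
public class OrderBean implements OrderLocal {

    @Resource
    private SessionContext ctx;

    // Assumed downstream bean annotated @RolesAllowed("admin"), injected by the container.
    @EJB
    private AuditStore audit;

    public String placeOrder(String item) {
        // Per EJB 2.1 section 21.2.5.1 this is the actual caller (e.g. "alice"),
        // not the run-as identity "admin". With the reported bug it is "anonymous",
        // so the audit record below would lose the real identity.
        Principal caller = ctx.getCallerPrincipal();
        String who = caller.getName();

        // Inside AuditStore, getCallerPrincipal() yields "admin": the run-as identity
        // is what this bean presents to the beans it calls, which is why the
        // @RolesAllowed("admin") check on AuditStore passes.
        audit.record(who + " ordered " + item);
        return who;
    }
}
```

A regression test for this report would log in as a "user"-role principal, call placeOrder(), and assert that the returned name is that principal rather than "anonymous".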