Details
-
Bug
-
Resolution: Obsolete
-
Major
-
8.0.0.CR1, 8.1.0.CR2
-
None
Description
3 session beans: @RunAs("printer") Printer, which calls HelperBean (no security annotations), which calls @RolesAllowed("printer") Toner. The last invocation results in
javax.ejb.EJBAccessException: JBAS014502: Invocation on method: public void org.jboss.as.test.integration.ejb.security.runas.propagation.Toner.spill() of bean: Toner is not allowed
Printer calling Toner (directly) works just fine. And if the HelperBean is a CDI managed bean, it works just fine too.
According to EJB spec, 12 Security management, 12.1 Overview:
"By default, the caller principal will be propagated as the caller identity. The Bean Provider can use the RunAs annotation to specify that a security principal that has been assigned to a specified security role be used instead. See Section 12.3.4."
12.3.4 Specification of Security Identities in the Deployment Descriptor:
"The Bean Provider or Application Assembler typically specifies whether the caller’s security identity should be used for the execution of the methods of an enterprise bean or whether a specific run-as identity should be used. By default the caller’s security identity is used."
etc.
@Stateless @RunAs("printer") @PermitAll public class Printer { @EJB HelperBean hb; public void invokeHelperBean() { hb.invokeToner(); } }
@Stateful public class HelperBean { @EJB Toner toner; public void invokeToner() { toner.spill(); } }
@Stateless @RolesAllowed("printer") public class Toner { public void spill() {} }
A bit sophisticated test available at: https://github.com/bafco/wildfly/commits/securityContext
Attachments
Issue Links
- is related to
-
CDITCK-384 Create tests for observer method invocation context
-
- Resolved
-
- relates to
-
-
- Closed
-
