I would suppose (however I am not sure here) that following method calling getCallerPrincipal() will return "student" and "notebook" (or at least student, when calling notebook's principal - in the case below) values and not "anonymous" value. From EJB spec in 12.3.4.1 Run-as:
The Deployer then assigns a security principal defined in the operational environment to be used as the
principal for the run-as identity. The security principal assigned by the Deployer should be a principal
that has been assigned to the security role specified by RunAs annotation ...
Note that I created ApplicationUsers, which maps to the roles of same name (student=student, etc. in application-roles.properties)
This could be IMHO somehow enforced. In JSR-250 2.8
javax.annotation.security.RunAs there is:
The RunAs annotation defines the role of the application during execution in a Java
EE container. It can be specified on a class. This allows developers to execute an
application under a particular role. The role MUST map to the user / group
information in the container’s security realm.
@Named @Stateless @RunAs("student") @SecurityDomain("other") @PermitAll public class Student { @Resource private SessionContext context; @EJB Notebook notebook; public String getNotebookPrincipal(){ return notebook.getCallerPrincipal(); } public String getStudentPrincipal(){ return context.getCallerPrincipal().toString(); } }
@Stateless @RunAs("notebook") @SecurityDomain("other") @RolesAllowed("student") public class Notebook { @Resource private SessionContext context; public String getCallerPrincipal(){ return context.getCallerPrincipal().toString(); }
}
- is related to
-
CDITCK-421 Tests using security annotations are not portable
-
- Resolved
-
-
-
- Closed
-
