Posted to dev@geronimo.apache.org by "David Jencks (JIRA)" <ji...@apache.org> on 2009/05/26 21:04:45 UTC

[jira] Commented: (GERONIMO-4367) default-subject does not work with EJB security

    [ https://issues.apache.org/jira/browse/GERONIMO-4367?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12713192#action_12713192 ] 

David Jencks commented on GERONIMO-4367:
----------------------------------------

I think it's not clear how an ejb default subject ought to work.  I'll try to explain my point of view.

DefaultSubject is supposed to provide an identity when there is no other source.  If you don't specify a default identity, then geronimo will assign one that has no principals.
I think the ejb default subject is only relevant when a remote ejb request comes into the server with no authenticated identity.  However all requests from a web app will have gone through the web app and it will have assigned a default identity.  Therefore by the time a request gets from a web app to an ejb, it will have an identity and the ejb default subject won't be used.

From looking at your sample app I think that this is what is happening.  If you set the default subject you want in the web app I would expect it to work.  Alternatively you could use a run-as role on the servlet.

> default-subject does not work with EJB security
> -----------------------------------------------
>
>                 Key: GERONIMO-4367
>                 URL: https://issues.apache.org/jira/browse/GERONIMO-4367
>             Project: Geronimo
>          Issue Type: Bug
>      Security Level: public(Regular issues) 
>          Components: security
>    Affects Versions: 2.1.3, 2.2
>            Reporter: Vamsavardhana Reddy
>            Assignee: David Jencks
>             Fix For: 2.2
>
>         Attachments: GERONIMO-4367-testcase.zip
>
>
> The default-subject does not seem to work with EJB security. I have verified this in the following scenario:
> I have a stateless bean BankBean1 as given below:
> @Stateless
> @DeclareRoles(value = {"bank", "customer"})
> public class BankBean1 implements Bank {
>     @RolesAllowed({"customer", "bank"})
>     public Double getBalance(Integer account) {
>         return data.get(account);
>     }
>    
>     @RolesAllowed({"bank"})
>     public Double creditAccount(Integer account, Double amt) {
>         ...
>         return value;
>     }
>     @RolesAllowed({"bank"})
>     public Double debitAccount(Integer account, Double amt) {
>         ...
>         return value;
>     }
> }
> I have a second stateless bean BankBean2 that has a reference injected to BankBean1 and uses @RunAs as given below:
> @Stateless
> @DeclareRoles(value = {"bank", "customer"})
> @RunAs(value = "bank")
> public class BankBean2 implements Bank2 {
>    
>     @EJB
>     private Bank bank; // BankBean1 gets injected here.
>     public Double getBalance(Integer account) {
>         return bank.getBalance(account);
>     }
>    
>     public Double creditAccount(Integer account, Double amt) {
>         return bank.creditAccount(account, amt);
>     }
>     public Double debitAccount(Integer account, Double amt) {
>         return bank.debitAccount(account, amt);
>     }
> }
> In the security mapping in openejb-jar.xml, if I specify a run-as-subject for "bank" role, BankBean2 is able to invoke BankBean1 as per that run-as-subject specified.  But if I don't specify a run-as-subject, but only use a default-subject, BankBean2 is unable to invoke BankBean1 as per the default-subject specified.
> Also see http://www.nabble.com/How-is-the-default-subject-used-in-EJB-security--td20021936s134.html#a20021936
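One way to apply the suggestion in the comment above, as an added example that is not part of this thread and not Geronimo's own documentation: a geronimo-web.xml security section that gives the web app the default subject the reporter wanted the EJB to use, beside the openejb-jar.xml role mapping for the bean. The realm and id values are constructed placeholders, and the exact element layout is assumed from the security-2.0 namespace used by Geronimo 2.1/2.2 deployment plans.

```xml
<!-- geronimo-web.xml fragment (constructed example). The web app is where an
     unauthenticated request first receives an identity, so the default subject
     belongs here; an EJB default-subject is only consulted for remote EJB calls
     that arrive with no identity at all. -->
<web-app xmlns="http://geronimo.apache.org/xml/ns/j2ee/web-2.0.1"
         xmlns:sec="http://geronimo.apache.org/xml/ns/security-2.0">
  <sec:security>
    <!-- Subject assigned to requests that carry no authenticated identity.
         realm/id are placeholders for an entry in the server credential store. -->
    <sec:default-subject>
      <sec:realm>credential-store-realm</sec:realm>
      <sec:id>customer-subject</sec:id>
    </sec:default-subject>
    <!-- Map the application roles used by @RolesAllowed to realm principals. -->
    <sec:role-mappings>
      <sec:role role-name="customer">
        <sec:principal class="org.apache.geronimo.security.realm.providers.GeronimoGroupPrincipal"
                       name="customers"/>
      </sec:role>
      <sec:role role-name="bank">
        <sec:principal class="org.apache.geronimo.security.realm.providers.GeronimoGroupPrincipal"
                       name="tellers"/>
      </sec:role>
    </sec:role-mappings>
  </sec:security>
</web-app>

<!-- openejb-jar.xml fragment (constructed example) for BankBean1/BankBean2.
     Only the role mapping is needed once the web tier supplies the identity;
     a default-subject here would not be reached for calls coming via the web app. -->
<openejb-jar xmlns="http://openejb.apache.org/xml/ns/openejb-jar-2.2"
             xmlns:sec="http://geronimo.apache.org/xml/ns/security-2.0">
  <sec:security>
    <sec:role-mappings>
      <sec:role role-name="customer">
        <sec:principal class="org.apache.geronimo.security.realm.providers.GeronimoGroupPrincipal"
                       name="customers"/>
      </sec:role>
      <sec:role role-name="bank">
        <sec:principal class="org.apache.geronimo.security.realm.providers.GeronimoGroupPrincipal"
                       name="tellers"/>
      </sec:role>
    </sec:role-mappings>
  </sec:security>
</openejb-jar>
```

Keep the default subject's principals minimal: whatever group it maps to becomes the identity of every unauthenticated request, so mapping it to "customer" rather than "bank" limits what an anonymous caller can reach.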
