Posted to dev@tomee.apache.org by Thiago Veronezi <th...@veronezi.org> on 2011/02/07 21:05:22 UTC

async method invocation and the "CallerPrincipal"

Hi devs!
I'm trying to reproduce the issue reported here:
http://openejb.979440.n4.nabble.com/3-4-SNAPSHOT-EjbObjectProxyHandler-FutureAdapter-is-not-Serializable-td3259083.html

To do it, I've changed one function of my current project: from
"uploadFilePart" method to "asyncUploadFilePart". Now I'm facing a problem
with the business logic. When my "async method" calls the "getMyFile"
method, the caller principal is "guest". I've run the ejb.3.1.spec document,
but I didn't find what's the expected behaviour here.

The question is: Should the "callerPrincipal" be the original caller, or
should it be the "guest" user for async method invocations?

******************************************************************************************************
@Override
public File getMyFile(Long uid) {
    final FileEAO fileeao = eaoBuilder.getInstance(FileEAO.class);
    final File file = fileeao.findByUid(uid);
    if (file == null) {
        return file;
    }

    // Ownership check: the caller's principal name must match the file owner's account.
    final String user = sctx.getCallerPrincipal().getName();
    if (!user.equals(file.getUser().getAccount())) {
        throw new SystemException("The user " + user + " is not the owner of this file");
    }
    return file;
}

@Override
@Asynchronous
public Future<Long> asyncUploadFilePart(long fileUid, int sequence, byte[] part, int size) {
    final FileEAO fileeao = eaoBuilder.getInstance(FileEAO.class);
    // getMyFile runs inside the async invocation, so it sees that invocation's caller principal.
    final File file = getMyFile(fileUid);
    final Long partUid = fileeao.savePart(file, sequence, part, size);
    return new AsyncResult<Long>(partUid);
}
******************************************************************************************************

[]s,
Thiago.

Re: async method invocation and the "CallerPrincipal"

Posted by David Blevins <da...@visi.com>.
On Feb 7, 2011, at 12:05 PM, Thiago Veronezi wrote:

> Hi devs!
> I'm trying to reproduce the issue reported here:
> http://openejb.979440.n4.nabble.com/3-4-SNAPSHOT-EjbObjectProxyHandler-FutureAdapter-is-not-Serializable-td3259083.html
> 
> To do it, I've changed one function of my current project: from
> "uploadFilePart" method to "asyncUploadFilePart". Now I'm facing a problem
> with the business logic. When my "async method" calls the "getMyFile"
> method, the caller principal is "guest". I've run the ejb.3.1.spec document,
> but I didn't find what's the expected behaviour here.
> 
> The question is: Should the "callerPrincipal" be the original caller, or
> should it be the "guest" user for async method invocations?

Transaction and security state don't propagate to async methods, so guest is correct.  It is possible to use the @RunAs on the async method to hard code it to run as a specific role, however.

On a slightly different angle, I think it should still be possible to use @RolesAllowed on an async method and get the security check done before the async method is queued.  I'm not sure what our current behavior is in that regard, but it would be optimal.  Don't think it's required by the spec -- certainly if we don't do it now, the TCK doesn't check for it.


Thanks for working on this!

-David
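
Added example, not part of the original thread and not OpenEJB code: a plain-Java model of the behaviour reported above, where an ownership check in the style of getMyFile reads the caller on the worker thread and sees "guest", beside a variant that reads the caller and runs the check before the work is queued. The thread-local `CALLER`, the `OWNERS` map and the method names are assumptions made for illustration; no EJB container is involved.

```java
import java.util.Map;
import java.util.concurrent.*;

public class AsyncCallerDemo {
    // Constructed model: caller identity is bound to the invoking thread, default "guest".
    static final ThreadLocal<String> CALLER = ThreadLocal.withInitial(() -> "guest");
    // Constructed sample data: file uid -> owning account.
    static final Map<Long, String> OWNERS = Map.of(1L, "thiago");
    static final ExecutorService POOL = Executors.newSingleThreadExecutor();

    // Ownership check in the style of getMyFile, with the caller passed in explicitly.
    static long checkOwner(long fileUid, String caller) {
        String owner = OWNERS.get(fileUid);
        if (owner == null || !owner.equals(caller)) {
            throw new SecurityException("The user " + caller + " is not the owner of this file");
        }
        return fileUid;
    }

    // The check runs on the pool thread and reads the thread-bound identity there,
    // so it evaluates the default identity instead of the original caller.
    static Future<Long> uploadReadingIdentityInWorker(long fileUid) {
        return POOL.submit(() -> checkOwner(fileUid, CALLER.get()));
    }

    // The identity is read on the calling thread and the check is done before queuing;
    // a failed check throws here and nothing is handed to the pool.
    static Future<Long> uploadCheckingBeforeQueue(long fileUid) {
        final String caller = CALLER.get();
        checkOwner(fileUid, caller);
        return POOL.submit(() -> fileUid); // stand-in for the real savePart(...) work
    }

    public static void main(String[] args) throws Exception {
        CALLER.set("thiago"); // authenticated caller on the request thread
        try {
            uploadReadingIdentityInWorker(1L).get();
        } catch (ExecutionException e) {
            System.out.println("worker-side check: " + e.getCause().getMessage());
        }
        System.out.println("caller-side check: stored part for file "
                + uploadCheckingBeforeQueue(1L).get());
        POOL.shutdown();
    }
}
```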