On Oct 16, 2008, at 1:14 PM, Vamsavardhana Reddy wrote:
I have a stateless bean BankBean1 as given below:

    @Stateless
    @DeclareRoles(value = {"bank", "customer"})
    public class BankBean1 implements Bank {

        @RolesAllowed({"customer", "bank"})
        public Double getBalance(Integer account) {
            return data.get(account);
        }

        @RolesAllowed({"bank"})
        public Double creditAccount(Integer account, Double amt) {
            ...
            return value;
        }

        @RolesAllowed({"bank"})
        public Double debitAccount(Integer account, Double amt) {
            ...
            return value;
        }
    }

I have a second stateless bean BankBean2 that has a reference injected to BankBean1 and uses @RunAs as given below:

    @Stateless
    @DeclareRoles(value = {"bank", "customer"})
    @RunAs(value = "bank")
    public class BankBean2 implements Bank2 {

        @EJB
        private Bank bank; // BankBean1 gets injected here.

        public Double getBalance(Integer account) {
            return bank.getBalance(account);
        }

        public Double creditAccount(Integer account, Double amt) {
            return bank.creditAccount(account, amt);
        }

        public Double debitAccount(Integer account, Double amt) {
            return bank.debitAccount(account, amt);
        }
    }

In the security mapping in openejb-jar.xml, if I specify a run-as-subject for the "bank" role, BankBean2 is able to invoke BankBean1 as per that run-as-subject specified. But if I don't specify a run-as-subject, but only use a default-subject, BankBean2 is unable to invoke BankBean1 as per the default-subject specified. I guess the default-subject is being ignored. This is not the case with run-as-subject and default-subject used in geronimo-web.xml. In the absence of run-as-subject I notice that default-subject is used. I am wondering how the default-subject is used in ejb security.
What is the default-subject you have specified? I'd expect it would be used if no run-as subject is specified for the role. If you are trying to tell us that you have specified a default subject with a principal that maps to the "bank" role and you still can't access the BankBean1 then I think you've found a bug.... jira time :-)
Note that our security system requires some extra configuration for the run-as role to actually work, you need to specify a subject corresponding to the run-as role. You are expected to assure that some principal in this subject actually maps to the run-as role but this is not enforced.
thanks david jencks
++Vamsi
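The extra configuration described in the reply above, as an added example that is not from this thread: an openejb-jar.xml security section that declares a default-subject and also gives the "bank" role an explicit run-as-subject, which is the subject BankBean2's @RunAs("bank") calls will carry into BankBean1. Element names follow the Geronimo security-2.0 deployment-plan schema as I recall it and should be checked against the schema shipped with the server; the realm names, ids and the group name are constructed placeholders.

```xml
<!-- Constructed example: security section of an openejb-jar.xml deployment plan.
     The sec: prefix is assumed to be bound to http://geronimo.apache.org/xml/ns/security-2.0
     on the enclosing <openejb-jar> element. -->
<sec:security>

  <!-- Subject used for callers that present no credentials. As observed in the
       thread, this is NOT what a @RunAs bean uses when calling another EJB. -->
  <sec:default-subject>
    <sec:realm>example-realm</sec:realm>   <!-- placeholder realm name -->
    <sec:id>anonymous-user</sec:id>        <!-- placeholder credential-store id -->
  </sec:default-subject>

  <sec:role-mappings>

    <sec:role role-name="bank">
      <!-- Explicit run-as subject for the "bank" role. Without this element the
           @RunAs("bank") call from BankBean2 fails, even if default-subject is set. -->
      <sec:run-as-subject>
        <sec:realm>example-realm</sec:realm>   <!-- placeholder -->
        <sec:id>bank-service-user</sec:id>     <!-- placeholder; must exist in the credential store -->
      </sec:run-as-subject>

      <!-- Principal-to-role mapping. The container does not check that the
           run-as subject above actually carries a principal that maps to "bank";
           keep the group name here and the subject's group membership in sync. -->
      <sec:principal
          class="org.apache.geronimo.security.realm.providers.GeronimoGroupPrincipal"
          name="bank-group"/>   <!-- placeholder group name -->
    </sec:role>

    <sec:role role-name="customer">
      <!-- Ordinary callers: no run-as-subject, just the principal mapping. -->
      <sec:principal
          class="org.apache.geronimo.security.realm.providers.GeronimoGroupPrincipal"
          name="customer-group"/>   <!-- placeholder group name -->
    </sec:role>

  </sec:role-mappings>
</sec:security>
```

The realm/id pairs are resolved through the server's credential store, so the ids above must be defined there for deployment to succeed.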
