Currently the org.jboss.ejb.EnterpriseContext.EJBContextImpl is not
enforcing that it must be called from within a security context and that
it never returns null. If there is no realmMapping this method should be
throwing an IllegalStateException. Never returning null should be the
responsibility of the RealmMapping implementation. Can I add the
throw of the IllegalStateException to the current implementation?
Current getCallerPrincipal implementation:
public Principal getCallerPrincipal()
{
if (beanPrincipal == null && principal != null) {
if (con.getRealmMapping() == null) {
beanPrincipal = principal;
} else {
beanPrincipal = con.getRealmMapping().getPrincipal(principal);
}
}
return beanPrincipal;
}
Spec info:
<ejb 1.1 spec>
6.6.1 Operations allowed in the methods of a stateful
session bean class
...
Page 61,
Invoking the getCallerPrincipal and isCallerInRole
methods is disallowed in the session bean methods for
which the Container does not have a client security context.
...
15.6.5 Security methods in javax.ejbEJBContext
The EJB Container must provide access to the caller's
security context information from the enterprise
beans' instances via the getCallerPrincipal() and
isCallerInRole(String role-Name) methods. The EJB
Container must provide this context information during
the execution of a business method invoked via the
enterprise bean's remote or home interface, as defined
in Table 2 on page 60, Table 3 on page 70, and Table 4
on page 111.
The Container must ensure that all enterprise bean method
invocations received through the home and remote interface
are associated with some principal. The Container must
never return a null from the getCallerPrincipal() method.
</ejb 1.1 spec>
