I researched this a little more. My example above is actually wrong. I tried to simplify my actual problem, and simplified it too far.
According to EJB 3.0 Section 17.2.5.2:

anonymous wrote :
  | Note that isCallerInRole(String roleName) tests the principal that represents the
  | caller of the enterprise bean, not the principal that corresponds to the run-as security identity
  | for the bean, if any.

So my above example will never print true in a compliant container. However my real problem is actually the more complex example (properly using RunAs):

  | import javax.annotation.Resource;
  | import javax.annotation.security.RunAs;
  | import javax.ejb.*;
  | import javax.naming.InitialContext;
  | import javax.naming.NamingException;
  |
  | public interface CalleeSessionBean {
  |     public void execute();
  | }
  |
  | @Stateless
  | @TransactionManagement(TransactionManagementType.CONTAINER)
  | @Remote(CalleeSessionBean.class)
  | @Local(CalleeSessionBean.class)
  | public class CalleeSessionBeanImpl implements CalleeSessionBean {
  |     @Resource
  |     private SessionContext context;
  |
  |     public void execute() {
  |         // Reports the identity the container presents to the callee
  |         System.out.println("CallerPrincipal: " + context.getCallerPrincipal().getName());
  |         System.out.println("CallerInRole(testRole): " + context.isCallerInRole("CallerRole"));
  |     }
  | }
  |
  | public interface CallerSessionBean {
  |     public void execute();
  | }
  |
  | @Stateless
  | @TransactionManagement(TransactionManagementType.CONTAINER)
  | @Remote(CallerSessionBean.class)
  | @Local(CallerSessionBean.class)
  | @RunAs("CallerRole")
  | public class CallerSessionBeanImpl implements CallerSessionBean {
  |     @Resource
  |     private SessionContext context;
  |
  |     public void execute() {
  |         try {
  |             InitialContext initialContext = new InitialContext();
  |             // lookup() returns Object, so the result must be cast
  |             CalleeSessionBean callee = (CalleeSessionBean) initialContext.lookup("CalleeSessionBean/local");
  |             callee.execute();
  |         } catch (NamingException e) {
  |             throw new EJBException(e);
  |         }
  |     }
  | }

In this case, the Callee still prints false, despite the fact it should have acquired the RunAs CallerRole. I traced through the code and the problem is due to https://jira.jboss.org/jira/browse/EJBTHREE-741, a defect in the RunAsSecurityInterceptor. Even though the issue claims it was applied to AS 4.2.0, it does not appear to be. It is however applied to the 5.0.0+ branches.
Bottom Line: the answer to my own question is: The @RunAs EJB 3.0 annotation is broken in the 4.2.x branches, but does work correctly in the 5.x branches.
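The rule quoted from Section 17.2.5.2 and the caller/callee pair in the post, modelled in plain Java (16+) as an added example; it is not part of the original post and not JBoss code. The class name RunAsModel, the principals alice and run-as-principal and the role UserRole are made up for illustration, and the model covers only the behaviour the spec describes, not the EJBTHREE-741 defect.

```java
import java.util.ArrayDeque;
import java.util.Deque;
import java.util.Set;
import java.util.function.Function;

/** Toy model (assumption: not container code) of caller vs. run-as identity. */
public class RunAsModel {
    /** A security identity: principal name plus the roles it holds. */
    record Identity(String principal, Set<String> roles) {}

    // Top of the stack is the identity that invoked the bean method now running.
    private final Deque<Identity> callers = new ArrayDeque<>();

    /** What isCallerInRole answers inside the running bean method. */
    boolean isCallerInRole(String role) {
        return callers.peek().roles().contains(role);
    }

    /**
     * Runs a bean method on behalf of 'caller'. A run-as role does not change
     * what the bean itself sees; it only replaces the identity attached to the
     * calls the bean makes to other beans ('outgoing').
     */
    boolean invoke(Identity caller, String runAsRole, Function<Identity, Boolean> method) {
        callers.push(caller);
        try {
            Identity outgoing = (runAsRole == null)
                    ? caller
                    : new Identity("run-as-principal", Set.of(runAsRole)); // constructed name
            return method.apply(outgoing);
        } finally {
            callers.pop(); // restore the previous caller when the method returns
        }
    }

    public static void main(String[] args) {
        RunAsModel container = new RunAsModel();
        Identity client = new Identity("alice", Set.of("UserRole")); // constructed sample
        // Caller bean carries @RunAs("CallerRole"); the callee declares no run-as.
        boolean inCallee = container.invoke(client, "CallerRole", outgoing -> {
            System.out.println("inside @RunAs bean: " + container.isCallerInRole("CallerRole"));
            return container.invoke(outgoing, null,
                    unused -> container.isCallerInRole("CallerRole"));
        });
        System.out.println("inside callee bean: " + inCallee);
    }
}
```

Run as written, it prints false for the check made inside the @RunAs bean and true for the check made inside the callee.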