My application has an ejb 2.1 timer, which triggers some work. The work must be done using the same principal that requested the work. So, I start the timer with an info object that contains the principal's login and password. When the timer expires, I try to authenticate using principal data from the info object, and run the task. I understand that it is not possible to change principal during execution of a business method, so I use the same code that I use on the client to authenticate, create a new bean and run it's methods, thus making the ejbTimeout method a client to the container. Here is the code:
| public void ejbTimeout(Timer timer) { | final OptInfo info = (OptInfo)timer.getInfo(); | try { | Properties p = new Properties(); | p.put(Context.INITIAL_CONTEXT_FACTORY, "org.jboss.security.jndi.LoginInitialContextFactory"); | p.put(Context.URL_PKG_PREFIXES, "org.jboss.naming:org.jnp.interfaces"); | p.put(Context.PROVIDER_URL, "jnp://localhost:1099"); | p.put(Context.SECURITY_PRINCIPAL, info.user.username); | p.put(Context.SECURITY_CREDENTIALS, info.user.password); | p.put(Context.SECURITY_PROTOCOL, "client-login"); | | InitialContext ctx = new InitialContext(p); | Object home = ctx.lookup(WalkOptimizerHome.JNDI_NAME); | | WalkOptimizerHome optimizerHome = (WalkOptimizerHome)PortableRemoteObject.narrow(home, WalkOptimizerHome.class); | WalkOptimizer optimizer = optimizerHome.create(); | | optimizer.runOptimization(info); | } catch (NamingException e) { | Category.getInstance("WalkOptimizer").error("login failed (naming): " + e.getMessage()); | (remote): " + e.getMessage()); | } catch (CreateException e) { | Category.getInstance("WalkOptimizer").error("login failed (create): " + e.getMessage()); | } catch (SessionException e) { | Category.getInstance("WalkOptimizer").error("login failed (session): " + e.getMessage()); | } | } | Notice that I don't use the default InitialContext with properties supplied from the container, but force properties that would make the lookup be executed over the network. I also use the WalkOptimizer bean over the remote home and interface, hoping to hide the fact that these calls come from within the container. However, every time I get this in the log: | 2005-05-09 12:55:25,803 ERROR [WalkOptimizer] login failed (remote): SecurityException; nested exception is: | java.lang.SecurityException: Insufficient method permissions, runAsPrincipal=ejbTimeout, method=create, interface=HOME, requiredRoles=[admin], runAsRoles=[ejbTimeout] | I understand this means that the create call was made over the network (interface=HOME not LOCALHOME), but JBoss still communicated the current principal (ejbTimeout) behind my back, no matter what I specify in the InitialContext properties. My core intention to postpone some work, but the work must still be executed by a principal that represents a logged-in user. Maybe this is a completely wrong approach - in this case please don't bother with my code, but point me in the correct direction. I have carefully studied posts with similar titles, and all I see is some static security configuration that will make ejbTimeout or onMessage execute as some static principal, but this is not what I need. View the original post : http://www.jboss.org/index.html?module=bb&op=viewtopic&p=3876975#3876975 Reply to the post : http://www.jboss.org/index.html?module=bb&op=posting&mode=reply&p=3876975 ------------------------------------------------------- This SF.Net email is sponsored by: NEC IT Guy Games. Get your fingers limbered up and give it your best shot. 4 great events, 4 opportunities to win big! Highest score wins.NEC IT Guy Games. Play to win an NEC 61 plasma display. Visit http://www.necitguy.com/?r=20 _______________________________________________ JBoss-user mailing list JBoss-user@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/jboss-user