OK, I've found a solution. In the case of the call to the EJB from the MBean, I added a 
SecurityAssociation.pushRunAsIdentity(new RunAsIdentity("System", "System")) 
and a corresponding pop around the operation.

In the case where I called from the web layer it turned out that I first call a 
SLSB, which calls a method on an entity which tries to create another entity. 
At that point the principal had been lost. I'm not sure why it didn't pick up 
unauthenticated-principal at that point.

The solution for that was to add 
<security-identity><use-caller-identity /></security-identity> to all beans in 
ejb-jar.xml. There seems to be a bug there: according to 
http://www.redhat.com/docs/manuals/jboss/jboss-eap-4.2/doc/Server_Configuration_Guide/J2EE_Declarative_Security_Overview-Security_Identity.html
it should be the default to use the caller identity when no explicit 
security-identity is present.

It seems the bug is in org.jboss.ejb.plugins.SecurityInterceptor#setContainer. 
I've filed a bug report in JIRA at https://jira.jboss.org/jira/browse/JBAS-7405

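The push/pop around the operation described in the post, written as an added example that is not part of the original post or of JBoss itself. The RunAsSystem class and its call helper are hypothetical names, and the code assumes the JBoss AS 4.x org.jboss.security classes are on the classpath.

```java
import java.util.concurrent.Callable;

import org.jboss.security.RunAsIdentity;
import org.jboss.security.SecurityAssociation;

/**
 * Hypothetical helper (not from the post): runs one operation under the
 * "System" run-as identity and always restores the previous state.
 */
public final class RunAsSystem {

    private RunAsSystem() {
        // static helper, no instances
    }

    public static <T> T call(Callable<T> operation) throws Exception {
        // Same identity as in the post: role "System", principal "System".
        SecurityAssociation.pushRunAsIdentity(new RunAsIdentity("System", "System"));
        try {
            // EJB invocations made inside operation.call() see the pushed
            // run-as identity on the calling thread.
            return operation.call();
        } finally {
            // The run-as stack is kept per thread. Popping in finally keeps a
            // pooled thread from carrying the elevated identity into unrelated
            // work when the operation throws.
            SecurityAssociation.popRunAsIdentity();
        }
    }
}
```

An MBean operation would wrap only the EJB call itself in RunAsSystem.call(...), so the elevated identity covers as little code as possible.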