Hello list,

how can an MDB, or more generally an unsecured EJB, be set up to authenticate when invoking another secured (only users with a specific role may invoke) EJB?
I think impersonation is the right technique and thought EJB supports it with the run-as statement.

I've taken a look into the JBoss SecurityInterceptor and learned that run-as roles are additive to the roles a caller already has.
The EJB spec states that such a role is invisible to the bean with the run-as role setting, but for beans called from this bean the caller has the run-as role additionally. But what happens (as in the case of MDBs) if there is no (authenticated) caller whatsoever?
Somewhere I've read (maybe in the EJB spec) that a container facing a run-as role takes one of the users with this role as principal.
WebLogic has an appserver-specific setting "run-as-principal-name" (XDoclet tag: @weblogic.run-as-identity-principal) that allows choosing a user with the run-as role manually if there are several.

In experiments with JBoss 3.2.1 I couldn't get a behaviour that meets my expectations: shouldn't the setting of a run-as role (that is the condition for being able to invoke methods on another bean) be enough, since all J2EE security settings are role-based!? But SecurityInterceptor already throws an exception if there is no user identity supplied and doesn't seem to set the principal to one of the users with that role.

Can somebody clear up some things? Thanks for suggestions.

I've only found the following article, showing some expendable workarounds for such a problem:
http://www.luminis.nl/publications/websecurity.html

Anyway, in appreciation of JBoss' mightfulness,
S. Pohl
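As an added illustration of the setup the message describes (not code from the original post), here is a plain EJB 2.0 ejb-jar.xml in which an MDB declares a run-as role and calls a session bean whose methods are restricted to that role; the bean names, classes, destination and the "Admin" role are hypothetical.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE ejb-jar PUBLIC "-//Sun Microsystems, Inc.//DTD Enterprise JavaBeans 2.0//EN"
  "http://java.sun.com/dtd/ejb-jar_2_0.dtd">
<ejb-jar>
  <enterprise-beans>
    <!-- Unsecured MDB: no authenticated caller exists when onMessage() runs
         (names below are hypothetical) -->
    <message-driven>
      <ejb-name>OrderListenerMDB</ejb-name>
      <ejb-class>example.OrderListenerBean</ejb-class>
      <transaction-type>Container</transaction-type>
      <message-driven-destination>
        <destination-type>javax.jms.Queue</destination-type>
      </message-driven-destination>
      <!-- run-as: calls made FROM this bean carry the Admin role in addition
           to whatever roles the (here: absent) caller had -->
      <security-identity>
        <run-as>
          <role-name>Admin</role-name>
        </run-as>
      </security-identity>
    </message-driven>

    <!-- Secured session bean: only callers in the Admin role may invoke it -->
    <session>
      <ejb-name>OrderProcessor</ejb-name>
      <home>example.OrderProcessorHome</home>
      <remote>example.OrderProcessor</remote>
      <ejb-class>example.OrderProcessorBean</ejb-class>
      <session-type>Stateless</session-type>
      <transaction-type>Container</transaction-type>
    </session>
  </enterprise-beans>

  <assembly-descriptor>
    <security-role>
      <role-name>Admin</role-name>
    </security-role>
    <!-- Role-based permission on the target bean; the MDB satisfies it
         through its run-as role, not through an authenticated principal -->
    <method-permission>
      <role-name>Admin</role-name>
      <method>
        <ejb-name>OrderProcessor</ejb-name>
        <method-name>*</method-name>
      </method>
    </method-permission>
  </assembly-descriptor>
</ejb-jar>
```

The portable descriptor only names the role; which principal the container attaches to the run-as identity when there is no authenticated caller is container-specific, and JBoss's jboss.xml has a vendor `run-as-principal` element for exactly that (which JBoss release first shipped it is an assumption here, not something the message above establishes).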



_______________________________________________
JBoss-user mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/jboss-user