4 Replies Latest reply on May 14, 2009 12:15 PM by ezs

    @RunAs doesn't work for @Service beans

      The behavior of security domains on @Service beans has changed from 4.2 to 5.0.1. @RunAs no longer works. This seems to make it impossible for a @Service to call a secured bean.

      Take two @Services, one ClientService and one ServerService. Here's the ServerService; note that it requires the "admin" role:

      @Service(objectName="test:service=Server")
      @SecurityDomain("foo")
      @RolesAllowed("admin")
      public class ServerService implements ServerManagement, Server
      {
          public void serve() {...}
      }
      


      The client tries to call the server:

      @Service(objectName="test:service=Client")
      @SecurityDomain("foo")
      @RunAs("admin")
      public class ClientService implements ClientManagement
      {
          @EJB Server server;

          public void start() { server.serve(); }
      }
      


      This generates exceptions "No security context set". Alternatively, if the Server is a stateless session EJB, the exception is "Caller unauthorized".

      This worked in 4.2. Is there a workaround for 5.0.1?

      Thanks,
      Jeff