5 Replies Latest reply on Mar 12, 2007 1:51 PM by anil.saldhana

Bug in SecurityAssociation(?) - EJB3 MDB Calls a SLSB which

sappenin Oct 10, 2006 4:44 PM

I am running JBAS 4.0.4GA_Patch1. I have an annotated EJB3 MDB, with the following annotations:

@SecurityDomain("myRealm")
@RunAs("system")
@RolesAllowed( {
 "admin", "system"
})

Inside of my MDB, I am calling a function on a SLSB (called "UserBean"). Inside of my SLSB UserBean, I execute the following call (notice the injected SessionContext):

@Resource SessionContext context;

public someFunc(..)
{
Principal p = this.context.getCallerPrincipal();
}

Now, this SLSB call works just fine if I access the SLSB from, say, a web-services call (I get the proper principal returned). However, when I call it from an MDB, I get the following exception: "java.lang.IllegalStateException: No valid security context for the caller identity".

After doing a bit of digging, I noticed that inside of the SecurityAssociation class, the peekRunAsIdentity() function is being called with a depth of 1. Inside of peekRunAsIdentity, the peek() function is trying to determine a valid "runas" role. If I debug this, I can see the correct "system" role in the stack (ArrayList) object, complete with an "anonymous" principal name. However, the depth always gets set to -1 inside of the peek function, and so the "RunAs" role is ignored. The peek() function (incorrectly) assumes that the principal is null, and throws an IllegalStateException.

Something seems amiss here...like I said, my code works fine, so long as its not invoked from an MDB. Can anybody comment on this?

Thanks!

David

1. Re: Bug in SecurityAssociation(?) - EJB3 MDB Calls a SLSB wh

sappenin Oct 11, 2006 4:01 PM (in response to sappenin)

Ok, so I found various threads (like this one: http://www.jboss.org/index.html?module=bb&op=viewtopic&t=37807 and http://www.jboss.org/index.html?module=bb&op=viewtopic&t=35269).

From what I can tell, the @RunAs annotation is merely specifying the "role" to use, whereas an MDB that calls a secured SLSB will not have a principal. The suggestions seem to be, "Just perform a JAAS login before accessing your SLSB, and you'll be ok".

However, something about this isn't sitting right with me.

1.) If the MDB RunAs annotation is merely providing a role, but no principal, shouldn't the "unauthenticated" identity get used, just with the @RunAs role? This isn't happening, since my unauthenticated identity is "guest" (in login-config.xml), the SecurityAssociation Stack (detailed above) is showing "anonymous" as the principal, and JBAS doesn't care about either....it is simply throwing an IllegalStateException whenever I try to access the principal inside of my SLSB (called from an MDB). (Error: java.lang.IllegalStateException: No valid security context for the caller identity).

2.) If I perform a programmatic JAAS login inside of my MDB, but just before calling my SLSB, everything works fine. However, shouldn't I be able to use the unauthenticated identiy coupled with the RunAs role in this scenario???

Any thoughts?

David
Actions
2. Re: Bug in SecurityAssociation(?) - EJB3 MDB Calls a SLSB wh

sappenin Dec 14, 2006 6:55 PM (in response to sappenin)

Does anybody have any thoughts/opinion about the questions in my second post (above)?
Actions
3. Re: Bug in SecurityAssociation(?) - EJB3 MDB Calls a SLSB wh

starksm64 Dec 16, 2006 8:26 AM (in response to sappenin)

The anonymous or configured run-as principal should be used the same as in the ejb2 mdb case. The current ejb3 security is being refactored to use a common and consistent codebase with the j2ee1.4 behaviors.
Actions
4. Re: Bug in SecurityAssociation(?) - EJB3 MDB Calls a SLSB wh

judge2005 Mar 9, 2007 12:13 PM (in response to sappenin)

I just got bit by this too. Any news on when it will work?
Actions
5. Re: Bug in SecurityAssociation(?) - EJB3 MDB Calls a SLSB wh

anil.saldhana Mar 12, 2007 1:51 PM (in response to sappenin)

http://jira.jboss.com/jira/browse/JBAS-4198
Actions

Go to original post