Is this security violation?

Ranch Hand
Posts: 185
I am unable to grasp the @RunAs concept in EJB security. Let's say, if I put a @RunAs("Admin") above a method in an EJB, then won't I be allowing "Admin" access to any kind of user, since I am telling the method to use "Admin" privileges no matter what the propagated principal is?
Sheriff
Posts: 14691
I don't think there's any security issue. The bean's role will be changed, but not the caller's. Even if you set @RunAs("admin") on the method, it doesn't mean that anybody can call it. It means that methods called by this bean will see it as being an admin.
nitin pai
Ranch Hand
Posts: 185
Thanks, Christophe.

OK, so if I say that a method of a bean makes an internal call to a method which has been declared @RunAs("Admin"), then it can access that method's functionality even though the principal is different. Is that right?
Christophe Verré
Sheriff
Posts: 14691
I'd rather say: if a bean which has been declared @RunAs("Admin") makes an internal call to a method which is configured to be accessed by the Admin role, then it can access that method's functionality even though the principal is different.

There's no security violation, but you have to be careful when using this annotation, as you could unintentionally give access to some functionality which should usually not be accessible unless the user is assigned to a high-level role.

By the way, @RunAs is set on a bean, not on methods.
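The situation Christophe describes, as an added example that is not part of the original thread: a bean declared @RunAs("Admin") calls a second bean whose method is restricted to the Admin role. It assumes the Java EE (javax.*) security annotations, a deployment that declares the roles "Admin" and "User", and hypothetical bean and method names chosen for illustration; the two public classes would live in separate source files.

```java
// Added example (not from the original thread). Assumes Java EE javax.* APIs
// and roles "Admin" and "User" declared in the deployment.
import javax.annotation.Resource;
import javax.annotation.security.DeclareRoles;
import javax.annotation.security.PermitAll;
import javax.annotation.security.RolesAllowed;
import javax.annotation.security.RunAs;
import javax.ejb.EJB;
import javax.ejb.SessionContext;
import javax.ejb.Stateless;

// --- AccountAdminBean.java (hypothetical name) ---------------------------
// Target bean: the container only admits callers whose identity is in the
// Admin role. A plain "User" calling this bean directly gets an EJBAccessException.
@Stateless
@DeclareRoles({"Admin", "User"})
public class AccountAdminBean {

    @Resource
    private SessionContext ctx;

    @RolesAllowed("Admin")
    public String resetPassword(String account, String requestedBy) {
        // When reached through a @RunAs("Admin") bean, getCallerPrincipal()
        // here reports the principal the deployer mapped to the run-as
        // identity, not the end user. That is why the original caller's name
        // is passed in explicitly by the calling bean.
        return "reset " + account + " requested by " + requestedBy
                + " (effective principal: " + ctx.getCallerPrincipal().getName()
                + ", isCallerInRole(Admin)=" + ctx.isCallerInRole("Admin") + ")";
    }
}

// --- SelfServiceBean.java (hypothetical name) -----------------------------
// @RunAs goes on the class, never on a method. It does not change who may
// call THIS bean (that is still governed by @RolesAllowed/@PermitAll on its
// methods); it changes the identity this bean uses for its OUTBOUND calls.
@Stateless
@RunAs("Admin")
@DeclareRoles({"Admin", "User"})
public class SelfServiceBean {

    @Resource
    private SessionContext ctx;

    @EJB
    private AccountAdminBean admin;

    // Safe use: only authenticated Users may call this, and the bean
    // constrains the Admin-only operation to the caller's own account.
    // Inside this bean getCallerPrincipal() is still the real end user,
    // because run-as only applies to calls this bean makes.
    @RolesAllowed("User")
    public String resetOwnPassword() {
        String me = ctx.getCallerPrincipal().getName();
        return admin.resetPassword(me, me);
    }

    // The caveat from the thread: combining @RunAs("Admin") with a permissive
    // method turns this bean into a privilege escalation path. Anyone who can
    // reach resetAnyPassword() gets the Admin-only operation on any account,
    // even though they were never assigned the Admin role themselves.
    @PermitAll
    public String resetAnyPassword(String account) {
        return admin.resetPassword(account, ctx.getCallerPrincipal().getName());
    }
}
```

The practical check when reviewing a @RunAs bean is therefore not the @RunAs annotation itself but the access rules on the bean's own methods: every method reachable by a low-privilege caller is effectively an Admin-capable entry point, so each one must constrain what it does (as resetOwnPassword does) or be restricted to the roles that would have been allowed to call the target directly.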