
Caller principal lost when Service EJB calls dao EJB using @RunAs

 
matt mcgrillis
Greenhorn
Posts: 7

I'm stumped...

I have a JSF which calls a serviceEJB which in turn calls a daoEJB. Now when serviceEJB calls getUserPrinciple it returns the principal correctly. serviceEJB then calls methodA of daoEJB with a @RunAs set to “SERVICE” (to stop the JSF web client being able to call daoEJB directly). Though when I call getUserPrinciple within daoEJB it gets a caller principal of ‘anonymous’ instead of the correct principal set by JAAS.

Now you can use @RunAsPrincipal... to manually set the principal when the dao EJB is declared... but as far as I can see, there's no way of passing in the original principal.

Now I could remove the RunAs, though this screws up my security model, as in theory my JSF beans could call my dao EJBs directly (which I don't want).

Does anyone know of any way of retaining the original principal set by JAAS when an EJB calls another EJB when @RunAs is being set?

I'm using JBoss 5.

Thanks in advance

Matt
 
Reza Rahman
author
Ranch Hand
Posts: 580
Matt,

There isn't a standards-defined way (run-as is basically intended to be one-way). There may be JBoss-specific APIs to do this, though. It might be worth asking on JBoss resources?

Hope it helps,
Reza

 
matt mcgrillis
Greenhorn
Posts: 7

Surely there's a hole in the spec if anyone using a Service-DAO EJB pattern can't use the caller principal in the DAO?

I can't be the first to have hit this type of problem, whereby I need to use 'run as' to change the ROLE in the service so the DAO can't be called directly (by using RolesAllowed)...

I just don't understand why it is acceptable to change the Principal? Surely it should be fine to let that be set by JAAS and maintained, and just the role changed by 'run as', rather than changing the role (as expected) but also deleting the principal?

Does anyone know if there is another way round getting the DAOs to not be called by the web client without using RunAs?
 
Reza Rahman
author
Ranch Hand
Posts: 580
Matt,

I typically use the container for declarative security, nothing more. So one-way run-as is sufficient (in fact, that's how all security systems that I know of operate on this feature).

As I said though, it is worth checking with a vendor to see if they offer anything.

Regards,
Reza
 
matt mcgrillis
Greenhorn
Posts: 7
Hi Reza,

Thanks for your help.

I would have thought this method was still 'one way', so to speak - it's just I need the Principal set by JAAS to be retained, instead of changing the principal when 'RunAs' changes the role?

I've posted the question on the JBoss forums too, but no real answers are coming back, unfortunately.

How do you get the second bean (dao) to know who the caller principal is, without removing the run-as from the first (service) EJB? That is, I guess, my question.

...and if you remove the run-as from the service bean... more importantly... how could you stop the JSF backing beans accessing the second DAO EJB directly?

I'm guessing there must be a way... as that's all I'm trying to achieve by all this anyway...?
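The service/DAO arrangement discussed in this thread, written out as an added illustration (not code from either poster): the service bean keeps @RunAs("SERVICE") so the DAO stays unreachable from the web tier via @RolesAllowed("SERVICE"), and it reads the JAAS caller principal before the outbound call and hands the name to the DAO as an ordinary parameter, since the container does not forward it. Bean and interface names (OrderService, OrderDao, OrderDaoLocal, OrderServiceLocal) and the USER/SERVICE role names are assumptions; the local interfaces are there because EJB 3.0 on JBoss 5 needs them.

```java
import java.security.Principal;
import javax.annotation.Resource;
import javax.annotation.security.RolesAllowed;
import javax.annotation.security.RunAs;
import javax.ejb.EJB;
import javax.ejb.Local;
import javax.ejb.SessionContext;
import javax.ejb.Stateless;

@Local interface OrderDaoLocal { void insertOrder(String originalUser, String item); }
@Local interface OrderServiceLocal { void placeOrder(String item); }

// Service layer: web callers holding USER may invoke it; because of @RunAs,
// every outbound EJB call carries the SERVICE role instead of the caller's roles.
@Stateless
@RolesAllowed("USER")
@RunAs("SERVICE")
public class OrderService implements OrderServiceLocal {

    @Resource
    private SessionContext ctx;

    @EJB
    private OrderDaoLocal dao;

    public void placeOrder(String item) {
        // Capture the JAAS-authenticated caller here, before the run-as
        // identity replaces it on the outbound call to the DAO.
        Principal caller = ctx.getCallerPrincipal();
        dao.insertOrder(caller.getName(), item);
    }
}

// DAO layer: only reachable with SERVICE, which the web tier never holds
// directly, so JSF backing beans cannot call it without going through the service.
@Stateless
@RolesAllowed("SERVICE")
class OrderDao implements OrderDaoLocal {

    @Resource
    private SessionContext ctx;

    public void insertOrder(String originalUser, String item) {
        // Here getCallerPrincipal() reports the run-as identity (the thread
        // saw "anonymous" on JBoss 5), not the end user; the end user's name
        // is known only because the service passed it explicitly.
        String runAsIdentity = ctx.getCallerPrincipal().getName();
        // persist item, recording originalUser (not runAsIdentity) as the owner
    }
}
```

Treat the forwarded name as untrusted application data rather than an authenticated identity: the container has authenticated the service, not the string, so use it for ownership and audit columns only and keep authorisation decisions on the declarative role checks.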
 