Source: 11.3.8. Changing the Invocation Security Role
OCP JavaEE 6 EJB Developer Study Notes by Ivan A Krizsan Version: April 8, 2012
The explanation for the example is given as:
When executing in the StatelessSession1Bean, the name of the principal is "johnny" and the
caller is in the security role "plainusers".
A. The first session bean, StatelessSession1Bean, did not succeed in invoking the
superusersOnly method on the second session bean, StatelessSession2Bean.
This is not entirely surprising, as the caller is in the role "plainusers" when executing in the
first session bean.
B. When executing in the StatelessSession2Bean, the name of the principal has changed to
"runas-superuser" and the caller is neither in the security role "superusers" nor in the role
C. Remember that we configured a user named "runas-superuser" in the GlassFish server
which belongs to the “super-users” group.
So despite the "runas-superuser" belonging to the same group as the user "ivan", running
with the former principal still does not allow us to invoke the superusersOnly method on the
StatelessSession2Bean. This is because the "runas-superuser" is mapped to another security
role, the "runasadmin" role.
My Understanding: When mSessionBean1.greeting(theRequestNameParam); is executed from EJBClientServlet, the name of the principal is "johnny" and the caller is in the security role "plainusers".
However, when StatelessSession1Bean tries to invoke mSessionBean2.superusersOnly()
Question 1: Is the caller in the role "plainusers" or "runasadmin"?
Question 2: Statement A states that the caller is in the role "plainusers", while statement C states that the caller is in the "runasadmin" role (see statements in italics). Aren't the two contradictory?
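As an added illustration (not code from the study notes or from the poster), the two beans the notes describe, written so that each bean reports what the container sees. Assumed names: the package `example.ejb`, the field `mContext`, the diagnostic method `describeCaller()` and the parameter `inName`; `greeting`, `superusersOnly` and `mSessionBean2` are taken from the post. The example assumes the roles are mapped in the GlassFish deployment descriptor as the notes state: "johnny" to "plainusers", and the principal "runas-superuser" to the role "runasadmin".

```java
// --- File StatelessSession2Bean.java (assumed file and package names) ---
package example.ejb;

import javax.annotation.Resource;
import javax.annotation.security.DeclareRoles;
import javax.annotation.security.PermitAll;
import javax.annotation.security.RolesAllowed;
import javax.ejb.SessionContext;
import javax.ejb.Stateless;

// Target bean: superusersOnly() is restricted to the "superusers" role.
// Roles are declared so that isCallerInRole() can be asked about each of them.
@Stateless
@DeclareRoles({"superusers", "runasadmin", "plainusers"})
public class StatelessSession2Bean {
    @Resource
    private SessionContext mContext;

    @RolesAllowed("superusers")
    public String superusersOnly() {
        return "superusersOnly invoked by " + mContext.getCallerPrincipal().getName();
    }

    // Diagnostic method (assumed, not in the notes): reports the identity and roles
    // the container attributes to whoever calls into this bean.
    @PermitAll
    public String describeCaller() {
        return "principal=" + mContext.getCallerPrincipal().getName()
            + " superusers=" + mContext.isCallerInRole("superusers")
            + " runasadmin=" + mContext.isCallerInRole("runasadmin")
            + " plainusers=" + mContext.isCallerInRole("plainusers");
    }
}

// --- File StatelessSession1Bean.java (assumed file and package names) ---
package example.ejb;

import javax.annotation.Resource;
import javax.annotation.security.DeclareRoles;
import javax.annotation.security.RolesAllowed;
import javax.annotation.security.RunAs;
import javax.ejb.EJB;
import javax.ejb.EJBAccessException;
import javax.ejb.SessionContext;
import javax.ejb.Stateless;

// Calling bean: authorization of greeting() is checked against the real caller
// ("johnny" in "plainusers"); outbound calls made from inside this bean carry
// the @RunAs role "runasadmin" instead of the caller's own roles.
@Stateless
@RunAs("runasadmin")
@DeclareRoles({"plainusers", "runasadmin"})
public class StatelessSession1Bean {
    @Resource
    private SessionContext mContext;

    @EJB
    private StatelessSession2Bean mSessionBean2;

    @RolesAllowed("plainusers")
    public String greeting(String inName) {
        StringBuilder out = new StringBuilder("Hello ").append(inName).append('\n');

        // Inside this bean the container still sees the authenticated user.
        out.append("In bean 1: principal=").append(mContext.getCallerPrincipal().getName())
           .append(" plainusers=").append(mContext.isCallerInRole("plainusers")).append('\n');

        // Inside bean 2 the principal is the one mapped to "runasadmin" in the
        // deployment descriptor ("runas-superuser" in the notes), and only that
        // role is present; "superusers" and "plainusers" both report false.
        out.append("In bean 2: ").append(mSessionBean2.describeCaller()).append('\n');

        try {
            out.append(mSessionBean2.superusersOnly());
        } catch (EJBAccessException e) {
            // Expected: "runasadmin" is not "superusers", so the container denies the call
            // regardless of which group the run-as principal belongs to on the server.
            out.append("superusersOnly denied: ").append(e.getMessage());
        }
        return out.toString();
    }
}
```

The point the two `isCallerInRole` reports make visible is that @RunAs does not add a role to the caller; it replaces the identity for calls leaving the bean, and the replacement identity is a security role ("runasadmin"), not the server-side group of the principal mapped to it. Because @RolesAllowed on bean 2 is evaluated against roles, group membership of "runas-superuser" on the GlassFish side never enters into the decision.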