RunAs and EJBCallerPrincipal

Oct 14, 2013 11:38:52

Hi, I am trying to invoke a Session Bean BeanA's methodA ()via an MDB MDB1. Both MDB1 and SessionBean BeanA has RunAs("my user") annotation on it.
The user has been mapped on WAS 7 to correct roles.

I am trying to get the CalllerPrincipal from,
- the ejbcontext in the methodA of the BeanA and
- the messagedrivenbeancontext in onMessage method of MDB1.

At both places i get UNAUTHENTICATED for the caller principal
How can i get the RunAs User in the session bean, BeanA's method A.

Oct 14, 2013 12:36:10

Hi,

I am not sure whether I understand you correctly, but the MBD is calling you Session bean, right?

In that case there is no Principal involved as MBD's don't have a client.

Regards,
Frits

Oct 14, 2013 14:52:03

Frits, you have understood me correctly.
MDBs are calling session bean but MDB has been configured as RUNAS(my user) also the Session Bean has been configured as RunAs(My User)

Are you saying, since MDBs dont have a client to access them, there is no way i can get callerPrincipal ?
Does RunAs not alter the caller principal atleast on Session beans?

What are my alternatives.
Actually my session bean is supposed to set principal object it recieves in Database Session
Its currently setting up 'UNAUTHENTICATED'. Is there a way i can pass the 'myuser' principal to my Session bean or is there any other option to pass the myuser user?

Oct 14, 2013 23:19:40

Are you saying, since MDBs dont have a client to access them, there is no way i can get callerPrincipal ?

Yes, as there is no authentication in place, there is no Principal involved (unless you have something ejb-container vendor dependent feature)
From the EJB3.1 specs:

5.4.13 Security Context of Message-Driven Bean Methods
A caller principal may propagate into a message-driven bean's message listener methods. Whether this occurs is a function of the specific message-listener interface and associated messaging provider, but is not governed by this specification.

Where do you you thought you would get your Principal from?

Does RunAs not alter the caller principal atleast on Session beans?

Nope, The RunAs annotation just tells the bean to play in another role (you are altering the Role of the Principal, not the name)

What are my alternatives.

Check the messaging provider if and how it is possible to map a user to a MDB.

Regards,
Frits

Oct 15, 2013 16:12:33

thanks frits. I will check the documentation. I know in WAS i can get somethign like a SUBJECT but will need to see if that solves my problems.

Oct 22, 2013 14:58:23

I finally solved it by Having a RunAs annotation on MDB and configuring its binding file[ibm-application-bnd.xml] like this.

and also adding @DeclareRoles({"Authenticated"}) on top of my sesion bean that is invoked from the mdb.
that gives me the principal from the sessioncontext.
ejb-jar.xml looks like this

Oct 22, 2013 23:49:41

Thanks for coming back and putting your solution here.

Regards,
Frits

N.B. I have added "Code" tags around the XML-code. You can do that yourself next time by pressing the "Code" button

There’s no place like 127.0.0.1. But I'll always remember this tiny ad:

a bit of art, as a gift, the permaculture playing cards

https://gardener-gift.com