About Question enthuware.oce-ejbd.v6.2.491 :

All the posts and topics that contain only an error report will be moved here after the error is corrected. This is to ensure that when users view a question in ETS Viewer, the "Discuss" button will not indicate the presence of a discussion that adds no value to the question.

Moderators: Site Manager, fjwalraven

damyrm
Posts: 3
Joined: Tue May 10, 2011 12:37 am

About Question enthuware.oce-ejbd.v6.2.491 :

Post by damyrm »

Hello

It allows programmatic access to the security context in a message driven bean.
There is no direct client for a MDB. So there is no security context.

But I have a getCallerPrincipal and isCallerInRole in the MessageDrivenContext,
and I can use the @RunAs annotation.

So there is a security context?

jszczepankiewicz

Re: About Question enthuware.oce-ejbd.v6.2.491 :

Post by jszczepankiewicz »

In the MDB there is no client security principal propagation from the client. It runs in the container security context not the client. Bean provider or Application Assembler may use annotations or deployment descriptors to set the security context for the message listener methods. Thus you can use the standard tools to detect security context of the method. MessageDrivenContext extends EJBContext.

rkbansal83
Posts: 33
Joined: Sat Nov 24, 2012 8:52 am

Re: About Question enthuware.oce-ejbd.v6.2.491 :

Post by rkbansal83 »

The explanation in the answer:
In the MDB there is no client security principal propagation from the client. It runs in the container security context not the client. Bean provider or Application Assembler may use annotations or deployment descriptors to set the security context for the message listener methods. Thus you can use the standard tools to detect security context of the method. MessageDrivenContext extends EJBContext
I am not sure about the statement in bold; is it talking about setting the identity using the @RunAs annotation?

This identity, I believe, is used to propagate the security context to other components called from the message listener method.

If we use EJBContext methods like isCallerInRole or getCallerPrincipal in the message listener method itself, I believe they will still use the security context of the container.

Christian

Re: About Question enthuware.oce-ejbd.v6.2.491 :

Post by Christian »

There are actually two serious bugs in the explanation:
In the MDB there is no client security principal propagation from the client. It runs in the container security context not the client.

This is not true; according to the EJB 3.1 specification, section 5.4.13 Security Context of Message-Driven Bean Methods:
A caller principal may propagate into a message-driven bean’s message listener methods. Whether this occurs is a function of the specific message-listener interface and associated messaging provider, but is not governed by this specification.
Secondly, as stated by rkbansal83, the @RunAs annotation / deployment descriptor is used to propagate the security context to other components called from Message listener method:
See section 17.3.4.1 Run-as:
Establishing a run-as identity for an enterprise bean does not affect the identities of its callers[...]. The run-as identity establishes the identity the enterprise bean will use when it makes calls.
So, it's wrong to say: because bean provider or Application Assembler may use annotations or deployment descriptors to set the security context for the message listener methods, you can use getCallerPrincipal and isCallerInRole in a MDB.
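
The distinction drawn in the posts above, as an added example that is not part of the original thread or of the question's explanation: @RunAs sets the identity for calls the MDB makes, while what getCallerPrincipal and isCallerInRole report inside onMessage is left to the messaging provider. The bean names, the role "auditor" and the queue name are assumptions made for illustration.

```java
// File: AuditService.java (hypothetical callee)
import javax.annotation.Resource;
import javax.annotation.security.RolesAllowed;
import javax.ejb.SessionContext;
import javax.ejb.Stateless;

@Stateless
public class AuditService {
    @Resource private SessionContext ctx;

    @RolesAllowed("auditor") // only callers in role "auditor" may invoke this
    public String record(String event) {
        // Caller here is the principal the container maps to the MDB's run-as role.
        return ctx.getCallerPrincipal().getName() + " recorded " + event;
    }
}

// File: OrderListener.java (hypothetical MDB)
import javax.annotation.Resource;
import javax.annotation.security.DeclareRoles;
import javax.annotation.security.RunAs;
import javax.ejb.EJB;
import javax.ejb.MessageDriven;
import javax.ejb.MessageDrivenContext;
import javax.jms.Message;
import javax.jms.MessageListener;

@MessageDriven(mappedName = "jms/ordersQueue") // constructed destination name
@DeclareRoles("auditor")                       // role name used by isCallerInRole below
@RunAs("auditor")                              // identity for calls this bean MAKES
public class OrderListener implements MessageListener {
    @Resource private MessageDrivenContext ctx;
    @EJB private AuditService audit;

    @Override
    public void onMessage(Message msg) {
        // @RunAs does not change who the caller of onMessage is. Whether a caller
        // principal propagates here depends on the messaging provider (EJB 3.1,
        // section 5.4.13), so authorization inside the listener should not rely on
        // these values unless the provider documents the propagation.
        String caller = ctx.getCallerPrincipal().getName();
        boolean inRole = ctx.isCallerInRole("auditor");

        // The outgoing call is made under the run-as identity (section 17.3.4.1),
        // so @RolesAllowed("auditor") passes whatever the provider reported above.
        String result = audit.record("order message");
        System.out.println(caller + " / " + inRole + " / " + result);
    }
}
```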

admin
Site Admin
Posts: 10036
Joined: Fri Sep 10, 2010 9:26 pm

Re: About Question enthuware.oce-ejbd.v6.2.491 :

Post by admin »

You are right. This has now been fixed.

Thank you for your feedback!
-Paul.