
About Question enthuware.oce-ejbd.v6.2.491 :

Posted: Sat May 14, 2011 1:32 am
by damyrm
Hello

It allows programmatic access to the security context in a message driven bean.
There is no direct client for a MDB. So there is no security context.

But I have a getCallerPrincipal and isCallerInRole in the MessageDrivenContext.
And I can use the @RunAs annotation.

So there is a security context?

Re: About Question enthuware.oce-ejbd.v6.2.491 :

Posted: Sun May 15, 2011 6:19 am
by jszczepankiewicz
In the MDB there is no client security principal propagation from the client. It runs in the container security context, not the client's. Bean provider or Application Assembler may use annotations or deployment descriptors to set the security context for the message listener methods. Thus you can use the standard tools to detect the security context of the method. MessageDrivenContext extends EJBContext.

Re: About Question enthuware.oce-ejbd.v6.2.491 :

Posted: Tue Nov 27, 2012 10:17 am
by rkbansal83
The explanation in the answer:
In the MDB there is no client security principal propagation from the client. It runs in the container security context, not the client's. Bean provider or Application Assembler may use annotations or deployment descriptors to set the security context for the message listener methods. Thus you can use the standard tools to detect the security context of the method. MessageDrivenContext extends EJBContext.
I am not sure about the statement in bold. Is it talking about setting the identity using the @RunAs annotation?

This identity, I believe is used to propagate the security context to other components called from Message listener method.

If we use EJBContext methods like isCallerInRole or getCallerPrincipal in the message listener method itself, I believe they will still use the security context of the container.

Re: About Question enthuware.oce-ejbd.v6.2.491 :

Posted: Wed Nov 28, 2012 2:25 am
by Christian
There are actually two serious bugs in the explanation:
In the MDB there is no client security principal propagation from the client. It runs in the container security context not the client.

This is not true; according to the EJB 3.1 specification, section 5.4.13 Security Context of Message-Driven Bean Methods:
A caller principal may propagate into a message-driven bean’s message listener methods. Whether this occurs is a function of the specific message-listener interface and associated messaging provider, but is not governed by this specification.
Secondly, as stated by rkbansal83, the @RunAs annotation / deployment descriptor is used to propagate the security context to other components called from the message listener method:
See section 17.3.4.1 Run-as:
Establishing a run-as identity for an enterprise bean does not affect the identities of its callers[...]. The run-as identity establishes the identity the enterprise bean will use when it makes calls.
So, it's wrong to say: because the bean provider or Application Assembler may use annotations or deployment descriptors to set the security context for the message listener methods, you can use getCallerPrincipal and isCallerInRole in an MDB.
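
The two points above, an MDB whose own caller is not governed by @RunAs while its outgoing calls are, written out as an added example (not code from this thread or from the Enthuware question). The role name "auditor", the bean names and leaving the queue binding to the deployment descriptor are assumptions.

```java
// Added example, not code from the thread or the Enthuware question. Role
// name "auditor" and the queue binding (left to the deployment descriptor)
// are assumptions. Two bean classes are shown; each goes in its own file.
import javax.annotation.Resource;
import javax.annotation.security.*;
import javax.ejb.*;
import javax.jms.*;

// --- AuditBean.java: downstream bean the MDB calls ---
@Stateless
public class AuditBean {
    @Resource private SessionContext ctx;

    @RolesAllowed("auditor")   // only callers in role "auditor" get in
    public String record(String text) {
        // Reached from AuditMdb, the caller seen here is the MDB's run-as
        // identity (mapped to "auditor"), so the role check passes.
        return ctx.getCallerPrincipal().getName() + " recorded: " + text;
    }
}

// --- AuditMdb.java ---
@MessageDriven(activationConfig = @ActivationConfigProperty(
        propertyName = "destinationType", propertyValue = "javax.jms.Queue"))
@RunAs("auditor")   // identity for the MDB's OUTGOING calls only (17.3.4.1)
public class AuditMdb implements MessageListener {
    @Resource private MessageDrivenContext mdc;
    @EJB private AuditBean audit;

    /** What the MDB itself sees: its caller, not its run-as identity. */
    public String describeCaller() {
        // Whether a client principal arrived with the message is
        // provider-specific (5.4.13). With no propagation the container
        // reports an unauthenticated principal and isCallerInRole is false.
        return "caller=" + mdc.getCallerPrincipal().getName()
             + " inRole(auditor)=" + mdc.isCallerInRole("auditor");
    }

    @Override
    public void onMessage(Message msg) {
        System.out.println(describeCaller());
        try {
            // Outgoing call carries the run-as identity, so @RolesAllowed
            // on AuditBean.record is satisfied regardless of the MDB's caller.
            System.out.println(audit.record(msg.getJMSMessageID()));
        } catch (JMSException e) {
            mdc.setRollbackOnly();   // CMT: mark for rollback so the message is redelivered
        }
    }
}
```

Deployed as is, the MDB's own isCallerInRole("auditor") tells you nothing about the run-as role, which is exactly why the corrected answer says the two EJBContext methods cannot be relied on in an MDB the way they can in a session bean with a real client.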

Re: About Question enthuware.oce-ejbd.v6.2.491 :

Posted: Wed Nov 28, 2012 8:04 am
by admin
You are right. This has now been fixed.

Thank you for your feedback!
-Paul.