
Confusion with "run-as" security identity

krithika desai
Ranch Hand

Joined: Apr 02, 2003
Posts: 33
I had some questions on this:
1. When w'd I use this?
2. What role s'd be assigned to the principal that executes this method? S'd it be the same as the one we specify in the <role> element?
3. Does it mean that the bean w'd throw an exception when executed by a Principal that does not belong to this role?
The spec also says that this does not affect the identities of the caller.
Does that mean that the caller (i.e. Principal) need not belong to the role required by run-as?
confused :-(

thanks,
krithika
krithika desai
Ranch Hand

Joined: Apr 02, 2003
Posts: 33
I think it's a little clearer now.
We can define method permissions on a bean which has a "run-As" security identity specified.
But if I make a call from one of those methods to another bean, then the principal that gets propagated to the other bean is not that of the client (caller).
Page 447:
"The deployer then assigns a security principal defined in the operational environment to be used as the principal for the run-as identity"
How w'd I do this?
Say I have a security identity like this:
run-As --> "Administrator"

And say I have 3 principals assigned to "Administrator".
They all are "Administrator"s.
Which is the principal that gets used when executing the method?
I do understand that if I do a
getPrincipal() inside one of those methods it won't be one of these 3, but the principal (i.e. the client) that actually executed this method in the first place.
thanks again.
Andrew Perepelytsya
Ranch Hand

Joined: Aug 21, 2002
Posts: 93
I guess you should view it as follows:
The AdminBean has secured access available only to the Administrator role.
The principals get checked when you call any method of AdminBean.
All beans and resources called by the AdminBean will see only the role from <run-as>.
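
An added example, not part of any post in this thread: a constructed EJB 2.0 `ejb-jar.xml` fragment that keeps the two checks discussed above apart, with the caller's role gating entry to AdminBean and the run-as role travelling on AdminBean's outbound calls. The `example.*` class names, the AuditBean and the Clerk role are assumptions made for illustration.

```xml
<!-- Constructed example. Bean/class names and the Clerk role are hypothetical. -->
<ejb-jar>
  <enterprise-beans>
    <session>
      <ejb-name>AdminBean</ejb-name>
      <home>example.AdminHome</home>
      <remote>example.Admin</remote>
      <ejb-class>example.AdminBean</ejb-class>
      <session-type>Stateless</session-type>
      <transaction-type>Container</transaction-type>
      <!-- Identity used for calls AdminBean MAKES to other beans.
           It does not change who is allowed to call AdminBean. -->
      <security-identity>
        <run-as><role-name>Administrator</role-name></run-as>
      </security-identity>
    </session>
    <session>
      <ejb-name>AuditBean</ejb-name>
      <home>example.AuditHome</home>
      <remote>example.Audit</remote>
      <ejb-class>example.AuditBean</ejb-class>
      <session-type>Stateless</session-type>
      <transaction-type>Container</transaction-type>
      <!-- Default behaviour: propagate whatever identity arrives. -->
      <security-identity><use-caller-identity/></security-identity>
    </session>
  </enterprise-beans>
  <assembly-descriptor>
    <security-role><role-name>Administrator</role-name></security-role>
    <security-role><role-name>Clerk</role-name></security-role>
    <!-- Checked against the CLIENT's principal on entry to AdminBean. -->
    <method-permission>
      <role-name>Clerk</role-name>
      <method><ejb-name>AdminBean</ejb-name><method-name>*</method-name></method>
    </method-permission>
    <!-- Checked against the identity AdminBean presents (its run-as role). -->
    <method-permission>
      <role-name>Administrator</role-name>
      <method><ejb-name>AuditBean</ejb-name><method-name>*</method-name></method>
    </method-permission>
  </assembly-descriptor>
  <!-- Which concrete principal stands for the Administrator run-as role is
       assigned by the deployer in the container's own (vendor-specific)
       descriptor, which is not shown here. -->
</ejb-jar>
```

When reviewing a descriptor like this, treat every `<run-as>` bean as a privilege boundary: any role permitted on AdminBean can indirectly reach whatever the run-as role is permitted to call, so the method permissions on the run-as bean deserve the same scrutiny as those on the beans behind it.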