JavaRanch » Java Forums » Certification » EJB Certification (SCBCD/OCPJBCD)
Is this security violation?

nitin pai
Ranch Hand

Joined: May 30, 2006
Posts: 185
I am unable to grasp the @RunAs concept in EJB security. Let's say, if I put a @RunAs("Admin") above a method in an EJB, then won't I be allowing "Admin" access to any kind of user, since I am telling the method to use "Admin" privileges no matter what the propagated principal is?



Christophe Verré
Sheriff

Joined: Nov 24, 2005
Posts: 14687
    
  16

I don't think there's any security issue. The bean role will be changed, but not the caller's. Even if you set a @RunAs("admin") at the method, it doesn't mean that anybody can call it. It means that methods called by this bean will see it as being an admin.


[My Blog]
All roads lead to JavaRanch
nitin pai
Ranch Hand

Joined: May 30, 2006
Posts: 185
Thanks, Christophe.

OK, so if I say that if a method of a bean makes an internal call to the method which has been declared @RunAs("Admin"), then it can access the method's functionality even though the principal is different. Is it right?
Christophe Verré
Sheriff

Joined: Nov 24, 2005
Posts: 14687
    
  16

I'd rather say: if a bean which has been declared @RunAs("Admin") makes an internal call to a method which is configured to be accessed by the Admin role, then it can access that method's functionality even though the principal is different.

There's no security violation, but you have to be careful when using this annotation, as you could unintentionally give access to some functionality which should usually not be accessible unless the user is assigned to a high-level role.

By the way, @RunAs is set on a bean, not on methods.
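The two points made in this thread, that @RunAs changes the identity the *callee* sees but not the caller's own principal, and that it is a class-level annotation whose entry methods still need their own @RolesAllowed guard, can be shown with two beans. This is an added example, not code from the thread; it assumes EJB 3.x with the javax.annotation.security and javax.ejb APIs, a hypothetical AdminServiceBean and ReportBean, and roles named "Admin" and "User". Each bean would go in its own source file in a real project.

```java
import javax.annotation.Resource;
import javax.annotation.security.DeclareRoles;
import javax.annotation.security.RolesAllowed;
import javax.annotation.security.RunAs;
import javax.ejb.EJB;
import javax.ejb.SessionContext;
import javax.ejb.Stateless;

// Downstream bean (hypothetical): only principals in the "Admin" role may call purgeAuditLog().
@Stateless
@DeclareRoles({"Admin", "User"})
public class AdminServiceBean {

    @Resource
    private SessionContext ctx;

    @RolesAllowed("Admin")
    public String purgeAuditLog() {
        // When invoked through a @RunAs("Admin") bean, isCallerInRole("Admin") is true
        // even if the end user only holds the "User" role. The principal name reported
        // here is the container's mapped run-as principal (how the run-as role is mapped
        // to a principal is vendor-specific deployment configuration), not the end user.
        return "purged; Admin role in effect: " + ctx.isCallerInRole("Admin")
             + ", seen as principal: " + ctx.getCallerPrincipal().getName();
    }
}

// Caller bean (hypothetical): runs with the "Admin" role identity for its outbound calls.
// @RunAs is placed on the bean class, not on individual methods, as the thread notes.
@Stateless
@RunAs("Admin")
@DeclareRoles({"Admin", "User"})
public class ReportBean {

    @EJB
    private AdminServiceBean adminService;

    @Resource
    private SessionContext ctx;

    // Guarding the entry point is what keeps @RunAs from becoming an unintended
    // privilege grant: only "User" principals may trigger the Admin-level downstream call.
    @RolesAllowed("User")
    public String closeMonth() {
        // The caller's own principal is unchanged in this bean; @RunAs only affects the
        // identity AdminServiceBean sees when ReportBean calls it.
        String caller = ctx.getCallerPrincipal().getName();
        return "requested by " + caller + "; " + adminService.purgeAuditLog();
    }

    // The caveat from the thread: an unrestricted method (no @RolesAllowed, or @PermitAll)
    // on a @RunAs bean would let any authenticated user reach Admin-only functionality
    // through it. Review every public method of a @RunAs bean for exactly this.
    // @PermitAll
    // public String unguardedEntry() { return adminService.purgeAuditLog(); }
}
```

A quick check when reviewing a deployment: for each bean carrying @RunAs, list its business methods and confirm that every one has a @RolesAllowed (or a method-permission element in ejb-jar.xml) no broader than the role you would be willing to hand the run-as privilege to.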