I am unable to grasp the @RunAs concept in EJB security. Let's say, if I put a @RunAs("Admin") above a method in an EJB, then won't I be allowing "Admin" access to any kind of user, since I am telling the method to use "Admin" privileges no matter what the propagated principal is?
I don't think there's any security issue. The bean's role will be changed, but not the caller's. Even if you set @RunAs("admin") at the method, it doesn't mean that anybody can call it. It means that methods called by this bean will see it as being an admin.
OK, so if I say that when a method of a bean makes an internal call to a method which has been declared @RunAs("Admin"), it can access that method's functionality even though the principal is different, is that right?
I'd rather say: if a bean which has been declared @RunAs("Admin") makes an internal call to a method which is configured to be accessed by the Admin role, then it can access that method's functionality even though the principal is different.
There's no security violation, but you have to be careful when using this annotation, as you could unintentionally give access to some functionality which should not usually be accessible unless the user is assigned to a high-level role.
By the way, @RunAs is set on a bean, not on methods.
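As an added illustration of the point made in this answer (this is example code, not code from the question or the answer), here are two stateless session beans: `AuditBean` is Admin-only, and `ReportBean` is declared `@RunAs("Admin")` at class level so that its outgoing calls into `AuditBean` succeed even when the real caller only holds the `User` role. The bean names, the `User`/`Admin` role names and the method names are hypothetical; the annotations are the standard `javax.annotation.security` and `javax.ejb` ones.

```java
// Added example, not part of the original thread. Bean names, roles and
// methods are hypothetical. Two source files are shown; the "File:" comments
// mark where each class would live.

// File: AuditBean.java
import javax.annotation.Resource;
import javax.annotation.security.DeclareRoles;
import javax.annotation.security.RolesAllowed;
import javax.ejb.SessionContext;
import javax.ejb.Stateless;

/**
 * Downstream bean. Every business method is restricted to "Admin".
 * A principal that only holds "User" and calls recordEntry() directly
 * is rejected by the container (EJBAccessException).
 */
@Stateless
@DeclareRoles({"User", "Admin"})
public class AuditBean {

    @Resource
    private SessionContext ctx;

    @RolesAllowed("Admin")
    public String recordEntry(String text) {
        // When reached through ReportBean below, the container presents the
        // run-as identity here, so this sees the "Admin" principal the
        // container mapped to that role, not the end user.
        return "audit[" + ctx.getCallerPrincipal().getName() + "]: " + text;
    }
}

// File: ReportBean.java
import javax.annotation.Resource;
import javax.annotation.security.DeclareRoles;
import javax.annotation.security.PermitAll;
import javax.annotation.security.RolesAllowed;
import javax.annotation.security.RunAs;
import javax.ejb.EJB;
import javax.ejb.SessionContext;
import javax.ejb.Stateless;

/**
 * Caller bean. @RunAs is a TYPE-level annotation (putting it on a method
 * does not compile). It does not change who may call ReportBean; that is
 * still decided by @RolesAllowed / @PermitAll on its methods. It changes the
 * identity ReportBean uses for its *outgoing* EJB calls.
 */
@Stateless
@DeclareRoles({"User", "Admin"})
@RunAs("Admin")
public class ReportBean {

    @Resource
    private SessionContext ctx;

    @EJB
    private AuditBean audit;

    // Only "User" callers get in. Inside, the caller is still the real user:
    // getCallerPrincipal() and isCallerInRole() reflect the actual caller,
    // not the run-as role.
    @RolesAllowed("User")
    public String generate() {
        String caller = ctx.getCallerPrincipal().getName();   // the end user
        boolean isAdmin = ctx.isCallerInRole("Admin");        // false for a plain user
        // The outgoing call succeeds anyway, because ReportBean runs as "Admin".
        return audit.recordEntry("report generated by " + caller
                + " (isCallerInRole(Admin)=" + isAdmin + ")");
    }

    // The hazard the answer warns about: anyone at all can now reach an
    // Admin-only operation indirectly. @RunAs did not "open" AuditBean; the
    // overly permissive @PermitAll on this method did, combined with @RunAs.
    @PermitAll
    public String purgeViaReport() {
        return audit.recordEntry("purge requested by an arbitrary caller");
    }
}
```

Two things to check when deploying something like this: the run-as role has to be mapped to a concrete principal in the container's security configuration (how that is done is vendor-specific), and every method on a `@RunAs` bean should be reviewed as if it were annotated with the run-as role, because any caller who can reach that method inherits that role for the bean's outgoing calls.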