
Question on using @RunAs annotation

 
Mohit G Gupta
Ranch Hand
Source: 11.3.8. Changing the Invocation Security Role
OCP JavaEE 6 EJB Developer Study Notes by Ivan A Krizsan Version: April 8, 2012

The explanation for the example is given as:

When executing in the StatelessSession1Bean, the name of the principal is "johnny" and the
caller is in the security role "plainusers".

A. The first session bean, StatelessSession1Bean, did not succeed in invoking the
superusersOnly method on the second session bean, StatelessSession2Bean.
This is not entirely surprising, as the caller is in the role "plainusers" when executing in the
first session bean.

B. When executing in the StatelessSession2Bean, the name of the principal has changed to
"runas-superuser" and the caller is neither in the security role "superusers" nor in the role
"plainusers".

C. Remember that we configured a user named "runas-superuser" in the GlassFish server
which belongs to the "super-users" group.
So despite the "runas-superuser" belonging to the same group as the user "ivan", running
with the former principal still does not allow us to invoke the superusersOnly method on the
StatelessSession2Bean. This is because the "runas-superuser" is mapped to another security
role, the "runasadmin" role.

My Understanding:
When mSessionBean1.greeting(theRequestNameParam); is executed from EJBClientServlet, the name of the principal is "johnny" and the caller is in the security role "plainusers".
However, when StatelessSession1Bean tries to invoke mSessionBean2.superusersOnly():

Question 1: Is the caller in the role "plainusers" or "runasadmin"?
Question 2: Statement A states that the caller is in the role "plainusers", while statement C states that the caller is in the "runasadmin" role (see the statements in italics). Aren't the two contradictory?
 
Mohit G Gupta
Ranch Hand
Please advise.
 
James Boswell
Bartender
A1 runasadmin

A2 When executing StatelessSession2Bean, the principal is changed from johnny to runas-superuser. At this point, the role of the user is changed from plainusers to runasadmin.
 
Mohit G Gupta
Ranch Hand
Thanks James for the reply.

A2 When executing StatelessSession2Bean, the principal is changed from johnny to runas-superuser. At this point, the role of the user is changed from plainusers to runasadmin.

So, when the following line of code executes in StatelessSession1Bean, the caller is in the role "plainusers":

However, when superusersOnly executes in the StatelessSession2Bean, then the caller role changes from "plainusers" to "runasadmin".

Please let me know if I have understood correctly.
 
James Boswell
Bartender
That's pretty much correct. The important thing to remember is that any caller of a method within a class marked with the @RunAs annotation will assume the "run as" role.
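As an added example (not code from the thread or from Ivan Krizsan's notes), the two beans below sketch the configuration under discussion: StatelessSession1Bean carries @RunAs("runasadmin"), so the calls it makes to StatelessSession2Bean run under the run-as role, while inside its own methods the caller is still "johnny" in "plainusers". The whoAmI() helper and the EJBAccessException handling are assumptions added to make the principal and role switch observable; the mapping of the run-as role to the principal name "runas-superuser" is done in the server's role mapping and is not shown.

```java
import javax.annotation.Resource;
import javax.annotation.security.DeclareRoles;
import javax.annotation.security.RolesAllowed;
import javax.annotation.security.RunAs;
import javax.ejb.EJB;
import javax.ejb.EJBAccessException;
import javax.ejb.SessionContext;
import javax.ejb.Stateless;

// --- StatelessSession2Bean.java: only "superusers" may call superusersOnly() ---
@Stateless
@DeclareRoles({"superusers", "plainusers", "runasadmin"})
public class StatelessSession2Bean {
    @Resource private SessionContext ctx;
    @RolesAllowed("superusers")
    public String superusersOnly() {
        return "superusersOnly called by " + ctx.getCallerPrincipal().getName();
    }
    // Assumed helper (not in the notes): reports the identity the container sees here.
    @RolesAllowed({"superusers", "plainusers", "runasadmin"})
    public String whoAmI() {
        return String.format("%s superusers=%b plainusers=%b runasadmin=%b",
            ctx.getCallerPrincipal().getName(), ctx.isCallerInRole("superusers"),
            ctx.isCallerInRole("plainusers"), ctx.isCallerInRole("runasadmin"));
    }
}

// --- StatelessSession1Bean.java ---
@Stateless
@RunAs("runasadmin") // governs the identity used for calls this bean makes downstream
@DeclareRoles({"plainusers", "runasadmin"})
public class StatelessSession1Bean {
    @Resource private SessionContext ctx;
    @EJB private StatelessSession2Bean mSessionBean2;
    @RolesAllowed("plainusers")
    public String greeting(String name) {
        StringBuilder out = new StringBuilder("Hello " + name + "\n");
        // Inside bean1 the caller is still the original principal ("johnny" in "plainusers").
        out.append("bean1 sees ").append(ctx.getCallerPrincipal().getName())
           .append(" plainusers=").append(ctx.isCallerInRole("plainusers")).append('\n');
        // Downstream, bean2 sees the run-as principal, in "runasadmin" only.
        out.append("bean2 sees ").append(mSessionBean2.whoAmI()).append('\n');
        try {
            out.append(mSessionBean2.superusersOnly());
        } catch (EJBAccessException e) { // "runasadmin" is not "superusers": access denied
            out.append("superusersOnly denied for run-as role runasadmin");
        }
        return out.toString();
    }
}
```

Because bean2 only ever sees the run-as principal, anything it logs or authorizes on cannot distinguish "johnny" from any other "plainusers" caller; keep that in mind when a bean called behind @RunAs writes audit records.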
 
Mohit G Gupta
Ranch Hand
Thanks James
 