JavaRanch » Java Forums » Certification » EJB Certification (SCBCD/OCPJBCD)
Question on using @RunAs annotation

Mohit G Gupta
Ranch Hand

Joined: May 18, 2010
Posts: 634

Source: 11.3.8. Changing the Invocation Security Role
OCP JavaEE 6 EJB Developer Study Notes by Ivan A Krizsan, Version: April 8, 2012

The explanation for the example is given as:

When executing in the StatelessSession1Bean, the name of the principal is "johnny" and the
caller is in the security role "plainusers".

A. The first session bean, StatelessSession1Bean, did not succeed in invoking the
superusersOnly method on the second session bean, StatelessSession2Bean.
This is not entirely surprising, as the caller is in the role "plainusers" when executing in the
first session bean.

B. When executing in the StatelessSession2Bean, the name of the principal has changed to
"runas-superuser" and the caller is neither in the security role "superusers" nor in the role
"plainusers".

C. Remember that we configured a user named "runas-superuser" in the GlassFish server
which belongs to the "super-users" group.
So despite the "runas-superuser" belonging to the same group as the user "ivan", running
with the former principal still does not allow us to invoke the superusersOnly method on the
StatelessSession2Bean. This is because the "runas-superuser" is mapped to another security
role, the "runasadmin" role.

My Understanding:
When mSessionBean1.greeting(theRequestNameParam); is executed from EJBClientServlet, the name of the principal is "johnny" and the caller is in the security role "plainusers".
However, when StatelessSession1Bean tries to invoke mSessionBean2.superusersOnly()

Question 1: Is the caller in the role "plainusers" or "runasadmin"?
Question 2: Statement A states that the caller is in the role "plainusers" while statement C states the caller is in the "runasadmin" role (see statements in italics). Aren't the two contradictory?


OCPJP 6.0 93%
OCPJWCD 5.0 98%
Mohit G Gupta
Ranch Hand

Joined: May 18, 2010
Posts: 634

Please advise.
James Boswell
Bartender

Joined: Nov 09, 2011
Posts: 1012

A1 runasadmin

A2 When executing StatelessSession2Bean, the principal is changed from johnny to runas-superuser. At this point, the role of the user is changed from plainusers to runasadmin.
Mohit G Gupta
Ranch Hand

Joined: May 18, 2010
Posts: 634

Thanks James for the reply.

A2 When executing StatelessSession2Bean, the principal is changed from johnny to runas-superuser. At this point, the role of the user is changed from plainusers to runasadmin


So, when the following line of code executes in StatelessSession1Bean, the caller is in the role "plainusers":



However, when superusersOnly executes in the StatelessSession2Bean, the caller role changes from "plainusers" to "runasadmin".

Please let me know if I have understood correctly.
James Boswell
Bartender

Joined: Nov 09, 2011
Posts: 1012

That's pretty much correct. The important thing to remember is that any caller of a method within a class marked with @RunAs annotation will assume the "run as" role.
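An added example (not code from the study notes or from this thread) showing the two beans side by side; the bean names, role names and the "johnny"/"runas-superuser" principals come from the thread, while the method bodies, the SessionContext checks and the whoAmI method are assumptions. The two classes are shown as they would sit in two separate source files.

```java
// --- StatelessSession1Bean.java (assumed content, not from the study notes) ---
import javax.annotation.Resource;
import javax.annotation.security.RolesAllowed;
import javax.annotation.security.RunAs;
import javax.ejb.EJB;
import javax.ejb.EJBAccessException;
import javax.ejb.SessionContext;
import javax.ejb.Stateless;

@Stateless
@RunAs("runasadmin")          // outgoing calls FROM this bean carry the "runasadmin" role
@RolesAllowed("plainusers")   // incoming calls TO this bean are still checked against the real caller
public class StatelessSession1Bean {
    @Resource private SessionContext ctx;
    @EJB private StatelessSession2Bean mSessionBean2;

    public String greeting(String name) {
        // Inside this bean the security context is still the original caller:
        // getCallerPrincipal() is "johnny" and isCallerInRole("plainusers") is true.
        String who = ctx.getCallerPrincipal().getName();
        String report = who + " plainusers=" + ctx.isCallerInRole("plainusers");
        try {
            // Denied: the run-as role "runasadmin" is not "superusers" (statement A/C).
            return report + " -> " + mSessionBean2.superusersOnly();
        } catch (EJBAccessException e) {
            return report + " -> superusersOnly denied; " + mSessionBean2.whoAmI();
        }
    }
}

// --- StatelessSession2Bean.java (assumed content, not from the study notes) ---
@Stateless
public class StatelessSession2Bean {
    @Resource private SessionContext ctx;

    @RolesAllowed("superusers")
    public String superusersOnly() { return "secret"; }

    @RolesAllowed("runasadmin")
    public String whoAmI() {
        // Called from StatelessSession1Bean: the principal is now "runas-superuser"
        // (the server's mapping of the run-as role to a principal is assumed to be
        // configured in the deployment descriptor), and only "runasadmin" is true.
        return ctx.getCallerPrincipal().getName()
             + " runasadmin=" + ctx.isCallerInRole("runasadmin")
             + " plainusers=" + ctx.isCallerInRole("plainusers")
             + " superusers=" + ctx.isCallerInRole("superusers");
    }
}
```

The point to notice is that @RunAs changes the identity that leaves StatelessSession1Bean, not the identity that entered it, which is why statement A (role "plainusers" inside bean 1) and statement C (role "runasadmin" inside bean 2) both hold.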
Mohit G Gupta
Ranch Hand

Joined: May 18, 2010
Posts: 634

Thanks James