Question on using @RunAs annotation

 
Ranch Hand
Posts: 634

Source: 11.3.8. Changing the Invocation Security Role
OCP JavaEE 6 EJB Developer Study Notes by Ivan A Krizsan, Version: April 8, 2012


The explanation for the example is given as:

When executing in the StatelessSession1Bean, the name of the principal is "johnny" and the caller is in the security role "plainusers".

A. The first session bean, StatelessSession1Bean, did not succeed in invoking the superusersOnly method on the second session bean, StatelessSession2Bean. This is not entirely surprising, as the caller is in the role "plainusers" when executing in the first session bean.

B. When executing in the StatelessSession2Bean, the name of the principal has changed to "runas-superuser" and the caller is neither in the security role "superusers" nor in the role "plainusers".

C. Remember that we configured a user named "runas-superuser" in the GlassFish server which belongs to the “super-users” group. So despite the "runas-superuser" belonging to the same group as the user "ivan", running with the former principal still does not allow us to invoke the superusersOnly method on the StatelessSession2Bean. This is because the "runas-superuser" is mapped to another security role, the "runasadmin" role.

My Understanding:
When mSessionBean1.greeting(theRequestNameParam); is executed from EJBClientServlet, the name of the principal is "johnny" and the caller is in the security role "plainusers".
However, when StatelessSession1Bean tries to invoke mSessionBean2.superusersOnly()

Question 1: Is the caller in the role "plainusers" or "runasadmin"?
Question 2: Statement A states that the caller is in the role "plainusers", while statement C states that the caller is in the "runasadmin" role (see statements in italics). Aren't the two contradictory?
 
Mohit G Gupta
Ranch Hand
Posts: 634
Please advise.
 
Bartender
Posts: 1051
A1 runasadmin

A2 When executing StatelessSession2Bean, the principal is changed from johnny to runas-superuser. At this point, the role of the user is changed from plainusers to runasadmin.
 
Mohit G Gupta
Ranch Hand
Posts: 634
Thanks James for the reply.

A2 When executing StatelessSession2Bean, the principal is changed from johnny to runas-superuser. At this point, the role of the user is changed from plainusers to runasadmin



So, when the following line of code executes in StatelessSession1Bean, the caller is in the role "plainusers":



However, when superusersOnly executes in the StatelessSession2Bean, the caller role changes from "plainusers" to "runasadmin".

Please let me know if I have understood correctly
 
James Boswell
Bartender
Posts: 1051
That's pretty much correct. The important thing to remember is that any caller of a method within a class marked with @RunAs annotation will assume the "run as" role.
 
Mohit G Gupta
Ranch Hand
Posts: 634
Thanks James
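
The scenario discussed in this thread, as an added example that is not code from the study notes or from any poster. It assumes `@RunAs("runasadmin")` is placed on StatelessSession1Bean (under the EJB specification the run-as role applies to calls a bean makes to other components, not to callers entering that bean) and that the server maps `runasadmin` to the `runas-superuser` principal; `whoCalledMe` is a hypothetical helper added to show the propagated identity.

```java
// ---- StatelessSession1Bean.java ----
import javax.annotation.Resource;
import javax.annotation.security.*;
import javax.ejb.*;

@Stateless
@DeclareRoles({"plainusers", "superusers", "runasadmin"})
@RunAs("runasadmin") // assumed placement; governs only calls made BY this bean
public class StatelessSession1Bean {
    @Resource private SessionContext ctx;
    @EJB private StatelessSession2Bean mSessionBean2;

    @RolesAllowed("plainusers")
    public String greeting(String name) {
        // Inbound identity: the servlet's authenticated caller, unaffected by @RunAs.
        String here = ctx.getCallerPrincipal().getName()
                + " plainusers=" + ctx.isCallerInRole("plainusers");
        String there = mSessionBean2.whoCalledMe(); // outbound call carries the run-as identity
        String outcome;
        try {
            mSessionBean2.superusersOnly();
            outcome = "allowed";
        } catch (EJBAccessException e) { // run-as role is not listed in @RolesAllowed
            outcome = "denied";
        }
        return "Hello " + name + " bean1[" + here + "] bean2[" + there + "] superusersOnly=" + outcome;
    }
}

// ---- StatelessSession2Bean.java ----
import javax.annotation.Resource;
import javax.annotation.security.*;
import javax.ejb.*;

@Stateless
@DeclareRoles({"plainusers", "superusers", "runasadmin"})
public class StatelessSession2Bean {
    @Resource private SessionContext ctx;

    @PermitAll // hypothetical helper: reports the identity this bean sees for its caller
    public String whoCalledMe() {
        return ctx.getCallerPrincipal().getName()
                + " superusers=" + ctx.isCallerInRole("superusers")
                + " runasadmin=" + ctx.isCallerInRole("runasadmin");
    }

    @RolesAllowed("superusers") // the method from the study notes' example
    public void superusersOnly() { }
}
```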
 