Message-ID: <13300471.1173107510700.JavaMail.jira@brutus>
Date: Mon, 5 Mar 2007 07:11:50 -0800 (PST)
From: "Aman Nanner (JIRA)"
To: dev@geronimo.apache.org
Subject: [jira] Commented: (GERONIMO-2868) Message Driven Beans will not run under the specified "run-as" Subject
In-Reply-To: <6574300.1172161925502.JavaMail.jira@brutus>

[ https://issues.apache.org/jira/browse/GERONIMO-2868?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel#action_12478063 ]

Aman Nanner commented on GERONIMO-2868:
---------------------------------------

{quote}
this is correct behavior,
strangely enough. run-as does not affect the identity of the caller in the called bean, but only the identity used for calls made to other ejbs. I think what you want is a default subject under which the call into the mdb is made. I don't think we have such a thing. What I suspect you actually want is for the identity of the caller to be transmitted with the jms message. I tried and failed to convince the j2ca spec committee to include this feature.
{quote}

Hmm...I am confused now. So you are saying that when specifying a subject in the MDB deployment descriptor, we are not specifying the subject that the MDB shall run under, but rather the subject that any beans called by the MDB will run under?

We use this same deployment descriptor for JBoss and Weblogic, and they interpret it as running the MDB under the subject.

> Message Driven Beans will not run under the specified "run-as" Subject
> ----------------------------------------------------------------------
>
>                 Key: GERONIMO-2868
>                 URL: https://issues.apache.org/jira/browse/GERONIMO-2868
>             Project: Geronimo
>          Issue Type: Bug
>      Security Level: public(Regular issues)
>          Components: OpenEJB, security
>    Affects Versions: 1.2
>            Reporter: Aman Nanner
>         Attachments: mdb-run-as.patch
>
>
> If a message driven bean is configured with a "run-as" element, it is being ignored and the message driven bean is not run as the specified Subject.
> The MDB would be configured in the ejb-jar.xml as follows:
> ----
>
> TestMDB
> TestMDB
> com.acme.ejb.TestMDB
> Bean
> javax.jms.Topic
>
>
> acknowledgeMode
> Auto-acknowledge
>
>
> messageSelector
> JOB_CODE =
> 'FOO'
>
>
> subscriptionDurability
> NonDurable
>
>
>
> ejb/common/TestEJB
> Session
> com.acme.ejb.TestHome
> com.acme.ejb.TestRemote
> TestEJB
>
>
>
> TESTROLE
>
>
>
> ----
> Upon inspection of the org.apache.openejb.mdb.DefaultMdbContainer class, it is noted that the EjbRunAsInterceptor is not configured as part of the invocation step (as it is in org.apache.openejb.slsb.DefaultStatelessEjbContainer). Therefore, the run-as Subject is never being set as part of the Caller stack.
> I added the EjbRunAsInterceptor into the invocation stack and rebuilt Geronimo, but this didn't completely fix the problem. The EjbRunAsInterceptor is now being called, and the Subject is being set as the "next" caller in the ContextManager's caller stack. However, the EjbIdentityInterceptor runs next, and authorizes the invocation under the "current" caller, not the "next" caller. Thus, the run-as Subject does NOT perform the invocation.
> I'm not sure what the best way is to fix this without impacting everything else. If somebody with more knowledge in this area has a good idea, I can try it and submit a patch.
> Also note that this problem seems to imply that the "run-as" functionality wouldn't work with session EJBs either (I haven't tried to verify this).
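
A simplified model of the caller-stack behaviour discussed in this thread, as an added example that is not Geronimo or OpenEJB code and not part of the original message. The class and method names and the "anonymous" default caller are assumptions made for illustration; the model shows that a run-as role set as the "next" caller is not the identity authorized for the MDB's own invocation, but is the identity seen by the session bean the MDB calls.

```java
import java.util.ArrayDeque;
import java.util.Deque;

// Simplified model (hypothetical names, not Geronimo/OpenEJB source) of a
// caller stack that tracks a "current" and a "next" caller.
public class RunAsModel {
    static String current = "anonymous";   // identity the container authorizes
    static String next = "anonymous";      // identity used for outgoing calls
    static final Deque<String[]> saved = new ArrayDeque<>();

    // Entering a bean: the caller's "next" identity becomes the "current" one.
    static void enter() {
        saved.push(new String[] {current, next});
        current = next;
    }

    // Leaving a bean: restore the identities that were in effect before entry.
    static void exit() {
        String[] s = saved.pop();
        current = s[0];
        next = s[1];
    }

    // Run-as step: only changes who this bean appears as to the beans it calls.
    static void runAs(String role) {
        if (role != null) next = role;
    }

    // Identity step: authorizes the invocation against the current caller.
    static void authorize(String bean) {
        System.out.println(bean + " invoked by caller: " + current);
    }

    static void invoke(String bean, String runAsRole, Runnable body) {
        enter();
        try {
            runAs(runAsRole);   // sets "next", leaves "current" untouched
            authorize(bean);    // checked against "current"
            body.run();         // calls made here carry "next"
        } finally {
            exit();
        }
    }

    public static void main(String[] args) {
        // Assumption: JMS delivery carries no caller identity, so the MDB is
        // entered under the default "anonymous" caller.
        invoke("TestMDB", "TESTROLE", () ->
            invoke("TestEJB", null, () -> { }));
    }
}
```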