geronimo-user mailing list archives

From David Jencks <david_jen...@yahoo.com>
Subject Re: Message-Driven Beans with run-as Subject
Date Mon, 19 Feb 2007 18:50:24 GMT
It looks to me as if the mdb interceptor stack is missing the  
EJBRunAsInterceptor which would mean that run-as wouldn't work.  I'm  
also not seeing how any Subject such as the default subject is set  
for an mdb call.  So I think there's a bug (would rather check the  
spec to make sure it's supposed to work before definitely declaring a  
bug).  Since you can't import security with an mdb from the inbound  
message I'd think you could get almost the same result by making the  
default subject for the mdb call your run-as subject, and this might  
work, but I can't figure out if or how that's being set.

If you would like to experiment you might compare the ejb containers  
and modify the mdb one to include the EJBRunAsInterceptor at a likely  
spot and see if it works.

thanks
david jencks

On Feb 19, 2007, at 9:10 AM, Aman Nanner/MxI Technologies wrote:

> Hi,
>
> On Geronimo 1.2-beta, I'm running into a problem where a message-driven
> bean that I have is unable to access a stateless session EJB that I have,
> due to method permission restrictions.  This MDB is configured with a
> "run-as" subject in the ejb-jar.xml which is supposed to allow it to access
> this restricted EJB.  I have the MDB configured similar to the following:
>
> ----
>       <message-driven>
>          <display-name>TestMDB</display-name>
>          <ejb-name>TestMDB</ejb-name>
>          <ejb-class>com.acme.ejb.TestMDB</ejb-class>
>          <transaction-type>Bean</transaction-type>
>          <message-destination-type>javax.jms.Topic</message-destination-type>
>          <activation-config>
>             <activation-config-property>
>                <activation-config-property-name>acknowledgeMode</activation-config-property-name>
>                <activation-config-property-value>Auto-acknowledge</activation-config-property-value>
>             </activation-config-property>
>             <activation-config-property>
>                <activation-config-property-name>messageSelector</activation-config-property-name>
>                <activation-config-property-value>JOB_CODE = 'FOO'</activation-config-property-value>
>             </activation-config-property>
>             <activation-config-property>
>                <activation-config-property-name>subscriptionDurability</activation-config-property-name>
>                <activation-config-property-value>NonDurable</activation-config-property-value>
>             </activation-config-property>
>          </activation-config>
>          <ejb-ref>
>             <ejb-ref-name>ejb/common/TestEJB</ejb-ref-name>
>             <ejb-ref-type>Session</ejb-ref-type>
>             <home>com.acme.ejb.TestHome</home>
>             <remote>com.acme.ejb.TestRemote</remote>
>             <ejb-link>TestEJB</ejb-link>
>          </ejb-ref>
>          <security-identity>
>             <run-as>
>                <role-name>TESTROLE</role-name>
>             </run-as>
>          </security-identity>
>       </message-driven>
> ----
>
> Can anybody confirm if the "run-as" functionality for MDBs works as it's
> supposed to in Geronimo 1.2-beta?  Am I supposed to make a further
> configuration to one of the geronimo or openejb descriptors, in addition to
> the ejb-jar.xml?
>
> Through some debugging in Eclipse, I've found that the "run-as" subject
> does get loaded into the MDB Deployment Context as described, but I haven't
> confirmed if it actually gets set as the Subject for the context.
>
> Thanks,
> Aman
>
>
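
An added example, not part of either message and not Geronimo or OpenEJB code: a descriptor check that rules out ejb-jar.xml itself as the cause before the container's run-as handling is investigated. It reports any message-driven bean whose run-as role is not declared as a security-role, or is not granted by a method-permission on a bean it links to. The sample descriptor is constructed; OtherMDB, GUEST and the assembly-descriptor contents are assumptions.

```python
import xml.etree.ElementTree as ET

# Constructed ejb-jar.xml: TestMDB, TestEJB and TESTROLE follow the post;
# OtherMDB, GUEST and the assembly-descriptor are assumptions for the demo.
EJB_JAR = """<ejb-jar><enterprise-beans>
 <message-driven><ejb-name>TestMDB</ejb-name>
  <ejb-ref><ejb-link>TestEJB</ejb-link></ejb-ref>
  <security-identity><run-as><role-name>TESTROLE</role-name></run-as></security-identity>
 </message-driven>
 <message-driven><ejb-name>OtherMDB</ejb-name>
  <ejb-ref><ejb-link>TestEJB</ejb-link></ejb-ref>
  <security-identity><run-as><role-name>GUEST</role-name></run-as></security-identity>
 </message-driven>
</enterprise-beans><assembly-descriptor>
 <security-role><role-name>TESTROLE</role-name></security-role>
 <method-permission><role-name>TESTROLE</role-name>
  <method><ejb-name>TestEJB</ejb-name><method-name>*</method-name></method>
 </method-permission>
</assembly-descriptor></ejb-jar>"""

def audit_run_as(xml_text):
    """Return (mdb, role, problem) tuples for run-as roles the descriptor cannot satisfy."""
    root = ET.fromstring(xml_text)
    for el in root.iter():                      # drop any J2EE namespace prefix
        el.tag = el.tag.rsplit("}", 1)[-1]
    declared = {r.findtext("role-name", "").strip() for r in root.iter("security-role")}
    granted = {}                                # ejb-name -> roles allowed to call it
    for mp in root.iter("method-permission"):
        roles = {r.text.strip() for r in mp.findall("role-name")}
        if mp.find("unchecked") is not None:
            roles.add("*")                      # unchecked: any caller is allowed
        for m in mp.findall("method"):
            granted.setdefault(m.findtext("ejb-name", "").strip(), set()).update(roles)
    findings = []
    for mdb in root.iter("message-driven"):
        name = mdb.findtext("ejb-name", "").strip()
        role = (mdb.findtext("security-identity/run-as/role-name") or "").strip()
        if not role:
            continue                            # no run-as configured, nothing to check
        if role not in declared:
            findings.append((name, role, "role not declared as security-role"))
        for link in mdb.findall("ejb-ref/ejb-link"):
            ok = granted.get(link.text.strip(), set())
            if role not in ok and "*" not in ok:
                findings.append((name, role, "no method-permission on " + link.text.strip()))
    return findings
```

An empty result for a bean means its descriptor is self-consistent, so an access failure at runtime points at how the container applies the run-as subject rather than at ejb-jar.xml.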

