@RunAsPrincipal doesn't work with MDBs on JBoss-EAP

Solution Unverified - Updated -

Environment

  • Red Hat JBoss Enterprise Application Platform (EAP)
    • 5
    • 6
    • 7

Issue

  • In our test project using an MDB with @RunAsPrincipal and checking the caller in the onMessage method, the following always returns null:

    import javax.security.auth.Subject;
    import javax.security.jacc.PolicyContext;

    // PolicyContext.getContext(...) throws the checked javax.security.jacc.PolicyContextException
    Subject caller = (Subject) PolicyContext.getContext("javax.security.auth.Subject.container");
    LOG.info("caller = " + caller); // caller is always null

Resolution

  • Message-driven beans (MDBs) don't have a client-visible identity. They cannot be invoked directly by an application, only by the container, which invokes an MDB when a message arrives at that MDB's destination. Hence there is no authorization in place for MDBs: the container invokes them anonymously.

  • The following code always returns "anonymous" when it is placed inside an MDB:

    import java.security.Principal;

    Principal principal = messageDrivenContext.getCallerPrincipal();
    String name = principal.getName(); // always "anonymous" inside the MDB
  • @RunAs/@RunAsPrincipal has no effect on the MDB's own caller identity; it applies to the session bean that is invoked from inside the MDB's onMessage().

  • What you're seeing is the expected behaviour. The Subject lookup only returns a non-null value when the caller has been authenticated by the container. In this case authentication/authorization isn't applicable to MDBs, because, as mentioned above, the container is the only component that can invoke them.

  • However, if you obtain the principals associated with the Subject inside the session bean called from the MDB, you get the expected results: there @RunAs/@RunAsPrincipal is in effect and the caller principal and Subject reflect the run-as identity.
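The following pair of beans is an added illustration of the behaviour described above; it is not code from the original solution. It assumes a queue named java:/jms/queue/auditQueue (the JMS 2.0 destinationLookup form used on EAP 7), a role auditor, a run-as principal name auditBot, and the default "other" security domain selected with the JBoss-specific org.jboss.ejb3.annotation.SecurityDomain annotation; @RunAsPrincipal also comes from that JBoss package. Inside the MDB, getCallerPrincipal() yields "anonymous" and the JACC Subject is null; inside AuditBean, which only admits the auditor role, the same lookups show the run-as identity.

```java
// File: AuditBean.java (assumed name)
import java.security.Principal;
import java.util.logging.Logger;

import javax.annotation.Resource;
import javax.annotation.security.RolesAllowed;
import javax.ejb.SessionContext;
import javax.ejb.Stateless;
import javax.security.auth.Subject;
import javax.security.jacc.PolicyContext;
import javax.security.jacc.PolicyContextException;

import org.jboss.ejb3.annotation.SecurityDomain;

/** Session bean reached only from the MDB; the run-as identity is visible here. */
@Stateless
@SecurityDomain("other")   // assumption: deployment uses the default "other" domain
@RolesAllowed("auditor")   // assumption: role granted to the MDB via @RunAs
public class AuditBean {
    private static final Logger LOG = Logger.getLogger(AuditBean.class.getName());

    @Resource
    private SessionContext ctx;

    /** Records a message and returns the caller principal's name as seen by this bean. */
    public String record(String payload) {
        Principal caller = ctx.getCallerPrincipal();
        Subject subject = containerSubject();
        // Expected here: caller = auditBot, inRole = true, subject non-null
        LOG.info("session bean caller = " + caller.getName()
                + ", inRole(auditor) = " + ctx.isCallerInRole("auditor")
                + ", subject = " + subject + ", payload = " + payload);
        return caller.getName();
    }

    /** JACC lookup of the container Subject; wraps the checked exception. */
    static Subject containerSubject() {
        try {
            return (Subject) PolicyContext.getContext("javax.security.auth.Subject.container");
        } catch (PolicyContextException e) {
            throw new IllegalStateException("JACC subject lookup failed", e);
        }
    }
}

// File: AuditMdb.java (assumed name)
import java.util.logging.Logger;

import javax.annotation.Resource;
import javax.annotation.security.RunAs;
import javax.ejb.ActivationConfigProperty;
import javax.ejb.EJB;
import javax.ejb.MessageDriven;
import javax.ejb.MessageDrivenContext;
import javax.jms.JMSException;
import javax.jms.Message;
import javax.jms.MessageListener;
import javax.jms.TextMessage;

import org.jboss.ejb3.annotation.RunAsPrincipal;
import org.jboss.ejb3.annotation.SecurityDomain;

/** MDB: no client-visible identity of its own, but its outbound calls run as auditBot/auditor. */
@MessageDriven(activationConfig = {
        @ActivationConfigProperty(propertyName = "destinationLookup",
                                  propertyValue = "java:/jms/queue/auditQueue"),   // assumption
        @ActivationConfigProperty(propertyName = "destinationType",
                                  propertyValue = "javax.jms.Queue") })
@SecurityDomain("other")       // assumption, see above
@RunAs("auditor")              // role in which calls leaving this MDB are made
@RunAsPrincipal("auditBot")    // JBoss-specific: principal name carried on those calls
public class AuditMdb implements MessageListener {
    private static final Logger LOG = Logger.getLogger(AuditMdb.class.getName());

    @Resource
    private MessageDrivenContext mdc;

    @EJB
    private AuditBean auditBean;

    @Override
    public void onMessage(Message message) {
        // Expected here: caller = anonymous, subject = null (container invokes the MDB)
        LOG.info("MDB caller = " + mdc.getCallerPrincipal().getName()
                + ", subject = " + AuditBean.containerSubject());
        try {
            String payload = message instanceof TextMessage
                    ? ((TextMessage) message).getText() : message.toString();
            // The run-as identity takes effect on this call, not inside onMessage itself
            String seenBySessionBean = auditBean.record(payload);
            LOG.info("identity seen by session bean = " + seenBySessionBean); // auditBot
        } catch (JMSException e) {
            throw new IllegalStateException("could not read message body", e);
        }
    }
}
```

Deploy both classes together, send a text message to the assumed queue, and compare the two log lines: the MDB's own line shows "anonymous" and a null Subject, while AuditBean's line shows auditBot with isCallerInRole("auditor") true. Dropping @RunAs from the MDB makes the call to AuditBean fail its @RolesAllowed check, which is the practical way to confirm that the run-as identity applies to the outbound call only.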

This solution is part of Red Hat’s fast-track publication program, providing a huge library of solutions that Red Hat engineers have created while supporting our customers. To give you the knowledge you need the instant it becomes available, these articles may be presented in a raw and unedited form.
