Why does JBoss EAP 6 ignore the @RunAs/@RunAsPrincipal annotations on @Startup/@Singleton beans?
Environment
- Red Hat JBoss Enterprise Application Platform (EAP)
- 6.1.x
- 6.0.x
Issue
Why does JBoss EAP 6 ignore the @RunAs/@RunAsPrincipal annotations on @Startup/@Singleton beans?
Resolution
Update to JBoss EAP 6.2 or later.
The EJB specification does not require these methods to run under the run-as identity; however, support for this has been added in JBoss EAP 6.2.0.
The workaround for JBoss EAP 6.0.x / 6.1.x is to programmatically establish a security context within the Startup bean's methods that are invoking the secured EJB. This can be accomplished using the approaches described in A10 and A23 of the JBoss Security FAQ.
The SecurityClient.setJAAS() approach shown in A10 and the approach described in A23 depend on a "client-login" security-domain existing that is configured to use the ClientLoginModule. Here is what the "client-login" security-domain would look like:
<security-domain name="client-login" cache-type="default">
    <authentication>
        <login-module code="org.jboss.security.ClientLoginModule" flag="required"/>
    </authentication>
</security-domain>
The ClientLoginModule does not verify the user's credentials; it simply creates a security context that carries them. The credentials are verified only when the secured EJB is invoked, by that EJB's own security domain.
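The following is an added example, not code from the Red Hat article or the JBoss Security FAQ, of a @Singleton @Startup bean that establishes its own security context through the "client-login" domain above before calling a secured EJB. It uses the standard JAAS LoginContext API (assumed here to be the A23-style approach); InitializerBean, SecuredService and its initialize() method, and the credentials are hypothetical.

```java
import javax.annotation.PostConstruct;
import javax.ejb.EJB;
import javax.ejb.Singleton;
import javax.ejb.Startup;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.NameCallback;
import javax.security.auth.callback.PasswordCallback;
import javax.security.auth.callback.UnsupportedCallbackException;
import javax.security.auth.login.LoginContext;
import javax.security.auth.login.LoginException;

@Singleton
@Startup
public class InitializerBean { // hypothetical startup bean; @RunAs here is ignored on EAP 6.0.x/6.1.x

    @EJB
    private SecuredService securedService; // hypothetical EJB whose methods carry @RolesAllowed

    @PostConstruct
    public void init() {
        // Placeholder credentials for a technical user; load them from the vault or a property in practice.
        final String user = "startup-user";
        final char[] password = "changeit".toCharArray();

        // Supplies the user name and password to ClientLoginModule, which stores them unverified.
        CallbackHandler handler = new CallbackHandler() {
            public void handle(Callback[] callbacks) throws UnsupportedCallbackException {
                for (Callback cb : callbacks) {
                    if (cb instanceof NameCallback) ((NameCallback) cb).setName(user);
                    else if (cb instanceof PasswordCallback) ((PasswordCallback) cb).setPassword(password);
                    else throw new UnsupportedCallbackException(cb);
                }
            }
        };
        try {
            // "client-login" is the security-domain backed by ClientLoginModule defined above.
            LoginContext lc = new LoginContext("client-login", handler);
            lc.login(); // associates the identity with this thread; nothing is verified yet
            try {
                securedService.initialize(); // credentials are checked here, by the target EJB's security domain
            } finally {
                lc.logout(); // clear the identity so it does not leak to later work on this thread
            }
        } catch (LoginException e) {
            throw new IllegalStateException("Could not establish startup security context", e);
        }
    }
}
```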
Root Cause
