Why does switching users between local ejb calls not work when the call originates from a remote client?
Issue
Why does switching users between local ejb calls not work when the call originates from a remote client? Both ejbs are on the same JBoss instance.
The use case looks like the following:
remote standalone client ---> unsecured ejb3 (switch user here) ---> secured ejb3
I tried to use both approaches outlined in Q10/A10 of the JBoss Security FAQ [1] in order to establish a security context in the unsecured ejb that should be used to invoke the secured ejb. Neither approach worked in my testing.
When the same unsecured ejb is called from a web application (secured or unsecured), then the user switching works correctly.
The ejb security code appears to work differently based on the client type (standalone remote ejb client vs a web application).
I believe this is happening because the org.jboss.as.security.service.SimpleSecurityManager.push method (called by the SecurityContextInterceptor) is checking for an existing RemotingContext and grabbing the security context from there, even though the security context that should be used appears to be getting propagated correctly.
Environment
- JBoss Enterprise Application Platform (EAP) 6.x
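To confirm the hypothesis above, a practitioner would want to see, at each hop, which identity the EJB container reports, which identity the PicketBox security context holds, and whether a RemotingContext is attached to the calling thread. The helper below is an added diagnostic written for this article, not code from Red Hat or from the JBoss Security FAQ; it assumes an EAP 6 deployment with a module dependency on org.jboss.as.security (for RemotingContext) and org.picketbox, and is meant to be invoked from the unsecured ejb3 before and after the user switch and again from inside the secured ejb3.

```java
// Added diagnostic helper (not part of the article): reports the three identity
// sources that matter when SimpleSecurityManager.push decides which context to use.
import javax.annotation.Resource;
import javax.ejb.SessionContext;
import javax.ejb.Stateless;
import org.jboss.as.security.remoting.RemotingContext;   // assumed module dependency
import org.jboss.security.SecurityContext;
import org.jboss.security.SecurityContextAssociation;

@Stateless
public class CallerDiagnostics {

    @Resource
    private SessionContext ctx;

    /**
     * Returns one log line for the given hop label, e.g. "unsecured-before-switch",
     * "unsecured-after-switch" or "secured". Compare the lines from a remote client
     * run against the lines from a web application run: if the container-level
     * caller principal in the secured ejb differs while the PicketBox context is
     * the same, the RemotingContext branch in push() is the likely cause.
     */
    public String describe(String hop) {
        // Identity the EJB container itself reports for this invocation.
        String ejbCaller = ctx.getCallerPrincipal() != null
                ? ctx.getCallerPrincipal().getName() : "none";

        // Identity held in the thread-associated PicketBox security context.
        SecurityContext sc = SecurityContextAssociation.getSecurityContext();
        String contextUser = (sc != null && sc.getUtil().getUserPrincipal() != null)
                ? sc.getUtil().getUserPrincipal().getName() : "none";

        // Whether a remoting connection is attached to this thread; this is the
        // condition the article suspects makes push() ignore the propagated context.
        boolean remotingSet = RemotingContext.isSet();

        return hop + ": ejbCaller=" + ejbCaller
                + " securityContextUser=" + contextUser
                + " remotingContextSet=" + remotingSet;
    }
}
```

Logging the returned line at each hop, for both a remote-client run and a web-application run, gives a side-by-side record that can be attached to a support case instead of a verbal description.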