Details
-
Bug
-
Resolution: Done
-
Major
-
7.1.0.CR1b
Description
When getCallerPrincipal is called from within a timeout callback method, JBoss AS either throws an exception or returns the unauthenticated identity, but with the roles of the principal that scheduled the timer (if any).
Per section 18.2.5.3 of the EJB 3.1 specification this is not correct:
Since a timeout callback method is an internal method of the bean class, it has no client security context. When getCallerPrincipal is called from within a timeout callback method, it returns the container's representation of the unauthenticated identity.
EJBTHREE-1036 seems related.