Details
-
Bug
-
Resolution: Duplicate
-
Major
-
None
-
JBossAS-4.0.0 Final
-
None
-
None
Description
SourceForge Submitter: mpoindexter .
When an EJB (an entity bean in my case) has a security
domain associated with it, calls to the ejbTimeout
method fail with a SecurityException (insufficient method
permissions). It appears the principal is being hardcoded
to null in the TimedObjectInvoker, causing the security
check to fail in the SecurityInterceptor. I have tried
setting the method permissions for ejbTimeout to
unchecked, but these aren't picked up, possibly because
ejbTimeout is not a member of the bean's local
interface. I think there are two possible fixes:
1) Skip security checking for ejbTimeout in the
SecurityInterceptor (don't think this is much of a
solution since calls made to other beans in the
ejbtimeout method will have no principal associated with
them)
2) Store the current principal with the timer when the
timer is created. When the timer triggers, recall this
principal and set the current principal to the creator of
the timer. I think this seems like the correct solution