[JBPAPP-5476] An EJB invocation with runas-identity causes that runas-identity to be used for all invocations of that EJB - JBoss Issue Tracker

XML

Word

Printable

Affects:

Release Notes
Release Notes Text:

Hide
A bug in org.jboss.ejb.plugins.SecurityInterceptor caused problems with setting the runas-identity context method invocation on stateless session EJBs that were not originally runas-deployed.
Invocations used the identity of any authenticated context sent to the EJB, which resulted in invocations being executed as if the EJB was runas-deployed.
The only way to stop this behavior was to restart the server.
SecurityInterceptor now looks at the run-as role of the original EJB, and ensures that runAsRole is available to any calls made by the EJB for declarative security checks.

Show
A bug in org.jboss.ejb.plugins.SecurityInterceptor caused problems with setting the runas-identity context method invocation on stateless session EJBs that were not originally runas-deployed. Invocations used the identity of any authenticated context sent to the EJB, which resulted in invocations being executed as if the EJB was runas-deployed. The only way to stop this behavior was to restart the server. SecurityInterceptor now looks at the run-as role of the original EJB, and ensures that runAsRole is available to any calls made by the EJB for declarative security checks.
Release Notes Docs Status:
Documented as Resolved Issue

Need to backport ~~JBAS-8600~~ to EAP5 branch.

incorporates

JBAS-8600 An EJB invocation with runas-identity causes that runas-identity to be used for all invocations of that EJB