Enterprise Java Development
No caller context
Elevate access
Run-as role-name and identity
security-identity of bean defaults to caller identity
import javax.annotation.security.PermitAll;
import javax.annotation.security.RunAs;
import javax.ejb.EJB;
import javax.ejb.Stateless;

@Stateless
@PermitAll
@RunAs("admin") // class-level: every call this bean makes outbound carries the "admin" role
public class SecurePingClientEJB
implements SecurePingClientRemote, SecurePingClientLocal {
@EJB(lookup="ejb:securePingEAR/securePingEJB/SecurePingEJB!info.ejava.examples.secureping.ejb.SecurePingRemote")
SecurePingRemote securePingServer;
// business methods (e.g., pingAdmin) delegate to securePingServer
}
EJB can discard caller's identity/roles and run-as a specific role
Provide the roleName (e.g., "admin") you wish the method to execute with and *not* the userName (e.g., "admin1") when using the @RunAs annotation.
# jboss-ejb3.xml
<!-- the sec: prefix is bound on the jboss-ejb3.xml root element (assumed: xmlns:sec="urn:security:1.1") -->
<assembly-descriptor>
<sec:security>
<ejb-name>*</ejb-name>
<sec:security-domain>other</sec:security-domain>
<sec:run-as-principal>admin1</sec:run-as-principal>
</sec:security>
</assembly-descriptor>
Specifies specific user-identity to run-as
Vendor-specific
Use jboss-ejb3.xml elements to supply or override the run-as caller identity; otherwise the caller identity seen by the proxied EJB will be blank.
Method invoked as "user1" with role "user"
runAs(userLogin); // test-client helper that logs in as user1 (role "user")
logger.info(securePing.pingAdmin()); // securePing is the SecurePingClientRemote proxy
Method configured to execute with "admin" role
// SecurePingClientEJB carries @RunAs("admin") at the class level (see above);
// javax.annotation.security.RunAs targets types only, so the method inherits it
public String pingAdmin() {
return securePingServer.pingAdmin();
}
Method successfully invokes second EJB method requiring "admin" role
-looking up jndi.name=ejb:securePingClientEAR/securePingClientEJB/SecurePingClientEJB!info.ejava.examples.secureping.ejb.SecurePingClientRemote as user1
-found=Proxy for remote EJB StatelessEJBLocator for "securePingClientEAR/securePingClientEJB/SecurePingClientEJB", view is interface info.ejava.examples.secureping.ejb.SecurePingClientRemote, affinity is None
-login=[user1, password1!], whoAmI=user1
-securePingClient called pingAdmin, principal=user1, isUser=true, isAdmin=false, isInternalRole=false:   <== output from EJB invoked by client
securePing=called pingAdmin, principal=admin1, isUser=false, isAdmin=true, isInternalRole=true   <== output from EJB invoked by @RunAs EJB
user1 is allowed to call a method restricted to admin when the call is proxied through the run-as EJB
the proxy EJB sees the caller as user1 with user1's assigned roles
the proxied EJB sees the caller as admin1 with only the admin role assigned
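To make the identity switch observable, the target EJB can report what the container believes about its caller. This is an added example, not the course's own SecurePingEJB source: it assumes the roles "user", "admin" and "internalRole" implied by the log output, a pingUser method that is not on the slides, and produces status lines of the same shape as the log above.

```java
import javax.annotation.Resource;
import javax.annotation.security.DeclareRoles;
import javax.annotation.security.RolesAllowed;
import javax.ejb.SessionContext;
import javax.ejb.Stateless;

// Target EJB that the @RunAs("admin") proxy above delegates to.
// Role names are assumed from the log output on the slides.
@Stateless
@DeclareRoles({"user", "admin", "internalRole"})
public class SecurePingEJB implements SecurePingRemote {
    @Resource
    private SessionContext ctx;

    // Only callable when the *effective* identity holds "admin". Invoked via the
    // @RunAs("admin") proxy, that identity is the configured run-as principal
    // (admin1), not the original caller (user1) -- exactly what the log shows.
    @RolesAllowed("admin")
    public String pingAdmin() {
        return describeCaller("called pingAdmin");
    }

    // Assumed extra method: reachable by any authenticated user, handy for
    // comparing the direct-call view of the caller against the run-as view.
    @RolesAllowed({"user", "admin"})
    public String pingUser() {
        return describeCaller("called pingUser");
    }

    // Builds a status line like "called pingAdmin, principal=admin1, isUser=false, ...".
    // The container has already substituted the run-as identity by the time this
    // runs, so nothing here can recover the original caller; record user1 in the
    // proxy EJB (where getCallerPrincipal still returns it) if an audit trail is needed.
    private String describeCaller(String prefix) {
        return prefix
            + ", principal=" + ctx.getCallerPrincipal().getName()
            + ", isUser=" + ctx.isCallerInRole("user")
            + ", isAdmin=" + ctx.isCallerInRole("admin")
            + ", isInternalRole=" + ctx.isCallerInRole("internalRole");
    }
}
```

Calling pingAdmin() directly as user1 is rejected by the container (EJBAccessException), while the same call routed through the @RunAs("admin") proxy succeeds and reports principal=admin1.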