WildDev

Reputation: 2367

EJB3 @RunAs annotation and security

The @RunAs annotation allows access to the bean by specifying the role's name only. This implies that any foreign client is able to easily access my bean just by pointing to the role name, isn't it?

I suppose that the caller and the bean are located on different servers.

So what is @RunAs needed for, if it is so easy to falsify the client? Or how do I use this correctly, if I'm wrong?

Upvotes: 1

Views: 1781

Answers (1)

Gas

Reputation: 18020

It is a bit different. See Chapter 9.6 in WebSphere Application Server V7.0 Security Guide for more details and examples.

When a bean calls a method in another bean, the identity of the caller is, by default, propagated to the next. In this way, all EJB methods in the calling chain see the same principal if they were to call the getCallerPrincipal() method.

Occasionally, however, it is desirable for one EJB to call another EJB with a previously defined identity, for instance, one that is a member of a specific role.

The @RunAs annotation defines the role that will be used for delegation. You can still protect the first bean using @RolesAllowed.

This run-as role must be mapped to an actual user from the user registry during application deployment.

Upvotes: 2
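As an added illustration of the answer (example code, not from the question, the answer, or the WebSphere guide), two EJB3 beans: the container checks the authenticated caller against the first bean's @RolesAllowed, and only the call that bean makes outward runs under the @RunAs role. Bean names, role names and method names are assumed.

```java
// AuditLogBean.java
// Back-end bean: the container rejects any caller whose security
// context is not in the "admin" role. A remote client cannot grant
// itself this role; it only holds the principal it authenticated as.
import javax.annotation.Resource;
import javax.annotation.security.RolesAllowed;
import javax.ejb.SessionContext;
import javax.ejb.Stateless;

@Stateless
@RolesAllowed("admin")
public class AuditLogBean {
    @Resource
    private SessionContext ctx;

    public String record(String event) {
        // When reached through OrderBean, getCallerPrincipal() returns the
        // principal the deployer mapped to the "admin" run-as role, not the
        // end user who originally called OrderBean.
        return ctx.getCallerPrincipal().getName() + ": " + event;
    }
}

// OrderBean.java
// Front bean: end users must be in the "user" role to call it. @RunAs does
// not relax that check; it only changes the identity used for the calls
// this bean makes to other beans (delegation).
import javax.annotation.Resource;
import javax.annotation.security.RolesAllowed;
import javax.annotation.security.RunAs;
import javax.ejb.EJB;
import javax.ejb.SessionContext;
import javax.ejb.Stateless;

@Stateless
@RolesAllowed("user")
@RunAs("admin")
public class OrderBean {
    @EJB
    private AuditLogBean audit;
    @Resource
    private SessionContext ctx;

    public String placeOrder(String item) {
        // Here getCallerPrincipal() is still the authenticated end user.
        String who = ctx.getCallerPrincipal().getName();
        // This outbound call carries the "admin" run-as identity, so the
        // user can write an audit entry without being an admin themselves.
        return audit.record("order by " + who + " for " + item);
    }
}
```

The deployment descriptor (or the server's deployment tooling, as the answer notes for WebSphere) must map the "admin" run-as role to a real user in the registry; without that mapping the outbound call has no principal to run as.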
