I created a patch for Bug 558362 (sfsb loses security
on passivate). This patch resolves the following issues
for Stateful Session Beans:
1. The security identity was lost when accessing
another EJB from ejbPassivate() (Bug 558362).
2. A java.lang.IllegalStateException was thrown when
calling SessionContext.getCallerPrincipal() in
3. RunAs Security identity did not work when calling
another EJB from ejbActivate(), ejbPassivate(),
afterBegin() or beforeCompletion().
According to the EJB 2.0 Specification, Table 2 (Page
80), it's legal to access another EJB from
ejbActivate(), ejbPassivate(), afterBegin() or
beforeCompletion(). Therefore, IMHO, the security
identity should be propagated correctly to the called
bean. The spec also allows calling getCallerPrincipal()
on the SessionContext object in ejbActivate().
This is my first contribution to JBoss and I'm
anything but an expert on the architecture of
JBoss. Therefore, this patch might not be the perfect
solution. I hope that it will at least help anyone else
to find the perfect solution.
To achieve the correct behaviour for the ejbPassivate()
method, I saw no other possibility than to save the
client credential on the stateful session bean's
context. The client credential is required for the
method permission checks on EJB calls and the
ejbPassivate() method is not called as a result of a
client call. Therefore, the credential must be saved
between method calls.
Here is a short description of the changes I made:
- credential attribute added
- runAs role set for passivation and activation
- correct principal and credential set before passivating
- principal and credential saved to the context on
- runAs role set for afterBegin() and beforeCompletion()
- credential saved to the context on invocation (in
addition to the principal)
As this is my first contribution to JBoss, please tell
me if I made any mistakes.