About Question enthuware.oce-ejbd.v6.2.533 :


dfigueira
Posts: 21
Joined: Thu May 05, 2016 2:50 am

About Question enthuware.oce-ejbd.v6.2.533 :

Post by dfigueira »

Hi,

I'm not clear about the sentence:

"If the security identity has not been established getCallerPrincipal() will return a non-null principal that corresponds to container’s representation of the unauthenticated identity."

But as the specification describes, the getCallerPrincipal() corresponds to the caller principal and not the run-as principal, if any, so the MDB caller will be the container and the caller would be something like "ANONYMOUS" or not-null.

I am not sure if the security identity can, in fact, be established for an MDB call.

Regards,
DF

admin
Site Admin
Posts: 10036
Joined: Fri Sep 10, 2010 9:26 pm

Re: About Question enthuware.oce-ejbd.v6.2.533 :

Post by admin »

Can you tell me where the specification says what you have quoted, "But as the specification describes, the getCallerPrincipal() corresponds to the caller principal and not the run-as principal, if any, so the MDB caller will be the container and the caller would be something as "ANONYMOUS" or not-null."

The statement given in the explanation is not talking about the run-as principal either. It is talking about whatever principal corresponds to "container’s representation of the unauthenticated identity", which could be anonymous as well. It depends on the container.

HTH,
Paul.
If you like our products and services, please help us by posting your review here.

dfigueira
Posts: 21
Joined: Thu May 05, 2016 2:50 am

Re: About Question enthuware.oce-ejbd.v6.2.533 :

Post by dfigueira »

Section 17.2.5.1 from the spec.

"Note that getCallerPrincipal returns the principal that represents the caller of the enterprise bean, not the principal that corresponds to the run-as security identity for the bean, if any."

Anyway, regarding your answer, there is no security identity to be established for an MDB because they are called from the container, is that true?

Regards,
DF

admin
Site Admin
Posts: 10036
Joined: Fri Sep 10, 2010 9:26 pm

Re: About Question enthuware.oce-ejbd.v6.2.533 :

Post by admin »

No, as per Section 5.4.13:
A caller principal may propagate into a message-driven bean’s message listener methods. Whether this occurs is a function of the specific message-listener interface and associated messaging provider, but is not governed by this specification.
The Bean Provider can use the @RunAs metadata annotation (or corresponding deployment descriptor element) to define a run-as identity for the enterprise bean. The run-as identity applies to the bean’s message listener methods and timeout methods.
Thus, getCallerPrincipal will not return null, but whatever it returns depends on how the container implements this feature.

Hope this is clear.

dfigueira
Posts: 21
Joined: Thu May 05, 2016 2:50 am

Re: About Question enthuware.oce-ejbd.v6.2.533 :

Post by dfigueira »

What you transcribed from the spec is clear, but it is not in accordance with your justification in the question:
A caller principal may propagate into a message-driven bean’s message listener methods. Whether this occurs is a function of the specific message-listener interface and associated messaging provider, but is not governed by this specification.
It is possible for some JMS provider implementations, but it is not governed by this specification and is not even a requirement.
The Bean Provider can use the @RunAs metadata annotation (or corresponding deployment descriptor element) to define a run-as identity for the enterprise bean. The run-as identity applies to the bean’s message listener methods and timeout methods.
The Bean Provider can set roles for the MDB methods to call other methods.
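To make the two spec passages discussed in this thread concrete (5.4.13 on what getCallerPrincipal() returns inside an MDB, and 17.2.5.1 on the caller principal versus the run-as identity), here is an added example written for this thread. It is not code from Enthuware, the EJB specification, or any of the posters. The bean names OrderListener and AuditService, the queue name jms/OrderQueue and the role name "auditor" are all assumptions; the two classes are shown in one listing but would live in separate files.

```java
// File: AuditService.java  (added example; the "auditor" role name is an assumption)
package example.security;

import javax.annotation.Resource;
import javax.annotation.security.RolesAllowed;
import javax.ejb.SessionContext;
import javax.ejb.Stateless;
import java.security.Principal;
import java.util.logging.Logger;

/** Session bean whose business method is restricted to the "auditor" role. */
@Stateless
@RolesAllowed("auditor")
public class AuditService {

    private static final Logger LOG = Logger.getLogger(AuditService.class.getName());

    @Resource
    private SessionContext ctx;

    public void record(String event) {
        // The MDB below runs as "auditor", so the caller principal seen HERE is the one the
        // container maps to that run-as role (17.2.5.1: caller principal of THIS call),
        // not the unauthenticated principal the MDB itself observed.
        Principal caller = ctx.getCallerPrincipal();
        LOG.info("audit record by " + caller.getName() + ": " + event);
    }
}

// File: OrderListener.java  (added example; queue name is an assumption)
package example.security;

import javax.annotation.Resource;
import javax.annotation.security.RunAs;
import javax.ejb.ActivationConfigProperty;
import javax.ejb.EJB;
import javax.ejb.EJBException;
import javax.ejb.MessageDriven;
import javax.ejb.MessageDrivenContext;
import javax.jms.JMSException;
import javax.jms.Message;
import javax.jms.MessageListener;
import javax.jms.TextMessage;
import java.security.Principal;
import java.util.logging.Logger;

@MessageDriven(activationConfig = {
    @ActivationConfigProperty(propertyName = "destinationType", propertyValue = "javax.jms.Queue"),
    @ActivationConfigProperty(propertyName = "destination", propertyValue = "jms/OrderQueue")
})
// Run-as identity for calls THIS bean makes; it does not alter what getCallerPrincipal()
// returns inside onMessage (17.2.5.1).
@RunAs("auditor")
public class OrderListener implements MessageListener {

    private static final Logger LOG = Logger.getLogger(OrderListener.class.getName());

    @Resource
    private MessageDrivenContext mdc;

    @EJB
    private AuditService audit;

    @Override
    public void onMessage(Message message) {
        // 5.4.13: whether a caller principal propagates into onMessage depends on the
        // messaging provider. When nothing propagated, getCallerPrincipal() still returns
        // a non-null principal: the container's representation of the unauthenticated
        // identity, whose name is container-specific (e.g. some form of "anonymous").
        Principal caller = mdc.getCallerPrincipal();
        LOG.info("onMessage invoked; caller principal = " + caller.getName());

        // Defensive note: never base an authorization decision on that principal's NAME;
        // it differs between containers. Use roles (@RolesAllowed / isCallerInRole).
        try {
            String body = (message instanceof TextMessage)
                    ? ((TextMessage) message).getText()
                    : message.getJMSMessageID();
            // This call executes under the run-as identity "auditor", so the
            // @RolesAllowed("auditor") check on AuditService.record passes.
            audit.record("order message processed: " + body);
        } catch (JMSException e) {
            // Container-managed transaction: mark for rollback and let the container redeliver.
            mdc.setRollbackOnly();
            throw new EJBException(e);
        }
    }
}
```

The mapping from the run-as role "auditor" to an actual principal is done in the container's vendor-specific deployment descriptor, not in the EJB specification, which is why the principal name logged in AuditService.record (and the unauthenticated principal name logged in onMessage) varies from one application server to another.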

admin
Site Admin
Posts: 10036
Joined: Fri Sep 10, 2010 9:26 pm

Re: About Question enthuware.oce-ejbd.v6.2.533 :

Post by admin »

I am not sure where "RunAs" is getting into the picture here. The sentence that you quoted in your first post, "If the security identity has not been established getCallerPrincipal() will return a non-null principal that corresponds to container’s representation of the unauthenticated identity.", is correct. This sentence is not talking about RunAs. It is talking about "container’s representation of the unauthenticated identity". So I am not sure why you think it is incorrect or not clear.

HTH,
Paul.