Enthuware

Could you please clarify this for me? The provided answer states that "the caller's identity propagates to the target bean". We can, on the other hand, specify @RunAs, and then the container will supply another principal as the target bean's caller.

Do you mean to say that even when running under @RunAs, the target bean can obtain the caller's "true" identity?

If you specify @RunAs, then caller identity becomes the one specified in RunAs, which is what is passed on to the target bean.

But I think it should be made clear in the question to avoid this confusion.

thank you for your feedback!

I am looking forward to the new phrasing.

Just want to check my understanding: suppose we have a user WebUser calling the bean method WebBean.doIt(), which in its turn calls BackBean.doItYourself(). If BackBean is marked with @RunAs("BackUser"), it will receive BackUser as its principal. And from within WebBean.doIt() I don't even have an easy way to find out the name of BackUser, nor can I find the name of WebUser from inside BackBean. Is this correct? Doesn't sound like "propagation" to me.

Guest wrote:I am looking forward to the new phrasing.

Just want to check my understanding: suppose we have a user WebUser calling the bean method WebBean.doIt(), which in its turn calls BackBean.doItYourself(). If BackBean is marked with @RunAs("BackUser"), it will receive BackUser as its principal. And from within WebBean.doIt() I don't even have an easy way to find out the name of BackUser, nor can I find the name of WebUser from inside BackBean. Is this correct? Doesn't sound like "propagation" to me.

No, BackBean receives original user but it runs as BackUser, so if BankBean calls another BackBackBean, then BackBackBean will receive BackUser instead of the original user.

Propagation of the original caller role is the default behavior. If you want to override it, the specification allows you to do that using @RunAs.

HTH,
Paul.