JBoss.org Community Documentation
An EJB can specify what identity it should use when it invokes methods on other components, using the security-identity element shown in Figure 8.2, "The security-identity element". The invocation identity can be that of the current caller, or it can be a specific role. The application assembler uses the security-identity element with a use-caller-identity child element to indicate that the current caller's identity should be propagated as the security identity for method invocations made by the EJB. Propagation of the caller's identity is the default used in the absence of an explicit security-identity element declaration.
Alternatively, the application assembler can use the run-as/role-name child element to specify that a specific security role, given by the role-name value, should be used as the security identity for method invocations made by the EJB. Note that this does not change the caller's identity as seen by the EJBContext.getCallerPrincipal() method. Rather, the caller's security roles are set to the single role specified by the run-as/role-name element value.

One use case for the run-as element is to prevent external clients from accessing internal EJBs. You accomplish this by assigning the internal EJB method-permission elements that restrict access to a role never assigned to an external client. EJBs that need to use the internal EJB are then configured with a run-as/role-name equal to the restricted role. The following descriptor fragment illustrates security-identity element usage.
<!-- A sample ejb-jar.xml fragment -->
<ejb-jar>
  <enterprise-beans>
    <session>
      <ejb-name>ASessionBean</ejb-name>
      <!-- ... -->
      <security-identity>
        <use-caller-identity/>
      </security-identity>
    </session>
    <session>
      <ejb-name>RunAsBean</ejb-name>
      <!-- ... -->
      <security-identity>
        <run-as>
          <description>A private internal role</description>
          <role-name>InternalRole</role-name>
        </run-as>
      </security-identity>
    </session>
  </enterprise-beans>
  <!-- ... -->
</ejb-jar>
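As an added example that is not part of the original page, the following ejb-jar.xml fragment puts the use case above together: the internal bean's method-permission is restricted to InternalRole, and the facade bean reaches it by running as that role. The bean names PublicFacadeBean and InternalBean and the role ExternalUser are assumed; InternalRole is the role from the page's own fragment.

```xml
<!-- Added example, not from the page: PublicFacadeBean, InternalBean and
     ExternalUser are assumed names; InternalRole comes from the page. -->
<ejb-jar>
  <enterprise-beans>
    <session>
      <ejb-name>PublicFacadeBean</ejb-name>
      <!-- ... -->
      <!-- Outgoing calls from this bean carry InternalRole, not the
           caller's roles; getCallerPrincipal() still returns the caller. -->
      <security-identity>
        <run-as>
          <role-name>InternalRole</role-name>
        </run-as>
      </security-identity>
    </session>
    <session>
      <ejb-name>InternalBean</ejb-name>
      <!-- ... -->
      <security-identity>
        <use-caller-identity/>
      </security-identity>
    </session>
  </enterprise-beans>
  <assembly-descriptor>
    <security-role>
      <role-name>ExternalUser</role-name>
    </security-role>
    <security-role>
      <role-name>InternalRole</role-name>
    </security-role>
    <!-- External clients (mapped to ExternalUser) may call the facade -->
    <method-permission>
      <role-name>ExternalUser</role-name>
      <method>
        <ejb-name>PublicFacadeBean</ejb-name>
        <method-name>*</method-name>
      </method>
    </method-permission>
    <!-- Only InternalRole may call InternalBean; as long as no login module
         maps an external client to InternalRole, only run-as beans reach it -->
    <method-permission>
      <role-name>InternalRole</role-name>
      <method>
        <ejb-name>InternalBean</ejb-name>
        <method-name>*</method-name>
      </method>
    </method-permission>
  </assembly-descriptor>
</ejb-jar>
```

Without a run-as-principal entry for PublicFacadeBean in jboss.xml, InternalBean sees the principal anonymous on these calls, as the text below describes.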
When you use run-as to assign a specific role to outgoing calls, JBoss associates a principal named anonymous. If you want another principal to be associated with the call, you need to associate a run-as-principal with the bean in the jboss.xml file. The following fragment associates a principal named internal with RunAsBean from the prior example.
<session>
  <ejb-name>RunAsBean</ejb-name>
  <security-identity>
    <run-as-principal>internal</run-as-principal>
  </security-identity>
</session>
The run-as element is also available in servlet definitions in a web.xml file. The following example shows how to assign the role InternalRole to a servlet:
<servlet>
  <servlet-name>AServlet</servlet-name>
  <!-- ... -->
  <run-as>
    <role-name>InternalRole</role-name>
  </run-as>
</servlet>
Calls from this servlet will be associated with the anonymous principal. The run-as-principal element is available in the jboss-web.xml file to assign a specific principal to go along with the run-as role. The following fragment shows how to associate a principal named internal with the servlet in the prior example.
<servlet>
  <servlet-name>AServlet</servlet-name>
  <run-as-principal>internal</run-as-principal>
</servlet>