I have an anonymous WebService EJB; web service calls are working properly.
Now I want the web service to RunAs a specific security role.
On the web service I have the following annotations:

```java
import javax.annotation.security.DeclareRoles;
import javax.annotation.security.RunAs;
import javax.ejb.Stateless;
import javax.jws.WebService;
import org.jboss.ejb3.annotation.SecurityDomain;

@Stateless
@WebService
@DeclareRoles({ "LoggedUser" })
@SecurityDomain("my-jboss-real")
@RunAs("LoggedUser")
public class MyWebService { ... }
```
Now, when I access an @EJB with @RolesAllowed({"LoggedUser"}) from a web service method, I get:

```
ERROR [org.jboss.aspects.tx.TxPolicy] javax.ejb.EJBTransactionRolledbackException: javax.ejb.EJBAccessException.message: 'Caller unauthorized'
WARN [org.jboss.ejb3.stateless.StatelessBeanContext] EJBTHREE-1337: do not get WebServiceContext property from stateless bean context, it should already have been injected
ERROR [org.jboss.ws.core.jaxws.SOAPFaultHelperJAXWS] SOAP request exception
javax.ejb.EJBTransactionRolledbackException: javax.ejb.EJBAccessException.message: 'Caller unauthorized'
at org.jboss.ejb3.tx.Ejb3TxPolicy.handleInCallerTx(Ejb3TxPolicy.java:115)
```
I'm running on JBoss 5.1 GA.
Is this the right use of @RunAs, or is there another way to do this?
Edit: I added the following:

```java
import javax.annotation.Resource;
import javax.ejb.EJBContext;
import javax.xml.ws.WebServiceContext;

// inside MyWebService:
@Resource
private WebServiceContext wsCtx;
@Resource
private EJBContext ejbCtx;

public void myWebServiceMethod() {
    // ...
    System.out.println("EJBCtx: " + ejbCtx.getCallerPrincipal());
    System.out.println("EJBCtx: " + ejbCtx.isCallerInRole("LoggedUser"));
    System.out.println("WebContext: " + wsCtx.getUserPrincipal());
    System.out.println("WebContext: " + wsCtx.isUserInRole("LoggedUser"));
    // ...
}
```
This outputs:

```
EBJCtx: anonymous
EJBCtx: false
WebContext: anonymous
WebContext: false
```
JBoss AS 5 and especially 6 are very buggy with regard to the security context and @RunAs in anything but the most basic use cases. A large number of those bugs have been fixed in AS 7. You could try to set up a test case there and see if you run into the same issue.

Do realize that @RunAs does not apply to the code that runs in the bean on which the annotation is applied. Instead, it only applies to beans that are called *from* that bean. You could think of it as the "outgoing/outbound" role.

More troublesome is that Java EE has a serious omission, namely that there is no way to also define a RunAs identity. Some servers don't react well when you define a RunAs role for the "unauthenticated" identity. JBoss has a proprietary annotation for the RunAs identity. You might want to try whether this takes you a step further.
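The following is an added illustration of the outbound-only behaviour described in the answer above; it is example code written for this page, not code from the question or from JBoss. It pairs a @RunAs facade with a @RolesAllowed target so both sides report what the container thinks about the caller: inside the facade, isCallerInRole("LoggedUser") is still false for an anonymous SOAP caller, while the target, reached through the facade, sees the run-as role. The class names, the principal name "webservice-runner" and the JBoss-specific @RunAsPrincipal annotation (assumed to live in org.jboss.ejb3.annotation, next to @SecurityDomain) are assumptions of this example; the security domain string is taken from the question. Each public class belongs in its own source file.

```java
import javax.annotation.Resource;
import javax.annotation.security.DeclareRoles;
import javax.annotation.security.PermitAll;
import javax.annotation.security.RolesAllowed;
import javax.annotation.security.RunAs;
import javax.ejb.EJB;
import javax.ejb.EJBContext;
import javax.ejb.Stateless;
import javax.jws.WebMethod;
import javax.jws.WebService;

// JBoss-proprietary annotations from jboss-ejb3-ext-api (package assumed).
import org.jboss.ejb3.annotation.RunAsPrincipal;
import org.jboss.ejb3.annotation.SecurityDomain;

/**
 * Protected target bean (example, not from the question).
 * Only callers in role "LoggedUser" may invoke describeCaller(); the
 * method reports the caller identity the container hands it, which
 * is where the facade's @RunAs should become visible.
 */
@Stateless
@SecurityDomain("my-jboss-real")          // same domain as the facade
public class ProtectedBean {

    @Resource
    private EJBContext ctx;

    @RolesAllowed("LoggedUser")
    public String describeCaller() {
        // If the upstream @RunAs is honoured, this line is reached at all
        // and isCallerInRole("LoggedUser") evaluates to true here.
        return "principal=" + ctx.getCallerPrincipal().getName()
             + " inRole=" + ctx.isCallerInRole("LoggedUser");
    }
}

/**
 * Web service facade (example, not from the question). It is callable
 * anonymously (@PermitAll) but calls ProtectedBean as "LoggedUser".
 */
@Stateless
@WebService
@DeclareRoles({ "LoggedUser" })
@SecurityDomain("my-jboss-real")
@RunAs("LoggedUser")
@RunAsPrincipal("webservice-runner")      // assumed name for the run-as identity
public class RunAsFacade {

    @Resource
    private EJBContext ctx;

    @EJB
    private ProtectedBean target;

    @WebMethod
    @PermitAll
    public String check() {
        // Inbound view: @RunAs does NOT change who this bean sees as its
        // caller, so for an anonymous SOAP request inRole is false here.
        String here = "facade sees principal=" + ctx.getCallerPrincipal().getName()
                    + " inRole=" + ctx.isCallerInRole("LoggedUser");

        // Outbound view: this call is made with the run-as role, so the
        // @RolesAllowed check on the target passes and the target reports
        // inRole=true. If the container ignores @RunAs, this throws
        // EJBAccessException ("Caller unauthorized") instead.
        String there = "target sees " + target.describeCaller();

        return here + "; " + there;
    }
}
```

Deploying this pair and invoking check() anonymously gives a quick way to separate the two questions hidden in the original report: a false from the facade's own isCallerInRole is expected and not a bug, whereas an EJBAccessException from the target means the run-as role was not propagated on the outbound call.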