diff --git a/ejb3/src/main/java/org/jboss/as/ejb3/component/EJBComponent.java b/ejb3/src/main/java/org/jboss/as/ejb3/component/EJBComponent.java
index 839ba3473fb8..ba94eaf64d2f 100644
--- a/ejb3/src/main/java/org/jboss/as/ejb3/component/EJBComponent.java
+++ b/ejb3/src/main/java/org/jboss/as/ejb3/component/EJBComponent.java
@@ -122,6 +122,7 @@ public Principal run() {
     };
 
     private final SecurityDomain securityDomain;
+    private SecurityIdentity incomingRunAsIdentity;
 
     /**
      * Construct a new instance.
@@ -175,6 +176,7 @@ protected EJBComponent(final EJBComponentCreateService ejbComponentCreateService
         this.exceptionLoggingEnabled = ejbComponentCreateService.getExceptionLoggingEnabled();
 
         this.securityDomain = ejbComponentCreateService.getSecurityDomain();
+        this.incomingRunAsIdentity = null;
     }
 
     protected T createViewInstanceProxy(final Class viewInterface, final Map contextData) {
@@ -259,7 +261,7 @@ public ApplicationExceptionDetails getApplicationException(Class exceptionCla
 
     public Principal getCallerPrincipal() {
         if (isSecurityDomainKnown()) {
-            return securityDomain.getCurrentSecurityIdentity().getPrincipal();
+            return (incomingRunAsIdentity == null) ? securityDomain.getCurrentSecurityIdentity().getPrincipal() : incomingRunAsIdentity.getPrincipal();
         } else if (WildFlySecurityManager.isChecking()) {
             return WildFlySecurityManager.doUnchecked(getCaller);
         } else {
@@ -267,6 +269,14 @@ public Principal getCallerPrincipal() {
         }
     }
 
+    public SecurityIdentity getIncomingRunAsIdentity() {
+        return incomingRunAsIdentity;
+    }
+
+    public void setIncomingRunAsIdentity(SecurityIdentity identity) {
+        this.incomingRunAsIdentity = identity;
+    }
+
     protected TransactionAttributeType getCurrentTransactionAttribute() {
         final InterceptorContext invocation = CurrentInvocationContext.get();
 
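Review bot: `incomingRunAsIdentity` (the `@@ -122` hunk) is a plain, non-volatile instance field holding per-invocation state: `RunAsPrincipalInterceptor` writes it on the object it obtains from `context.getPrivateData(Component.class)`, which appears to be the bean's single shared `EJBComponent` rather than anything scoped to the invocation, and restores it in a `finally`. Two concurrent invocations of the same run-as bean therefore overwrite each other's value, so `getCallerPrincipal()` (the `@@ -259` hunk) and `isCallerInRole()` (the `@@ -404` hunk in the same file) can evaluate a principal or role set belonging to a different caller, and the `finally` restore of one invocation can clobber the value a later invocation just installed; without `volatile` or a lock the write is not even guaranteed to be visible to the thread that reads it. The state should be thread-confined or carried on the invocation context instead of the component, e.g. `private final ThreadLocal<SecurityIdentity> incomingRunAsIdentity = new ThreadLocal<>();` with the getter returning `incomingRunAsIdentity.get()` and the setter doing `if (identity == null) incomingRunAsIdentity.remove(); else incomingRunAsIdentity.set(identity);`, which keeps the interceptor's save/restore pattern unchanged. The `this.incomingRunAsIdentity = null;` assignment in the constructor (the `@@ -175` hunk) is redundant with either representation and can be dropped.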
@@ -404,7 +414,7 @@ public boolean isBeanManagedTransaction() {
 
     public boolean isCallerInRole(final String roleName) throws IllegalStateException {
         if (isSecurityDomainKnown()) {
-            final SecurityIdentity identity = securityDomain.getCurrentSecurityIdentity();
+            final SecurityIdentity identity = (incomingRunAsIdentity == null) ? securityDomain.getCurrentSecurityIdentity() : incomingRunAsIdentity;
             return "**".equals(roleName) ? ! (identity.getPrincipal() instanceof AnonymousPrincipal) : identity.getRoles("ejb", true).contains(roleName);
         } else if (WildFlySecurityManager.isChecking()) {
             return WildFlySecurityManager.doUnchecked(new PrivilegedAction() {
diff --git a/ejb3/src/main/java/org/jboss/as/ejb3/security/RunAsPrincipalInterceptor.java b/ejb3/src/main/java/org/jboss/as/ejb3/security/RunAsPrincipalInterceptor.java
index 657d96d22987..4cb0f94297f9 100644
--- a/ejb3/src/main/java/org/jboss/as/ejb3/security/RunAsPrincipalInterceptor.java
+++ b/ejb3/src/main/java/org/jboss/as/ejb3/security/RunAsPrincipalInterceptor.java
@@ -22,6 +22,9 @@
 
 package org.jboss.as.ejb3.security;
 
+import org.jboss.as.ee.component.Component;
+import org.jboss.as.ejb3.component.EJBComponent;
+import org.jboss.as.ejb3.logging.EjbLogger;
 import org.jboss.invocation.Interceptor;
 import org.jboss.invocation.InterceptorContext;
 import org.wildfly.common.Assert;
@@ -39,9 +42,23 @@ public RunAsPrincipalInterceptor(final String runAsPrincipal) {
     }
 
     public Object processInvocation(final InterceptorContext context) throws Exception {
+        final Component component = context.getPrivateData(Component.class);
+        if (component instanceof EJBComponent == false) {
+            throw EjbLogger.ROOT_LOGGER.unexpectedComponent(component, EJBComponent.class);
+        }
+        final EJBComponent ejbComponent = (EJBComponent) component;
+
+        // Set the incomingRunAsIdentity before switching users
         final SecurityDomain securityDomain = context.getPrivateData(SecurityDomain.class);
         Assert.checkNotNullParam("securityDomain", securityDomain);
-        final SecurityIdentity newIdentity = securityDomain.getCurrentSecurityIdentity().createRunAsIdentity(runAsPrincipal);
-        return newIdentity.runAs(context);
+        final SecurityIdentity currentIdentity = securityDomain.getCurrentSecurityIdentity();
+        final SecurityIdentity oldIncomingRunAsIdentity = ejbComponent.getIncomingRunAsIdentity();
+        try {
+            final SecurityIdentity newIdentity = currentIdentity.createRunAsIdentity(runAsPrincipal);
+            ejbComponent.setIncomingRunAsIdentity(currentIdentity);
+            return newIdentity.runAs(context);
+        } finally {
+            ejbComponent.setIncomingRunAsIdentity(oldIncomingRunAsIdentity);
+        }
     }
 }
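Review bot: The guard `if (component instanceof EJBComponent == false)` is the non-idiomatic spelling of `if (!(component instanceof EJBComponent))`; it also covers a null `component` from `getPrivateData`, which is worth a word since `unexpectedComponent(null, EJBComponent.class)` is then the error the caller sees. The comment `// Set the incomingRunAsIdentity before switching users` states what the following lines do but not why the component needs it; presumably the intent is that `getCallerPrincipal()`/`isCallerInRole()` inside the run-as bean still answer for the original caller rather than the run-as principal, so I would write `// Remember the caller's identity on the component before switching to the run-as identity, so getCallerPrincipal()/isCallerInRole() in the bean still see the original caller` and confirm that reading against the EJB spec wording. Note that `ejbComponent.setIncomingRunAsIdentity(currentIdentity)` is reached only after `createRunAsIdentity` succeeds, so the `finally` then restores an unchanged value on that failure path, which is harmless but could be made explicit by moving the `set` call before the `try`.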