@RunAs注释在Servlet上的使用

Question

I have a simple question about @RunAs.

Besides an EJB, can I use @RunAs on a Servlet to propagate security role? for example as:

I have a public servlet:

@WebServlet(name = "RunAsServlet", urlPatterns = "/runAs")
@RunAs("Admin")
public class RunAsServlet extends HttpServlet {

@EJB
private MyEjb ejb;

@Override
protected void doGet(HttpServletRequest req, HttpServletResponse resp) throws ServletException, IOException {
    resp.getWriter().write(ejb.doSomething());
    }
}

And the an EJB is protected under role "Admin":

@Stateless
@RolesAllowed("Admin")
public class MyEjb {

@Resource
private SessionContext sessionContext;

public String doSomething() {

In this case, I should be able to call the RunAsServlet since the @RunAs is on it, it shall have the proper role "Admin" to call the EJB protected method from web request, Am I right about this example? Or I need other more configuration?

Thanks,

Answer 1

You need to map specific user to the roleOnServlet role and this user must be also in Admin role. Either it is a typo or you have 2 different roles roleOnServlet != Admin . Usually one use the same role name in servlet as in EJB that must be called. As in your case although servlet will be running as user in roleOnServlet role, he doesn't necessary have to be in the Admin role at the same time, which will lead to error.

@RunAs is not changing the current user to have that role, but is using separate user, which must be one of the users mapped to the roleOnServlet role.

Mapping of the user to runAs role is container specific, so if you need help in that, add information what server are you using.