users@glassfish.java.net

Re: RunAs on servlet being ignored

From: Bobby Bissett - Javasoft <Robert.Bissett_at_Sun.COM>
Date: Wed, 25 Apr 2007 16:31:20 -0400

> Thanks Bobby - the web security constraint was really just to test that
> I could authenticate as one of the users in the new realm (which works
> as expected), whereas the intent of the RunAs annotation in the
> InitServlet is to run as a 'system role' when the EAR is started to
> initialize some services using an EJB call (which I don't want anyone
> else to be calling interactively), so I'd prefer no user interaction
> there...

Ok, in that case you can simplify further, though maybe you started with
a simple case and added the rest just to manually log into the server to
test. I tried a small test and @RunAs is working fine for me. I can send
the full example to you if you'd like, but this is everything related to
the security part:

TestServlet.java, imports deleted for readability:

@RunAs("ejbuser")
public class TestServlet extends HttpServlet {

     @EJB
     private TestEjbLocal testEjbBean;

     public void doGet(HttpServletRequest request, HttpServletResponse response)
         throws ServletException, IOException {

         response.setContentType("text/html;charset=UTF-8");
         PrintWriter out = response.getWriter();
         out.println("Message from the ejb:<br>");
         out.println(testEjbBean.getMessage());
         out.println("</u>");
         out.close();
     }

}

TestEjbBean, also sans imports:

@Stateless
public class TestEjbBean implements com.example.ejb.TestEjbLocal {

     @RolesAllowed("ejbuser")
     public String getMessage() {
         return "Hi there from ejb";
     }

}

And sun-application.xml has this in it:
   <security-role-mapping>
       <role-name>ejbuser</role-name>
       <principal-name>nosuchuser</principal-name>
   </security-role-mapping>

And those are the only places that "ejbuser" is referenced in the example.
Maybe you can see what is different in your case from this one. From the
use case you're describing, I'm thinking now that you're trying to call
the bean method in the servlet init() method rather than in one of the
service methods. Is that correct? If so, I'm not sure whether or not
RunAs is supposed to work during init(). I'd have to look that up.

Cheers,
Bobby
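
A consistency check over the three pieces in the message above, as an added Python example that is not part of the original message: it confirms that every @RunAs role is named by some @RolesAllowed and has a principal-name under security-role-mapping. The sample inputs are constructed from the snippets in the message, and the function names are hypothetical.

```python
import re
import xml.etree.ElementTree as ET

# Constructed inputs mirroring the three snippets in the message above.
JAVA_SOURCES = [
    '@RunAs("ejbuser")\npublic class TestServlet extends HttpServlet { }',
    '''public class TestEjbBean implements com.example.ejb.TestEjbLocal {
    @RolesAllowed("ejbuser")
    public String getMessage() { return "Hi there from ejb"; }
}''',
]
SUN_APPLICATION_XML = '''<sun-application>
  <security-role-mapping>
    <role-name>ejbuser</role-name>
    <principal-name>nosuchuser</principal-name>
  </security-role-mapping>
</sun-application>'''

# Matches @RunAs("r"), @RolesAllowed("r") and @RolesAllowed({"a", "b"}).
ANNOTATION = re.compile(r'@(RunAs|RolesAllowed)\s*\(\s*(\{[^}]*\}|"[^"]*")\s*\)')

def annotation_roles(sources):
    """Collect the role names used by each annotation across all sources."""
    found = {"RunAs": set(), "RolesAllowed": set()}
    for src in sources:
        for name, args in ANNOTATION.findall(src):
            found[name].update(re.findall(r'"([^"]*)"', args))
    return found

def mapped_principals(descriptor_xml):
    """Return {role-name: [principal-name, ...]}; only principal-name counts."""
    mapping = {}
    for m in ET.fromstring(descriptor_xml).iter("security-role-mapping"):
        role = (m.findtext("role-name") or "").strip()
        names = [p.text.strip() for p in m.findall("principal-name") if p.text]
        mapping.setdefault(role, []).extend(names)
    return mapping

def check(sources, descriptor_xml):
    """Report @RunAs roles that the EJB side or the descriptor do not know."""
    roles, mapping = annotation_roles(sources), mapped_principals(descriptor_xml)
    problems = []
    for role in sorted(roles["RunAs"]):
        if not mapping.get(role):
            problems.append(f"{role}: no principal-name in security-role-mapping")
        if role not in roles["RolesAllowed"]:
            problems.append(f"{role}: not named by any @RolesAllowed")
    return problems
```

Calling check(JAVA_SOURCES, SUN_APPLICATION_XML) returns an empty list for the configuration shown in the message; a non-empty list names the role where a deployment differs from it.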