users@glassfish.java.net

Re: Need some help with RunAs

From: V B Kumar Jayanti <Vbkumar.Jayanti_at_Sun.COM>
Date: Fri, 21 Sep 2007 11:29:40 +0530

Hi,

glassfish_at_javadesktop.org wrote:

>Well that was easy; I didn't even have to modify my policy file. It does still leave me with the impression that RunAs (from the web container to the ejb container anyway) is broken.
>
>I looked at the spec and it seems that what I want to do should be possible: Create a role which maps to a user, in application.xml, and put a @RunAs on a servlet.
>
>2.7 javax.annotation.security.RunAs
> The RunAs annotation defines the role of the application during execution in a Java
> EE container. It can be specified on a class. This allows developers to execute an
> application under a particular role. The role MUST map to the user / group
> information in the container’s security realm.
>
The last line here says the role Must map to the user/group in the
Container's *Security Realm*. I believe the confusion is in the
interpretation of this line. What you are trying to do is define a
fictitious principal that the container does not know about (via its
realms) and you are mapping that principal to a Role and expecting RunAs
to use that.

IMO a better error message in this case when your Annotation was
apparently ignored is what might be required. We will look into it.
Thanks.