users@glassfish.java.net

Re: Security Identity

From: <forums_at_java.net>
Date: Fri, 18 Mar 2011 08:28:58 -0500 (CDT)

I agree. I took a closer look at the spec, and I found the following (in
Appendix 8).

Clarification: “run-as” identity must apply to all calls from a servlet
including init() and destroy() (12.7)
I can't find any such clarification in the section 12.7 or in the security
chapter, so the clarification may have been
lost, but the appendix clearly notes the intent

imv, if this is not happening under a proper configuration and use of the
@RunAs annotation, then it is a bug in the RI.

please file an issue if you have not done so already, and the security team
should fix this.

Ron

ps: I include the following mostly for others who may come upon this
thread...

please note that when a run-as identity is set by annotation, the annotation
has no effect on methods inherited from a superclass (such as init() and
destroy()) unless those methods are declared (i.e., overridden) in the
servlet implementation class.

--
[Message sent by forum member 'monzillo']
View Post: http://forums.java.net/node/782089
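
An added illustration of the postscript's point, not part of the original message and not GlassFish code: a servlet that declares init() and destroy() itself so that, per the note above, the @RunAs annotation covers them. The class names, the URL pattern, the AuditBean helper and the "batch-admin" role are all hypothetical, and the role is assumed to be mapped to a principal in the server's deployment configuration.

```java
// AuditBean.java (hypothetical bean, used only to observe the caller identity)
import java.util.logging.Logger;
import javax.annotation.Resource;
import javax.annotation.security.RolesAllowed;
import javax.ejb.SessionContext;
import javax.ejb.Stateless;

@Stateless
@RolesAllowed("batch-admin") // constructed role name; calls without it are rejected
public class AuditBean {
    private static final Logger LOG = Logger.getLogger(AuditBean.class.getName());
    @Resource private SessionContext ctx;

    // Logs and returns the principal the container propagated for this call.
    public String record(String phase) {
        String caller = ctx.getCallerPrincipal().getName();
        LOG.info(phase + " invoked as " + caller);
        return caller;
    }
}

// ReportServlet.java (hypothetical servlet)
import java.io.IOException;
import javax.annotation.security.DeclareRoles;
import javax.annotation.security.RunAs;
import javax.ejb.EJB;
import javax.servlet.ServletException;
import javax.servlet.annotation.WebServlet;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

@WebServlet("/report")
@DeclareRoles("batch-admin")
@RunAs("batch-admin")
public class ReportServlet extends HttpServlet {
    @EJB private AuditBean audit;

    // Declared here rather than inherited, so the class-level @RunAs applies.
    @Override public void init() throws ServletException { audit.record("init"); }
    @Override public void destroy() { audit.record("destroy"); }

    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp)
            throws IOException {
        resp.setContentType("text/plain");
        resp.getWriter().println("bean saw caller: " + audit.record("doGet"));
    }
}
```

Comparing the three log lines from AuditBean shows whether the lifecycle calls ran under the same run-as identity as the request path; an access failure in init() or destroy() alone is the symptom discussed in this thread.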