users@glassfish.java.net

Re: Security Identity

From: <forums_at_java.net>
Date: Fri, 18 Mar 2011 18:52:48 -0500 (CDT)

Thanks for pointing this out; it is important to discuss this fully.

Section 17.6.5 Security Methods in EJBContext says that the container must
provide a security context when calling a bean's business methods.

The spec also says that RunAs does not change the context for the bean that
declares RunAs, but it is the Identity it passes in the security context it
passes to other beans that it calls.

So, in the Example App I uploaded with the bug report, the Singleton Startup
Bean's PostConstruct method does not access SecurityContext methods, but
calls another Bean's business methods. The only way to allow this and be
true to the spec would be to create a security context with the Identity
I declared in the Startup Bean's RunAs.

GlassFish does work properly in the case of the Singleton Startup, but not
the Servlet.init.


--
[Message sent by forum member 'joelstewart']
View Post: http://forums.java.net/node/782089
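
The two cases compared in the message above, as an added sketch that is not the example app attached to the bug report: a startup singleton and a load-on-startup servlet both declare `@RunAs` and call a role-protected bean from their initialization callbacks. All class names, the `/init` URL pattern and the `admin` role are hypothetical, and the role is assumed to be mapped to a principal in the server's deployment descriptors.

```java
// --- AuditBean.java (hypothetical callee) ---
import javax.annotation.Resource;
import javax.annotation.security.RolesAllowed;
import javax.ejb.SessionContext;
import javax.ejb.Stateless;

@Stateless
public class AuditBean {
    @Resource private SessionContext ctx;
    // The container checks the identity propagated by the caller.
    @RolesAllowed("admin")
    public String whoCalled() {
        return ctx.getCallerPrincipal().getName() + " admin=" + ctx.isCallerInRole("admin");
    }
}

// --- StartupBean.java (hypothetical) ---
import javax.annotation.PostConstruct;
import javax.annotation.security.RunAs;
import javax.ejb.EJB;
import javax.ejb.Singleton;
import javax.ejb.Startup;

@Singleton @Startup
@RunAs("admin")
public class StartupBean {
    @EJB private AuditBean audit;
    @PostConstruct
    void init() {
        audit.whoCalled(); // outgoing call carries the run-as identity
    }
}

// --- InitServlet.java (hypothetical) ---
import javax.annotation.security.RunAs;
import javax.ejb.EJB;
import javax.servlet.ServletException;
import javax.servlet.annotation.WebServlet;
import javax.servlet.http.HttpServlet;

@WebServlet(urlPatterns = "/init", loadOnStartup = 1)
@RunAs("admin")
public class InitServlet extends HttpServlet {
    @EJB private AuditBean audit;
    @Override
    public void init() throws ServletException {
        audit.whoCalled(); // EJBAccessException here = identity not propagated
    }
}
```

Logging the string returned by `whoCalled()` from both callers shows which principal, if any, the container put into the security context for each initialization path.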