On 30/08/2011 23:31, Shing Wai Chan wrote:
> I have discussed with Ronald Monzillo about the run-as in servlet.
> I try to summarize his comments as follows:
>
> a) In "A.8 Changes Since Servlet 2.3", it states
>
> Clarification: “run-as” identity must apply to all calls from a servlet
> including init() and destroy() (12.7)
>
> There is no such clarification in the section 12.7 or in the security
> chapter, so the clarification may have been lost, but the appendix
> clearly notes the intent, and thus he thinks it is required that a
> specified run-as identity be in effect during init() and destroy().
>
> b) Note that section 15.3.1 Propagation of Security Identity in EJB
> Calls, requires that propagation occur whenever an ejb is called by a
> servlet (without consideration of the Servlet method form which the ejb
> call is made). That may be going too far, but it would at least support
> that run-as should be honored within init(); where it is has become
> common practice to invoke ejbs, and where (unlike the case of calls to
> ejbs from servlet context listeners), there is a mapping to a specific
> servlet on which to look for a run-as specification.
>
> I think we should only propagate the security identity when
> Servlet#init, Servlet#destroy and Servlet#service are called.
> (So, there will be no security identity propagation for
> Servlet#getServletConfig, Servlet#getServletInfo.)
> I think we need to clarify this in spec.
> Any comments?
Seems reasonable to me.
Mark