jsr340-experts@servlet-spec.java.net

[jsr340-experts] Re: [servlet-spec users] Re: Clarification on run-as for servlet method

From: Shing Wai Chan <shing.wai.chan_at_oracle.com>
Date: Wed, 31 Aug 2011 11:04:14 -0700

I have filed an issue http://java.net/jira/browse/SERVLET_SPEC-8
to track this.
Thanks.
      Shing Wai Chan

> On 30/08/2011 23:31, Shing Wai Chan wrote:
>> I have discussed with Ronald Monzillo about the run-as in servlet.
>> I try to summarize his comments as follows:
>>
>> a) In "A.8 Changes Since Servlet 2.3", it states
>>
>> Clarification: “run-as” identity must apply to all calls from a servlet
>> including init() and destroy() (12.7)
>>
>> There is no such clarification in the section 12.7 or in the security
>> chapter, so the clarification may have been lost, but the appendix
>> clearly notes the intent, and thus he thinks it is required that a
>> specified run-as identity be in effect during init() and destroy().
>>
>> b) Note that section 15.3.1 Propagation of Security Identity in EJB
>> Calls, requires that propagation occur whenever an ejb is called by a
>> servlet (without consideration of the Servlet method from which the ejb
>> call is made). That may be going too far, but it would at least support
>> that run-as should be honored within init(); where it has become
>> common practice to invoke ejbs, and where (unlike the case of calls to
>> ejbs from servlet context listeners), there is a mapping to a specific
>> servlet on which to look for a run-as specification.
>>
>> I think we should only propagate the security identity when
>> Servlet#init, Servlet#destroy and Servlet#service are called.
>> (So, there will be no security identity propagation for
>> Servlet#getServletConfig, Servlet#getServletInfo.)
>> I think we need to clarify this in spec.
>> Any comments?
> Seems reasonable to me.
>
> Mark