jsr340-experts@servlet-spec.java.net

[jsr340-experts] Clarification on run-as for servlet method

From: Shing Wai Chan <shing.wai.chan_at_oracle.com>
Date: Tue, 30 Aug 2011 15:31:46 -0700

I have discussed the run-as in servlet with Ronald Monzillo.
I will try to summarize his comments as follows:

a) In "A.8 Changes Since Servlet 2.3", it states

Clarification: “run-as” identity must apply to all calls from a servlet
including init() and destroy() (12.7)

There is no such clarification in the section 12.7 or in the security
chapter, so the clarification may have been lost, but the appendix
clearly notes the intent, and thus he thinks it is required that a
specified run-as identity be in effect during init() and destroy().

b) Note that section 15.3.1 Propagation of Security Identity in EJB
Calls, requires that propagation occur whenever an ejb is called by a
servlet (without consideration of the Servlet method from which the ejb
call is made). That may be going too far, but it would at least support
that run-as should be honored within init(), where it has become
common practice to invoke ejbs, and where (unlike the case of calls to
ejbs from servlet context listeners), there is a mapping to a specific
servlet on which to look for a run-as specification.

I think we should only propagate the security identity when
Servlet#init, Servlet#destroy and Servlet#service are called.
(So, there will be no security identity propagation for
Servlet#getServletConfig, Servlet#getServletInfo.)
I think we need to clarify this in the spec.
Any comments?

Thanks.
Shing Wai Chan
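
To make the question in the message above concrete, here is an added illustration (not part of the original message and not taken from the specification): a servlet with a run-as role that calls a role-protected EJB from init(), service() (via doGet()) and destroy(). The class names, the "auditor" role and the URL pattern are hypothetical, and the comments describe the reading proposed in the message, not a guarantee about any particular container.

```java
// File: AuditBean.java (hypothetical EJB, constructed for this example)
import javax.annotation.security.RolesAllowed;
import javax.ejb.Stateless;

@Stateless
public class AuditBean {
    // Only callers in the "auditor" role may invoke this method.
    @RolesAllowed("auditor")
    public void record(String event) {
        System.out.println("audit: " + event);
    }
}

// File: ReportServlet.java (hypothetical servlet, constructed for this example)
import java.io.IOException;
import javax.annotation.security.DeclareRoles;
import javax.annotation.security.RunAs;
import javax.ejb.EJB;
import javax.servlet.ServletException;
import javax.servlet.annotation.WebServlet;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

@WebServlet(urlPatterns = "/report", loadOnStartup = 1)
@DeclareRoles("auditor")
@RunAs("auditor") // annotation form of <run-as> on the <servlet> element in web.xml
public class ReportServlet extends HttpServlet {
    @EJB
    private AuditBean audit;

    @Override
    public void init() throws ServletException {
        // No request and no authenticated caller exist here. Under the reading in (a),
        // the run-as identity is in effect, so this call is made as "auditor".
        audit.record("servlet initialized");
    }

    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp) throws IOException {
        // Reached through service(): the EJB sees "auditor", not the web caller's identity.
        audit.record("report requested");
        resp.getWriter().println("ok");
    }

    @Override
    public void destroy() {
        // Same question as init(): the proposal is that run-as also applies here.
        audit.record("servlet destroyed");
    }
}
```

If run-as were not applied during init() or destroy(), the two lifecycle calls would reach the EJB without the "auditor" role and the @RolesAllowed check would be expected to reject them, which is why the point needs to be stated in the spec.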