
I have a CDI -> EJB app. In the past I did the security with JBoss j_security. My security with Shiro works.

But my only problem is: how can I get the SessionContext in my EJB? With JBoss Security I got the username of the user who logged in at the location with:

SessionContext sessionContext;
String email = sessionContext.getCallerPrincipal().getName();

Now I want to get the username in my EJB. How can I set the username with SessionContext?

Thank you for your help.

internet

1 Answer

This is a bit tricky, and it also depends on the version of JBoss that you are using. In the AS 7.x and EAP 6.x range this can't really be done by using public APIs because of several bugs.

In order to make the sessionContext aware of the user name and roles you can use JBoss-specific code like I used here: https://github.com/javaeekickoff/jboss-as-jaspic-patch/commit/d691fd4532d9aeae6136e3adc2537ff81c525673

It should be something like:

SecurityContext context = SecurityActions.getSecurityContext();
context.getUtil().createSubjectInfo(new SimplePrincipal(userName), 
    null,
    someSubject
);

Take a look at the rest of the file to see how someSubject should be created and populated.

Unfortunately, for the mentioned JBoss versions @RolesAllowed will never work, since JBoss doesn't take over the already authenticated identity from the local caller, but will always consult a JBoss-specific "security domain" just prior to calling the actual bean. Of course it knows nothing about Shiro.

Arjan Tijms
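An added example, not part of the answer above and not the code from the linked commit: one way the `someSubject` argument could be built and handed to the JBoss security context so that `sessionContext.getCallerPrincipal()` returns the Shiro-authenticated user. It assumes the PicketBox classes shipped with AS 7.x / EAP 6.x, uses the public `SecurityContextAssociation` in place of the answer's `SecurityActions` helper, and assumes the conventional `CallerPrincipal` and `Roles` group names; the class name `CallerIdentityBridge` is hypothetical. It does not change the `@RolesAllowed` limitation described in the answer.

```java
import java.security.Principal;
import java.security.acl.Group; // java.security.acl is what the AS 7-era PicketBox API uses
import java.util.Collection;
import javax.security.auth.Subject;

import org.jboss.security.SecurityContext;
import org.jboss.security.SecurityContextAssociation;
import org.jboss.security.SimpleGroup;
import org.jboss.security.SimplePrincipal;

/** Hypothetical helper: copies an already authenticated identity into the JBoss security context. */
public final class CallerIdentityBridge {

    private CallerIdentityBridge() {
    }

    /** Builds a JAAS Subject carrying the caller and its roles (group names are assumed conventions). */
    public static Subject buildSubject(String userName, Collection<String> roles) {
        if (userName == null || userName.isEmpty()) {
            // Never propagate an empty identity; fail closed instead.
            throw new IllegalArgumentException("userName must come from a completed authentication");
        }
        Principal caller = new SimplePrincipal(userName);
        Group callerGroup = new SimpleGroup("CallerPrincipal");
        callerGroup.addMember(caller);
        Group roleGroup = new SimpleGroup("Roles");
        for (String role : roles) {
            roleGroup.addMember(new SimplePrincipal(role));
        }
        Subject subject = new Subject();
        subject.getPrincipals().add(caller);
        subject.getPrincipals().add(callerGroup);
        subject.getPrincipals().add(roleGroup);
        return subject;
    }

    /** Call on the request thread, after Shiro has authenticated, before invoking the EJB. */
    public static void propagate(String userName, Collection<String> roles) {
        SecurityContext context = SecurityContextAssociation.getSecurityContext();
        if (context == null) {
            throw new IllegalStateException("No JBoss security context is bound to this thread");
        }
        context.getUtil().createSubjectInfo(new SimplePrincipal(userName), null, buildSubject(userName, roles));
    }
}
```

The user name and roles passed in should be taken only from the identity Shiro has already authenticated for the current request, never from request parameters. Because the security context is bound to the thread, it has to be set on every request so that a pooled thread does not carry over a previous caller's identity.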