
This is a follow-up to User context for @Startup EJB on websphere

I have the following scenario:

EJB 1:

import javax.annotation.security.RolesAllowed;
import javax.ejb.Local;
import javax.ejb.Stateless;
import javax.jws.WebService;

@WebService( ... )
@Local(SomeLocalServiceType.class)
@Stateless
@RolesAllowed("SomeRole")   // every business method requires the caller to hold SomeRole
public class SomeServiceBean implements SomeLocalServiceType {

    ...

    @Override
    public void someMethodInSomeLocalServiceType() { ... }

    ...
}

EJB 2:

import javax.annotation.PostConstruct;
import javax.annotation.security.RunAs;
import javax.ejb.EJB;
import javax.ejb.Singleton;
import javax.ejb.Startup;

@Startup
@Singleton
@RunAs("SomeRole")   // outbound calls from this bean should carry the SomeRole identity
public class PIRSingletonEJB {

    @EJB
    private SomeLocalServiceType service;

    ...

    @PostConstruct
    public void performStartupAction() {
        service.someMethodInSomeLocalServiceType();
    }

}

In short: I have one EJB requiring a role "SomeRole", and a startup EJB using @RunAs to use that role.

As far as I understand @RunAs, this should work.

However, I get the following Exception (class and role names changed to match my example):

javax.ejb.NoSuchEJBException: An error occurred during initialization of singleton session bean MY_Appl#myappl-ejb.jar#PIRSingletonEJB, resulting in the discarding of the singleton instance.; nested exception is: javax.ejb.EJBAccessException: SECJ0053E: Authorization failed for wasldaphost:389/SOMEUSER while invoking (Bean)MY_Appl#myappl-ejb.jar#SomeServiceBean someMethodInSomeLocalServiceType::3  is not granted any of the required roles: SomeRole
Caused by: javax.ejb.EJBAccessException: SECJ0053E: Authorization failed for wasldaphost:389/SOMEUSER while invoking (Bean)MY_Appl#myappl-ejb.jar#SomeServiceBean someMethodInSomeLocalServiceType::3  is not granted any of the required roles: SomeRole

Is this just a misunderstanding on my part of how this should work?

I am using WebSphere 8.0.0.9

Thomas Stets
  • I have only a basic understanding of WebSphere application security, but my understanding is that when you specify `@RunAs("SomeRole")`, you need to configure the specific user that will be used, and it appears you've configured SOMEUSER for this purpose. Additionally, you need to configure the SOMEUSER to be a member of the SomeRole role for access checking, but it appears you have not done this. (I don't know for sure, this is just my best guess. If it's correct, then it's rather unfortunate that WebSphere doesn't detect this paradox.) – Brett Kail Oct 14 '15 at 06:53
  • I have *not* configured SOMEUSER for this. This is what my other question was about: WAS is using that user, and I couldn't find how to set it. – Thomas Stets Oct 14 '15 at 07:14
  • If I have to configure the user to have the role SomeRole, why would I need the `@RunAs` then? The user would automatically be allowed to call the second EJB, wouldn't he? – Thomas Stets Oct 14 '15 at 07:16

1 Answer


You have to do two things:

  • In the admin console, in the Security role to user mapping, you have to add your SOMEUSER to SomeRole.
  • Then in the RunAs role mapping you have to specify one particular user from SomeRole (in your case SOMEUSER) and provide a password for him.

Both settings are required, because the container must have a userid and password for the RunAs user, and that user must also be a valid user for the role that should be used. (You cannot run just as a role; it must be a specific user that has that role.)

PS. I don't have the console at hand, so the links might be named a bit differently in the console, but you should get the idea.

For more details, check Assigning users to RunAs roles.

Gas
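As an added illustration (not part of the question, the answer, or IBM's documentation), the two console settings the answer describes correspond to two entries in the application's ibm-application-bnd.xml binding file, which is what the console edits under the covers. The element names follow IBM's application-binding schema as I recall it; the schema version/location and the password value are assumptions or placeholders to check against the schema shipped with your WAS 8.0 installation.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Added example, not from the question or answer. Element names follow IBM's
     application binding schema; the schema version/location and the password
     value are assumptions or placeholders. -->
<application-bnd xmlns="http://websphere.ibm.com/xml/ns/javaee"
                 xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
                 xsi:schemaLocation="http://websphere.ibm.com/xml/ns/javaee http://websphere.ibm.com/xml/ns/javaee/ibm-application-bnd_1_0.xsd"
                 version="1.0">

  <!-- 1) "Security role to user mapping": SOMEUSER is a member of SomeRole.
          Without this entry the RunAs identity authenticates fine but then
          fails the @RolesAllowed("SomeRole") check on SomeServiceBean, which
          is exactly the SECJ0053E "is not granted any of the required roles"
          failure shown in the question. -->
  <security-role name="SomeRole">
    <user name="SOMEUSER" />

    <!-- 2) "RunAs role mapping": the concrete identity the container switches
            to when PIRSingletonEJB (@RunAs("SomeRole")) calls another bean.
            @RunAs names a role, but the container can only authenticate as a
            user, so a member of the role plus its password is required here.
            The user should be one of the members listed for the role above. -->
    <run-as>
      <user name="SOMEUSER" password="REPLACE_WITH_SOMEUSER_PASSWORD" />
    </run-as>
  </security-role>

</application-bnd>
```

Read together, the two entries explain the comment thread above: @RunAs does not grant SomeRole to anything, it only substitutes SOMEUSER as the caller for outbound calls, and the target bean's role check is then evaluated against SOMEUSER's actual role membership. Because the binding carries the RunAs user's credential, handle the file like any other secret; the {xor} form WebSphere stores passwords in is obfuscation, not encryption.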