JASPIC client login in Wildfly

I have a Java EE web application that is secured with JASPIC and @RolesAllowed annotations on my EJBs. I use a managed executor service to run a number of tasks.

However, the tasks are not run as any user so I get permission denied errors while attempting to access my EJBs. I've tried using the @RunAs annotation, but that doesn't seem to work.

How can I programmatically authenticate?

I have an abstract class

    public abstract class AbstractTask implements Runnable...

and a concrete class, I then submit the task to the managed executor service

    mes_.submit(task);

I've tried putting @RunAs on both classes, but neither works.

There are 2 best solutions below

1
On BEST ANSWER

There is unfortunately no facility in Java EE to programmatically login outside of a web context.

JASPIC should have provided that, but it was somehow forgotten or the powers that be had other things on their mind. The JASPIC spec document mentions it somewhere at the end that they would look into it later, but it just never happened.

@RunAs is a bit limited, but nevertheless should work in general for this case. You may need to provide some code, and WildFly may demand some custom configuration for this.

Are your @RolesAllowed annotated EJB methods only called from the managed executor service? In WildFly 8 @RolesAllowed is broken when an EJB is called from a Servlet, but that should be fixed in WildFly 9.

0
On

You should show more code. What's in your question now is not really useful, since it's basically implied by using an executor service. To be sure, show the exact classes where you put @RunAs.

I've a feeling though where the problem is, and that's that you cannot just put @RunAs on any plain class, but need to use an intermediate unsecured EJB. @RunAs is somewhat confusing perhaps in that it doesn't set the role for the method that's annotated with it, but sets the role for outgoing calls.

Thus the order is

Executor Service -> Task -> Intermediate EJB bean with @RunAs method -> Secured bean with @RolesAllowed
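
The call chain described in this answer, sketched as an added example that is not code from the original posts. The class names, method names and the `task-runner` role are hypothetical, each public class belongs in its own file, and WildFly may additionally need container-specific security configuration, as the first answer notes.

```java
import javax.annotation.Resource;
import javax.annotation.security.RolesAllowed;
import javax.annotation.security.RunAs;
import javax.ejb.EJB;
import javax.ejb.Stateless;
import javax.enterprise.concurrent.ManagedExecutorService;

// --- SecuredBean.java: only callers in the (hypothetical) role are admitted.
@Stateless
public class SecuredBean {
    @RolesAllowed("task-runner")
    public void doWork() { /* protected business logic */ }
}

// --- TaskGateway.java: intermediate, unsecured EJB.
// @RunAs does not guard this bean. It sets the role the container propagates
// on calls this bean makes to other EJBs. Anything that can reach this bean
// therefore acts as "task-runner": keep it to a local view (no @Remote) and
// give the role only the permissions the background tasks need.
@Stateless
@RunAs("task-runner")
public class TaskGateway {
    @EJB
    private SecuredBean secured;

    public void runSecured() { secured.doWork(); }
}

// --- GatewayTask.java: plain Runnable. It is not an EJB, so security
// annotations placed here would have no effect; it only calls the gateway.
public class GatewayTask implements Runnable {
    private final TaskGateway gateway;

    public GatewayTask(TaskGateway gateway) { this.gateway = gateway; }

    @Override
    public void run() { gateway.runSecured(); }
}

// --- TaskSubmitter.java: hands the task to the managed executor service.
@Stateless
public class TaskSubmitter {
    @Resource
    private ManagedExecutorService mes_;
    @EJB
    private TaskGateway gateway;

    public void submit() { mes_.submit(new GatewayTask(gateway)); }
}
```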