async method invocation and the "CallerPrincipal"


async method invocation and the "CallerPrincipal"

Thiago Veronezi
Hi devs!
I'm trying to reproduce the issue reported here:
http://openejb.979440.n4.nabble.com/3-4-SNAPSHOT-EjbObjectProxyHandler-FutureAdapter-is-not-Serializable-td3259083.html

To do it, I've changed one function of my current project: from
"uploadFilePart" method to "asyncUploadFilePart". Now I'm facing a problem
with the business logic. When my "async method" calls the "getMyFile"
method, the caller principal is "guest". I've run the ejb.3.1.spec document,
but I didn't find what's the expected behaviour here.

The question is: Should the "callerPrincipal" be the original caller, or
should it be the "guest" user for async method invocations?

******************************************************************************************************
@Override
public File getMyFile(Long uid) {
    final FileEAO fileeao = eaoBuilder.getInstance(FileEAO.class);
    final File file = fileeao.findByUid(uid);
    if (file == null) {
        return file;
    }

    // Ownership check: the caller principal must match the file's owner account.
    final String user = sctx.getCallerPrincipal().getName();
    if (!user.equals(file.getUser().getAccount())) {
        throw new SystemException("The user " + user + " is not the owner of this file");
    }
    return file;
}

@Override
@Asynchronous
public Future<Long> asyncUploadFilePart(long fileUid, int sequence, byte[] part, int size) {
    final FileEAO fileeao = eaoBuilder.getInstance(FileEAO.class);
    // Called from the async invocation, so the ownership check sees the async caller principal.
    final File file = getMyFile(fileUid);
    final Long partUid = fileeao.savePart(file, sequence, part, size);
    return new AsyncResult<Long>(partUid);
}
******************************************************************************************************

[]s,
Thiago.

Re: async method invocation and the "CallerPrincipal"

dblevins
Administrator

On Feb 7, 2011, at 12:05 PM, Thiago Veronezi wrote:

> Hi devs!
> I'm trying to reproduce the issue reported here:
> http://openejb.979440.n4.nabble.com/3-4-SNAPSHOT-EjbObjectProxyHandler-FutureAdapter-is-not-Serializable-td3259083.html
>
> To do it, I've changed one function of my current project: from
> "uploadFilePart" method to "asyncUploadFilePart". Now I'm facing a problem
> with the business logic. When my "async method" calls the "getMyFile"
> method, the caller principal is "guest". I've run the ejb.3.1.spec document,
> but I didn't find what's the expected behaviour here.
>
> The question is: Should the "callerPrincipal" be the original caller, or
> should it be the "guest" user for async method invocations?

Transaction and security state don't propagate to async methods, so guest is correct. It is possible to use the @RunAs on the async method to hard code it to run as a specific role, however.

On a slightly different angle, I think it should still be possible to use @RolesAllowed on an async method and get the security check done before the async method is queued.  I'm not sure what our current behavior is in that regard, but it would be optimal.  Don't think it's required by the spec -- certainly if we don't do it now, the TCK doesn't check for it.


Thanks for working on this!

-David
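
A plain-Java model of the behaviour discussed in this thread, added as an example and not taken from either message or from OpenEJB: it contrasts an ownership check made inside the queued work with one made before the work is queued. It assumes the caller identity is bound to the calling thread; the `CALLER` thread-local, the `OWNER` map and all method names are hypothetical.

```java
import java.util.Map;
import java.util.concurrent.*;

// Plain-Java model (constructed): the caller identity is bound to the calling
// thread, as an assumption about how a container tracks it. Not OpenEJB code.
public class AsyncPrincipalDemo {
    // Hypothetical stand-in for the container's security context; defaults to "guest".
    static final ThreadLocal<String> CALLER = ThreadLocal.withInitial(() -> "guest");
    // Constructed sample data: file uid -> owning account.
    static final Map<Long, String> OWNER = Map.of(1L, "thiago");
    static final ExecutorService POOL = Executors.newSingleThreadExecutor();

    // Same ownership rule as getMyFile in the post.
    static void checkOwner(long uid) {
        String user = CALLER.get();
        if (!user.equals(OWNER.get(uid))) {
            throw new SecurityException("The user " + user + " is not the owner of this file");
        }
    }

    // Check inside the async body: runs on a pool thread, where the caller is "guest".
    static Future<Long> checkInsideAsync(long uid) {
        return POOL.submit(() -> { checkOwner(uid); return uid; });
    }

    // Check before queuing: runs on the caller's thread, so the real principal is tested.
    static Future<Long> checkBeforeQueue(long uid) {
        checkOwner(uid);
        return POOL.submit(() -> uid);
    }

    public static void main(String[] args) throws Exception {
        CALLER.set("thiago");
        try {
            checkInsideAsync(1L).get();
        } catch (ExecutionException e) {
            System.out.println("inside async: " + e.getCause().getMessage());
        }
        System.out.println("before queue: part saved for file " + checkBeforeQueue(1L).get());

        CALLER.set("mallory"); // a non-owner is still rejected, synchronously
        try {
            checkBeforeQueue(1L);
        } catch (SecurityException e) {
            System.out.println("before queue: " + e.getMessage());
        }
        POOL.shutdown();
    }
}
```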
