servlet-spec / SERVLET_SPEC-8

Clarification on run-as for servlet method

    Details

    • Type: Bug
    • Status: Resolved
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: None
    • Fix Version/s: None
    • Labels:
      None

      Description

      I have discussed the run-as in servlet with Ronald Monzillo.
      I will try to summarize his comments as follows:

      a) In "A.8 Changes Since Servlet 2.3", it states

      Clarification: "run-as" identity must apply to all calls from a servlet including init() and destroy() (12.7)

      There is no such clarification in the section 12.7 or in the security chapter, so the clarification may have been lost, but the appendix clearly notes the intent, and thus he thinks it is required that a specified run-as identity be in effect during init() and destroy().

      b) Note that section 15.3.1 Propagation of Security Identity in EJB Calls, requires that propagation occur whenever an ejb is called by a servlet (without consideration of the Servlet method from which the ejb call is made). That may be going too far, but it would at least support that run-as should be honored within init(); where it has become common practice to invoke ejbs, and where (unlike the case of calls to ejbs from servlet context listeners), there is a mapping to a specific servlet on which to look for a run-as specification.

      I think we should only propagate the security identity when Servlet#init, Servlet#destroy and Servlet#service are called.
      (So, there will be no security identity propagation for Servlet#getServletConfig, Servlet#getServletInfo.)

        Activity

        Shing Wai Chan created issue -
        Rajiv Mordani made changes -
        Field Original Value New Value
        Assignee Shing Wai Chan [ swchan2 ]
        Shing Wai Chan made changes -
        Status Open [ 1 ] In Progress [ 3 ]
        Shing Wai Chan added a comment -

        I have had further discussion with Ron about this.
        We would like to clarify the spec from:
        "When it is specified, the container must propagate the security identity for any call from a servlet to the EJB layer in terms of the security role name defined in the run-as element. "

        to

        "When a run-as role is specified for a Servlet, the Servlet container must propagate a principal mapped to the role as the security identity in any call from the Servlet to an EJB, including calls originating from the Servlet's Servlet#init and Servlet#destroy methods."

        In other words, run-as applies to all of the Servlet's methods when they are invoked by the container.

        Shing Wai Chan added a comment -

        Sending javaEE.fm
        Transmitting file data .
        Committed revision 4.

        Shing Wai Chan made changes -
        Status In Progress [ 3 ] Resolved [ 5 ]
        Resolution Fixed [ 1 ]
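
The behaviour clarified in this issue, shown as an added example that is not part of the issue or of the specification text: a servlet declares a run-as role and calls a role-protected EJB from init(), the service path and destroy(). The class names, the role name `cache-admin` and the URL `/cache` are hypothetical, and the role is assumed to be mapped to a principal in the container's own configuration.

```java
// CacheBean.java (added example; all names are hypothetical)
import javax.annotation.Resource;
import javax.annotation.security.RolesAllowed;
import javax.ejb.SessionContext;
import javax.ejb.Stateless;

@Stateless
public class CacheBean {
    @Resource private SessionContext ctx;

    @RolesAllowed("cache-admin") // only the run-as role may call this
    public String touch(String origin) {
        return origin + " -> " + ctx.getCallerPrincipal().getName();
    }
}

// CacheServlet.java
import java.io.IOException;
import javax.annotation.security.RunAs;
import javax.ejb.EJB;
import javax.servlet.ServletException;
import javax.servlet.annotation.WebServlet;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

@WebServlet(urlPatterns = "/cache", loadOnStartup = 1)
@RunAs("cache-admin") // annotation form of <run-as> in web.xml
public class CacheServlet extends HttpServlet {
    @EJB private CacheBean cache;

    @Override
    public void init() throws ServletException {
        // No web caller exists yet; this passes @RolesAllowed only if
        // the container applies run-as during init().
        log(cache.touch("init"));
    }

    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp) throws IOException {
        // Via service(): the EJB sees the run-as principal, not the web user.
        resp.getWriter().println(cache.touch("service"));
    }

    @Override
    public void destroy() {
        log(cache.touch("destroy"));
    }
}
```

Because run-as replaces the web caller's identity on the EJB call, any decision about who may reach `/cache` has to be enforced in the web tier, for example with a security-constraint.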

          People

          • Assignee:
            Shing Wai Chan
            Reporter:
            Shing Wai Chan