java - Can't get @RunAs to work in an EJB

Question

This is a follow-up to User context for @Startup EJB on websphere

I have the following scenario:

EJB 1:

@WebService( ... )
@Local(SomeLocalServiceType.class)
@Stateless
@RolesAllowed("SomeRole")
public class SomeServiceBean implements SomeLocalServiceType {

    ...

    @Override
    public void someMethodInSomeLocalServiceType() { ... }

    ...
}

EJB 2:

@Startup
@Singleton
@RunAs("SomeRole")
public class PIRSingletonEJB {

        @EJB
        private SomeLocalServiceType service; 

        ...

        @PostContruct
        public void performStartupAction() { 
            service.someMethodInSomeLocalServiceType();
        }

}

In short: I have one EJB requiring a role "SomeRole", and a startup EJB using @RunAs to use that role.

As far I as understand @RunAs this should work.

However, I get the following Exception (class and role names changed to match my example):

javax.ejb.NoSuchEJBException: An error occurred during initialization of singleton session bean MY_Appl#myappl-ejb.jar#PIRSingletonEJB, resulting in the discarding of the singleton instance.; nested exception is: javax.ejb.EJBAccessException: SECJ0053E: Authorization failed for wasldaphost:389/SOMEUSER while invoking (Bean)MY_Appl#myappl-ejb.jar#SomeServiceBean someMethodInSomeLocalServiceType::3  is not granted any of the required roles: SomeRole
Caused by: javax.ejb.EJBAccessException: SECJ0053E: Authorization failed for wasldaphost:389/SOMEUSER while invoking (Bean)MY_Appl#myappl-ejb.jar#SomeServiceBean someMethodInSomeLocalServiceType::3  is not granted any of the required roles: SomeRole

Is this just a misunderstanding on my part of how this should work?

I am using WebSphere 8.0.0.9

Answer 1

You have to do two things:

• In the admin console, in the Security role to user mapping you have to add your SOMEUSER to SomeRole
• Then in RunAs role mapping you have to specify one particular user from the SomeRole (in your case SOMEUSER) and provide password for him.

Both settings are required, because container must have userid and password for the RunAs, and also that user must be valid user for the role that should be used. (You cannot run just as role, it must be a specific user that has that role).

PS. I don't have console at hand, so links might be called a bit differently in the console, but you should get the idea.

For more details check Assigning users to RunAs roles