
Message Driven Bean @RunAs - How?

Former Member
0 Kudos

Hello,

I'm trying to run a Message Driven Bean in a specific role. I thought the @RunAs annotation would do the job, but I can't get it to run.

I put in my source code:

@RunAs("myadmin")

In the ejb-j2ee-engine.xml I put the following:


```xml
<security-permission>
  <security-role-map>
    <role-name>myadmin</role-name>
    <server-role-name>Administrator</server-role-name>
  </security-role-map>
</security-permission>
```

When I deploy I get the 'warning':

Warning occurred on server 7820350 during update sap.com/TEST_EAR : EJB Model Builder: J2EE Security role myadmin is mapped to server role(roles) in the additional xml but cannot be found in the security-role tag of the ejb-jar.xml., file: MyProject.jar#MyProject.jar, column 0, line 0, severity: warning

Why do I need an ejb-jar.xml? I thought this is no longer needed with J2EE 5? And when I create one, I get errors when inserting a tag named "<security-role>".

I checked the help [here|http://help.sap.com/saphelp_nwce10/helpdata/en/46/3079bf50094f09e10000000a114a6b/frameset.htm], but it was not a great help as most times...

So how do I run a Message Driven Bean as a Role I define in the UME like "Administrator"? Or what is the meaning of "server-role-name"? This whole concept of UME and J2EE security roles is a little bit confusing to me, to be honest.

Any help would be appreciated,

Thanks Frank

Accepted Solutions (1)


Vlado
Advisor
0 Kudos

Hi Frank,

Well, I should say that in many cases so far help.sap.com seems to have been really helpful. But you know, the biggest room in the world is the room for improvement.

OK, first you need to declare the role by listing it in @DeclareRoles, and then use it in @RunAs.

However, I agree that the warning message is not very accurate and should be edited to also mention the other ways of declaring a security role in Java EE 5, namely @DeclareRoles and @RolesAllowed.

Hope that helps!

-- Vladimir
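
The annotation approach described in the answer above, as an added example that is not part of the original thread or of SAP's documentation: a message-driven bean declares the logical role `myadmin` with @DeclareRoles, runs as it with @RunAs, and calls a session bean that admits only that role. `AuditedStore`, `AuditedStoreBean`, `OrderListenerBean` and the activation property are hypothetical names, and each type belongs in its own source file.

```java
// Added example: type names and the activation property are hypothetical.
// --- AuditedStore.java (business interface of the bean the MDB calls) ---
public interface AuditedStore {
    String save(String payload);
}

// --- AuditedStoreBean.java ---
import javax.annotation.Resource;
import javax.annotation.security.RolesAllowed;
import javax.ejb.SessionContext;
import javax.ejb.Stateless;

@Stateless
public class AuditedStoreBean implements AuditedStore {
    @Resource private SessionContext ctx;

    @RolesAllowed("myadmin") // only callers in the logical role get in
    public String save(String payload) {
        // For calls coming from the MDB this is the run-as principal.
        return ctx.getCallerPrincipal().getName();
    }
}

// --- OrderListenerBean.java ---
import javax.annotation.security.DeclareRoles;
import javax.annotation.security.RunAs;
import javax.ejb.ActivationConfigProperty;
import javax.ejb.EJB;
import javax.ejb.MessageDriven;
import javax.jms.JMSException;
import javax.jms.Message;
import javax.jms.MessageListener;
import javax.jms.TextMessage;

@MessageDriven(activationConfig = @ActivationConfigProperty(
        propertyName = "destinationType", propertyValue = "javax.jms.Queue"))
@DeclareRoles("myadmin") // annotation counterpart of <security-role> in ejb-jar.xml
@RunAs("myadmin")        // identity for calls this bean makes to other beans
public class OrderListenerBean implements MessageListener {
    @EJB private AuditedStore store;

    public void onMessage(Message message) {
        try {
            if (message instanceof TextMessage) {
                store.save(((TextMessage) message).getText());
            }
        } catch (JMSException e) {
            throw new RuntimeException("Unreadable message", e);
        }
    }
}
```

Which concrete user stands behind the run-as role is decided by the server-side mapping, not by the annotations.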

Former Member
0 Kudos

First of all, thanks for your answer!

What I do not understand is the connection of a Role I declare with @DeclareRoles and for example UME actions I declare in an Actions DC.

I have a Database Access class (Plain Old Java) where I check actions with code like that:


```java
IUser user = UMFactory.getAuthenticator().getLoggedInUser();
if (null != user) {
  try {
    user.checkPermission(new MyPermission("DB", "access"));
  } catch (AccessControlException ace) {
    throw new RuntimeException("Not Authorized", ace);
  }
} else {
  throw new RuntimeException("No authenticated User");
}
```

So how can I get to run a Message Driven Bean with those actions? I can't see the connection on that...

As to my criticism of the help, may I explain what the difficulty of that help page is:

- security role mapping is about Role carCustomer and guest

- RunAs and RolesDeclares is about Administrator

-> so the examples are not consistent

- It is nowhere really explained what a server role in role mapping means

-> Where do I see that in my Identity Management?

-> Somewhere I found I would see it in the actions, but I tried and it wasn't there...

In general - as often - it describes how and not why.

Frank

Vlado
Advisor
0 Kudos

> What I do not understand is the connection of a Role I declare with @DeclareRoles and for example UME actions I declare in an Actions DC.

There is no connection between Java EE roles declared with, for example, @DeclareRoles and UME actions declared in actions.xml.

Java EE roles are logical roles pertinent to the particular app/module for which they are defined. They should be mapped to physical users / groups established in the concrete server environment. The server security role is actually a UME role which can be assigned users, groups, and actions. By mapping a Java EE role to a server role you implicitly create a UME action that is assigned to that (UME) role.

> I have a Database Access class (Plain Old Java) where I check actions with code like that:
>
> IUser user = UMFactory.getAuthenticator().getLoggedInUser();
> if (null != user) {
>   try {
>     user.checkPermission(new MyPermission("DB", "access"));
>   } catch (AccessControlException ace) {
>     throw new RuntimeException("Not Authorized", ace);
>   }
> } else {
>   throw new RuntimeException("No authenticated User");
> }
>
> So how can I get to run a Message Driven Bean with those actions? I can't see the connection on that...

That's not possible. As I just explained above, Java EE apps create their own UME actions and map to UME roles.

> As to my criticism of the help, may I explain what the difficulty of that help page is:

> - security role mapping is about Role carCustomer and guest

> - RunAs and RolesDeclares is about Administrator

> -> so the examples are not consistent

Good point. I already forwarded that to our documentation colleagues. Thanks!

> - It is nowhere really explained what a server role in role mapping means

This is explained in the [ejb-j2ee-engine XSD|http://help.sap.com/saphelp_nwce10/helpdata/en/45/0963e714232d6be10000000a11466f/frameset.htm], however you're probably right that it could be linked from the current page. Note taken as well.

> -> Where do I see that in my Identity Management?

> -> Somewhere I found I would see it in the actions, but I tried and it wasn't there...

You should be able to find it in the Roles.

HTH!

-- Vladimir

Former Member
0 Kudos

Hello,

So I finally got it to work. I created a (UME) role in my 7.10 server and gave that role the required access rights (as UME actions).

I then created a user 'myUser' that has this role...

And I created an entry in ejb-j2ee-engine.xml for my bean:


```xml
<run-as-identity-map>
  <user-name>myUser</user-name>
</run-as-identity-map>
```

and created the security-permissions as given on the help page.

I also needed to add an ejb-jar.xml with:


```xml
<assembly-descriptor>
  <security-role>
    <role-name>myrole</role-name>
  </security-role>
</assembly-descriptor>
```

As I haven't figured out when it's a J2EE role and when it's a UME role, I named them both the same. After that I can see in the logs that my MDB is running with User 'myUser'.

Hope this short explanation may help others. Thanks for your help as well!

Frank

Answers (0)