eclipse-ee4j · arjantijms · Nov 25, 2024 · Nov 24, 2024
diff --git a/appserver/deployment/dol/src/main/java/com/sun/enterprise/deployment/EjbBeanDescriptor.java b/appserver/deployment/dol/src/main/java/com/sun/enterprise/deployment/EjbBeanDescriptor.java
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2022, 2023 Contributors to the Eclipse Foundation.
+ * Copyright (c) 2022, 2024 Contributors to the Eclipse Foundation.
  * Copyright (c) 1997, 2018 Oracle and/or its affiliates. All rights reserved.
  *
  * This program and the accompanying materials are made available under the
@@ -1363,17 +1363,15 @@ public void setUsesCallerIdentity(boolean flag) {
     @Override
     public void setRunAsIdentity(RunAsIdentityDescriptor desc) {
         if (usesCallerIdentity == null || usesCallerIdentity) {
-            throw new IllegalStateException("Cannot set RunAs identity when using caller identity");
+            throw new IllegalStateException("Cannot set RunAs identity when using caller identity."
+                + " Set usesCallerIdentity to false first.");
         }
         this.runAsIdentity = desc;
     }
 
 
     @Override
     public RunAsIdentityDescriptor getRunAsIdentity() {
-        if (usesCallerIdentity == null || usesCallerIdentity) {
-            throw new IllegalStateException("Cannot get RunAs identity when using caller identity");
-        }
         return runAsIdentity;
     }
 

diff --git a/...ent/dol/src/main/java/com/sun/enterprise/deployment/annotation/handlers/RunAsHandler.java b/...ent/dol/src/main/java/com/sun/enterprise/deployment/annotation/handlers/RunAsHandler.java
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2022 Contributors to the Eclipse Foundation
+ * Copyright (c) 2022, 2024 Contributors to the Eclipse Foundation
  * Copyright (c) 1997, 2018 Oracle and/or its affiliates. All rights reserved.
  *
  * This program and the accompanying materials are made available under the
@@ -56,7 +56,7 @@ protected HandlerProcessingResult processAnnotation(AnnotationInfo ainfo, EjbCon
         RunAs runAsAn = (RunAs) ainfo.getAnnotation();
         for (EjbContext ejbContext : ejbContexts) {
             EjbDescriptor ejbDesc = ejbContext.getDescriptor();
-            // override by xml
+            // overriden by xml
             if (ejbDesc.getUsesCallerIdentity() != null) {
                 continue;
             }

diff --git a/appserver/ejb/ejb-container/src/main/java/org/glassfish/ejb/deployment/node/EjbNode.java b/appserver/ejb/ejb-container/src/main/java/org/glassfish/ejb/deployment/node/EjbNode.java
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2022, 2022 Contributors to the Eclipse Foundation.
+ * Copyright (c) 2022, 2024 Contributors to the Eclipse Foundation.
  * Copyright (c) 1997, 2018 Oracle and/or its affiliates. All rights reserved.
  *
  * This program and the accompanying materials are made available under the
@@ -181,7 +181,7 @@ protected void writeCommonHeaderEjbDescriptor(Node ejbNode, EjbDescriptor descri
      * @param descriptor the EJB descriptor the security information to be retrieved
      */
     protected void writeSecurityIdentityDescriptor(Node parent, EjbDescriptor descriptor) {
-        if (!descriptor.getUsesCallerIdentity() && descriptor.getRunAsIdentity() == null) {
+        if (descriptor.getUsesCallerIdentity() == null && descriptor.getRunAsIdentity() == null) {
             return;
         }
         SecurityIdentityNode.writeSecureIdentity(parent, SECURITY_IDENTITY, descriptor);

diff --git a/...b/ejb-container/src/main/java/org/glassfish/ejb/deployment/node/SecurityIdentityNode.java b/...b/ejb-container/src/main/java/org/glassfish/ejb/deployment/node/SecurityIdentityNode.java
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2022 Contributors to the Eclipse Foundation
+ * Copyright (c) 2022, 2024 Contributors to the Eclipse Foundation
  * Copyright (c) 1997, 2018 Oracle and/or its affiliates. All rights reserved.
  *
  * This program and the accompanying materials are made available under the
@@ -22,14 +22,15 @@
 import com.sun.enterprise.deployment.node.XMLElement;
 import com.sun.enterprise.deployment.xml.TagNames;
 
-import java.util.Collections;
+import java.util.HashMap;
 import java.util.Map;
 
 import org.glassfish.deployment.common.Descriptor;
-import org.glassfish.ejb.deployment.EjbTagNames;
 import org.glassfish.ejb.deployment.descriptor.EjbDescriptor;
 import org.w3c.dom.Node;
-import org.xml.sax.Attributes;
+
+import static com.sun.enterprise.deployment.xml.TagNames.RUNAS_SPECIFIED_IDENTITY;
+import static org.glassfish.ejb.deployment.EjbTagNames.USE_CALLER_IDENTITY;
 
 /**
  * This node handles all information relative to security-indentity tag
@@ -38,54 +39,47 @@
  */
 public class SecurityIdentityNode extends DeploymentDescriptorNode<Descriptor> {
 
-    public static Node writeSecureIdentity(Node parent, String nodeName, EjbDescriptor descriptor) {
-        Node subNode = appendChild(parent, nodeName);
-        appendTextChild(subNode, TagNames.DESCRIPTION, descriptor.getSecurityIdentityDescription());
-        if (descriptor.getUsesCallerIdentity()) {
-            Node useCaller = subNode.getOwnerDocument().createElement(EjbTagNames.USE_CALLER_IDENTITY);
-            subNode.appendChild(useCaller);
-        } else {
-            RunAsNode runAs = new RunAsNode();
-            runAs.writeDescriptor(subNode, TagNames.RUNAS_SPECIFIED_IDENTITY, descriptor.getRunAsIdentity());
-        }
-        return subNode;
-    }
-
-
     public SecurityIdentityNode() {
-        registerElementHandler(new XMLElement(TagNames.RUNAS_SPECIFIED_IDENTITY), RunAsNode.class);
+        registerElementHandler(new XMLElement(RUNAS_SPECIFIED_IDENTITY), RunAsNode.class);
     }
 
 
     @Override
     public Descriptor getDescriptor() {
-        return null;
+        return getParentNodeDescriptor();
     }
 
 
     @Override
     protected Map<String, String> getDispatchTable() {
-        return Collections.emptyMap();
+        Map<String, String> table =  new HashMap<>();
+        table.put(USE_CALLER_IDENTITY, "setUsesCallerIdentity");
+        table.put(RUNAS_SPECIFIED_IDENTITY, "setRunAsIdentity");
+        return table;
     }
 
 
-    @Override
-    public void startElement(XMLElement element, Attributes attributes) {
-        if (EjbTagNames.USE_CALLER_IDENTITY.equals(element.getQName())) {
-            ((EjbDescriptor) getParentNode().getDescriptor()).setUsesCallerIdentity(true);
-        } else {
-            super.startElement(element, attributes);
-        }
-        return;
+    public EjbDescriptor getParentNodeDescriptor() {
+        return (EjbDescriptor) super.getParentNode().getDescriptor();
     }
 
 
-    @Override
-    public void setElementValue(XMLElement element, String value) {
-        if (TagNames.DESCRIPTION.equals(element.getQName())) {
-            ((EjbDescriptor) getParentNode().getDescriptor()).setSecurityIdentityDescription(value);
-        } else {
-            super.setElementValue(element, value);
+    /**
+     * @param parent parent node
+     * @param nodeName name of this node under the parent node.
+     * @param descriptor parent descriptor.
+     * @return new {@link Node}
+     */
+    public static Node writeSecureIdentity(Node parent, String nodeName, EjbDescriptor descriptor) {
+        Node secureIdentityNode = appendChild(parent, nodeName);
+        appendTextChild(secureIdentityNode, TagNames.DESCRIPTION, descriptor.getSecurityIdentityDescription());
+        if (Boolean.TRUE.equals(descriptor.getUsesCallerIdentity())) {
+            Node useCaller = secureIdentityNode.getOwnerDocument().createElement(USE_CALLER_IDENTITY);
+            secureIdentityNode.appendChild(useCaller);
+        } else if (Boolean.FALSE.equals(descriptor.getUsesCallerIdentity())) {
+            RunAsNode runAs = new RunAsNode();
+            runAs.writeDescriptor(secureIdentityNode, RUNAS_SPECIFIED_IDENTITY, descriptor.getRunAsIdentity());
         }
+        return secureIdentityNode;
     }
 }
diff --git a/...er/ejb/ejb-container/src/main/java/org/glassfish/ejb/deployment/node/runtime/EjbNode.java b/...er/ejb/ejb-container/src/main/java/org/glassfish/ejb/deployment/node/runtime/EjbNode.java
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2022, 2023 Contributors to the Eclipse Foundation
+ * Copyright (c) 2022, 2024 Contributors to the Eclipse Foundation
  * Copyright (c) 1997, 2018 Oracle and/or its affiliates. All rights reserved.
  *
  * This program and the accompanying materials are made available under the
@@ -212,7 +212,7 @@ public Node writeDescriptor(Node parent, String nodeName, EjbDescriptor ejbDescr
         }
 
         // principal
-        if ( Boolean.FALSE.equals(ejbDescriptor.getUsesCallerIdentity()) ) {
+        if (Boolean.FALSE.equals(ejbDescriptor.getUsesCallerIdentity())) {
             RunAsIdentityDescriptor raid = ejbDescriptor.getRunAsIdentity();
             if ( raid != null && raid.getPrincipal() != null ) {
                 Node principalNode = appendChild(ejbNode, RuntimeTagNames.PRINCIPAL);

diff --git a/...ejb/ejb-container/src/main/java/org/glassfish/ejb/deployment/util/EjbBundleValidator.java b/...ejb/ejb-container/src/main/java/org/glassfish/ejb/deployment/util/EjbBundleValidator.java
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2022, 2023 Contributors to the Eclipse Foundation
+ * Copyright (c) 2022, 2024 Contributors to the Eclipse Foundation
  * Copyright (c) 1997, 2018 Oracle and/or its affiliates. All rights reserved.
  *
  * This program and the accompanying materials are made available under the
@@ -583,7 +583,7 @@ private void computeRuntimeDefault(EjbDescriptor ejb) {
             ejb.setJndiName(SimpleJndiName.of(intfName));
         }
 
-        if (!ejb.getUsesCallerIdentity()) {
+        if (Boolean.FALSE.equals(ejb.getUsesCallerIdentity())) {
             computeRunAsPrincipalDefault(ejb.getRunAsIdentity(), ejb.getApplication());
         }
     }

diff --git a/...jb-container/src/main/java/org/glassfish/ejb/security/application/EJBSecurityManager.java b/...jb-container/src/main/java/org/glassfish/ejb/security/application/EJBSecurityManager.java
@@ -601,7 +601,8 @@ private String getRealmName(EjbDescriptor deploymentDescriptor) {
     }
 
     private RunAsIdentityDescriptor getRunAs(EjbDescriptor deploymentDescriptor) {
-        if (deploymentDescriptor.getUsesCallerIdentity()) {
+        if (!Boolean.FALSE.equals(deploymentDescriptor.getUsesCallerIdentity())) {
+            // true or null disable runAs
             return null;
         }
 

diff --git a/appserver/security/core-ee/src/main/java/com/sun/enterprise/security/ee/Audit.java b/appserver/security/core-ee/src/main/java/com/sun/enterprise/security/ee/Audit.java
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2022, 2023 Contributors to the Eclipse Foundation
+ * Copyright (c) 2022, 2024 Contributors to the Eclipse Foundation
  * Copyright (c) 1997, 2020 Oracle and/or its affiliates. All rights reserved.
  *
  * This program and the accompanying materials are made available under the
@@ -386,7 +386,7 @@ private static void dumpDiagnostics(Application app) {
                 logger.finest("EJB: " + ejb.getEjbClassName());
 
                 // check and show run-as if present
-                if (!ejb.getUsesCallerIdentity()) {
+                if (Boolean.FALSE.equals(ejb.getUsesCallerIdentity())) {
                     RunAsIdentityDescriptor runas = ejb.getRunAsIdentity();
                     if (runas == null) {
                         logger.finest(" (ejb does not use caller " + "identity)");