tomee-users mailing list archives

From Quintin Beukes
Subject RunAs Unit Test EJBS for testing Security
Date Mon, 21 Sep 2009 11:57:06 GMT

On the OpenEJB site there is an example for testing EJB security by
creating a dedicated EJB with a RunAs annotation, to have that EJB
execute as the specified role, and thus emulate what it would be like
when that user executes. This is fine for just quickly testing if your
roles work.

But what if your EJB security is strict on some methods, and the only
way to execute it is as a given role? Or, more, you want to test the
functionality of a method as different users?

And to add to this, what if you're using JTA?

Then once you enter the unit test EJB, you will be starting a CMT, and
your unit test won't run things exactly as it would, had you executed
the same calls from a remote client for instance. The reason for this
is that the RunAs EJB wraps the transactions of the EJBs you are
calling, and the result can be undefined, and definitely not accurate
to real world situations. You're most likely to notice this when you
start using multiple persistence units and EJB jars, like I just did a
few moments ago.

A possible solution would be to add
"@TransactionAttribute(TransactionAttributeType.NEVER)" as another
annotation to your test EJB, so it ends up something like this:
@RunAs("VDS Admin")
public class VdsAdminBean implements

The alternative is to manually join the transactions, but this doesn't
seem like the correct solution, as it's something only required when
you're doing unit tests, or when calling the code from another EJB. In
the latter case I feel it's the job of the calling EJB to manage the
transactions, and not the job of the called EJB to know about every
possible situation it will be thrown in.

These are some of the findings/thoughts I had. Please correct me if I'm wrong.

Quintin Beukes
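
An added example, not part of the original message and not OpenEJB's own code: a complete form of the test EJB the message describes, carrying both the RunAs and the TransactionAttribute annotations. The interface name Caller and its call method are assumptions, since the class declaration in the message is cut off after "implements"; the two types belong in separate source files.

```java
// ---- Caller.java (hypothetical business interface; name is an assumption) ----
import java.util.concurrent.Callable;
import javax.ejb.Local;

@Local
public interface Caller {
    // Runs the given test code inside the container, under the bean's RunAs role.
    <V> V call(Callable<V> callable) throws Exception;
}

// ---- VdsAdminBean.java (test-only EJB, packaged with the unit tests) ----
import java.util.concurrent.Callable;
import javax.annotation.security.RunAs;
import javax.ejb.Stateless;
import javax.ejb.TransactionAttribute;
import javax.ejb.TransactionAttributeType;

@Stateless
// EJB calls made from inside this bean are propagated with the "VDS Admin" role.
@RunAs("VDS Admin")
// NEVER: the container starts no transaction for this bean, and rejects the
// call if the caller already has one. The wrapper therefore cannot enclose
// the transactions of the EJBs under test.
@TransactionAttribute(TransactionAttributeType.NEVER)
public class VdsAdminBean implements Caller {

    @Override
    public <V> V call(Callable<V> callable) throws Exception {
        // Each secured EJB invoked by the callable applies its own transaction
        // attribute here, the same way it would for a call arriving from a
        // remote client with no transaction context.
        return callable.call();
    }
}
```

A test obtains the Caller reference from the container and passes it a Callable that invokes the secured methods; the same Callable run without the wrapper should be rejected with javax.ejb.EJBAccessException when the method is restricted to the role.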
