If the application is using RunAs roles in the weblogic-ejb-jar.xml file, the role needs to be mapped to a user in the WebLogic domain. To enable this configuration on the server, two elements need to be added to this file:
- <run-as-principal-name> element for the EJB that is configured to use RunAs roles
- <security-role-assignment> element for the role
The <run-as-principal-name> element resides inside the <weblogic-enterprise-bean> element for the EJB. The element tells the server to run the EJB as the specified user. The sample below uses weblogic as the username because this is the default name of the WebLogic admin user. The entry should look similar to the following:
<run-as-principal-name>weblogic</run-as-principal-name>
The value (weblogic) must be the name of a user that exists in the domain. When this user is mapped to the Manager role, all users with the Manager role can run the EJB. The <weblogic-enterprise-bean> section of the file should look similar to the following for the sample payroll application. These sample lines configure the EmployeeSessionEJB:
<weblogic-enterprise-bean>
  <ejb-name>EmployeeSessionEJB</ejb-name>
  <reference-descriptor>
    <ejb-local-reference-description>
      <ejb-ref-name>ejb/EmployeeEJB</ejb-ref-name>
      <jndi-name>ejb.EmployeeEJB</jndi-name>
    </ejb-local-reference-description>
  </reference-descriptor>
  <enable-call-by-reference>True</enable-call-by-reference>
  <run-as-principal-name>weblogic</run-as-principal-name>
  <jndi-name>ejb.EmployeeSessionEJB</jndi-name>
</weblogic-enterprise-bean>
The <security-role-assignment> element needs to be placed outside of the <weblogic-enterprise-bean> element, and it needs to map the Manager role to the weblogic user specified in the <run-as-principal-name> element. It should look similar to the following for the sample payroll application:
<security-role-assignment>
  <role-name>Manager</role-name>
  <principal-name>weblogic</principal-name>
</security-role-assignment>
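The following check is an added example, not part of the original documentation or of WebLogic itself. It parses a weblogic-ejb-jar.xml descriptor and reports any <run-as-principal-name> that has no matching <principal-name> in a <security-role-assignment>, and any EJB that runs as the default admin user. The function name check_run_as, the embedded sample descriptor and the admin-user flag are assumptions made for this illustration.

```python
import xml.etree.ElementTree as ET

# Constructed sample descriptor, assembled from the fragments on this page.
SAMPLE = """<weblogic-ejb-jar>
  <weblogic-enterprise-bean>
    <ejb-name>EmployeeSessionEJB</ejb-name>
    <run-as-principal-name>weblogic</run-as-principal-name>
  </weblogic-enterprise-bean>
  <security-role-assignment>
    <role-name>Manager</role-name>
    <principal-name>weblogic</principal-name>
  </security-role-assignment>
</weblogic-ejb-jar>"""

DEFAULT_ADMIN = "weblogic"  # default WebLogic admin user name, per the text above


def _children(elem, name):
    # Compare local names so namespaced and DTD-style descriptors both work.
    return [c for c in elem if c.tag.rsplit("}", 1)[-1] == name]


def _text(elem, name):
    found = _children(elem, name)
    return (found[0].text or "").strip() if found else None


def check_run_as(xml_text, admin_users=(DEFAULT_ADMIN,)):
    """Return a list of (ejb_name, principal, problem) findings."""
    root = ET.fromstring(xml_text)
    # Collect every principal that some security-role-assignment maps to a role.
    mapped = set()
    for assignment in _children(root, "security-role-assignment"):
        for principal in _children(assignment, "principal-name"):
            mapped.add((principal.text or "").strip())
    findings = []
    for bean in _children(root, "weblogic-enterprise-bean"):
        principal = _text(bean, "run-as-principal-name")
        if principal is None:
            continue  # this EJB does not declare a RunAs principal
        ejb = _text(bean, "ejb-name")
        if principal not in mapped:
            findings.append((ejb, principal, "no security-role-assignment"))
        if principal in admin_users:
            findings.append((ejb, principal, "runs as admin user"))
    return findings


if __name__ == "__main__":
    for finding in check_run_as(SAMPLE):
        print(finding)
```

Run against the sample payroll descriptor, the check reports that EmployeeSessionEJB runs as the admin user; the check cannot confirm that the named user exists in the domain, which still has to be verified on the server.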