
Key: OPENEJB-901
Type: Bug
Status: Resolved
Resolution: Fixed
Priority: Major
Assignee: Dain Sundstrom
Reporter: Luis Fernando Planella Gonzalez
Votes: 0
Watchers: 0
OpenEJB

Fixed broken isCallerInRole when using Tomcat JAASRealm with the TomcatSecurityService

Created: 21/Aug/08 07:44 PM   Updated: 29/Oct/08 07:53 PM
Component/s: tomcat
Affects Version/s: 3.0
Fix Version/s: 3.1

Time Tracking:
Not Specified

File Attachments (all licensed for inclusion in ASF works):
  ejb-examples.war    28 kB   2008-08-23 09:45 PM   Dain Sundstrom
  jaas.conf           0.1 kB  2008-08-21 08:06 PM   Luis Fernando Planella Gonzalez
  realm.jar           1 kB    2008-08-23 09:45 PM   Dain Sundstrom
  test-updated.war    12 kB   2008-09-03 01:35 PM   Luis Fernando Planella Gonzalez
  test.war            18 kB   2008-08-25 12:44 PM   Luis Fernando Planella Gonzalez
  test.war            18 kB   2008-08-21 08:06 PM   Luis Fernando Planella Gonzalez
Environment: Ubuntu Linux 8.04, i386

Resolution Date: 20/Oct/08 12:49 PM


Description
TomcatSecurityService currently uses only the default container Realm to authenticate users, ignoring a context-defined Realm.
So, a user is correctly authenticated on the web application (for example, through j_security_check), but is not correctly authenticated in EJBs.
Attached are a war file and a JAAS configuration file; the system property java.security.auth.login.config should be set to point to the latter.
To test, first authenticate by visiting http://localhost:8080/test/protected.jsp. Any username / password is validated, and the "user" role is granted. Then browse to http://localhost:8080/test/test, and a permission denied exception is thrown, because the role "user" is not granted.
Another test is to comment out the @RolesAllowed("user") on the TestServiceBean.sayHello() method. In this case, isCallerInRole("user") is always false.
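
A probe for the web-tier/EJB-tier mismatch described above, as an added example that is not part of the original report or its attached WAR files. The names RoleProbe, RoleProbeBean and RoleProbeServlet are hypothetical; it assumes EJB 3.0 and Servlet 2.5 APIs, one class per file, and that the servlet is mapped in web.xml behind the same security constraint as protected.jsp.

```java
// ---- RoleProbe.java (hypothetical local business interface) ----
import javax.ejb.Local;

@Local
public interface RoleProbe {
    String callerName();
    boolean callerHasRole(String role);
}

// ---- RoleProbeBean.java (hypothetical) ----
import javax.annotation.Resource;
import javax.annotation.security.DeclareRoles;
import javax.annotation.security.PermitAll;
import javax.ejb.SessionContext;
import javax.ejb.Stateless;

@Stateless
@DeclareRoles("user") // role name taken from the report; required for isCallerInRole
@PermitAll            // no declarative check, so a mismatch is reported, not thrown
public class RoleProbeBean implements RoleProbe {
    @Resource
    private SessionContext ctx;

    public String callerName() { return ctx.getCallerPrincipal().getName(); }
    public boolean callerHasRole(String role) { return ctx.isCallerInRole(role); }
}

// ---- RoleProbeServlet.java (hypothetical; map it in web.xml) ----
import java.io.IOException;
import javax.ejb.EJB;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

public class RoleProbeServlet extends HttpServlet {
    @EJB
    private RoleProbe probe;

    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp) throws IOException {
        boolean web = req.isUserInRole("user");   // answer from the context-defined Realm
        boolean ejb = probe.callerHasRole("user"); // answer from the EJB security service
        resp.setContentType("text/plain");
        resp.getWriter().printf("web user=%s role=%b%nejb caller=%s role=%b%n%s%n",
                req.getRemoteUser(), web, probe.callerName(), ejb,
                web == ejb ? "OK" : "MISMATCH: web identity not propagated to EJB tier");
    }
}
```

With the behaviour reported against 3.0, the servlet would print MISMATCH after a successful j_security_check login, because the web tier grants "user" while the EJB tier does not.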
