Dain Sundstrom added a comment - 23/Aug/08 08:09 PM
The example is missing the org.test.CustomRealm class. I'll try to reproduce without it, but it would be helpful to have.
I modified the OpenEJB ejb-examples for Tomcat to use a custom realm and it is working for me. Attached are the ejb-examples.war file and realm.jar. Place the war in the Tomcat webapps directory and realm.jar in the Tomcat lib directory, and then visit the http://localhost:8080/ejb-examples URL. Click the secure link and enter the user name manager with password manager.
Here is the code for my CustomRealm:

    package org.superbiz.servlet;

    import java.security.Principal;
    import java.util.Arrays;

    import org.apache.catalina.realm.GenericPrincipal;
    import org.apache.catalina.realm.RealmBase;

    public class CustomRealm extends RealmBase {

        protected String getName() {
            return "CustomRealm";
        }

        // The password is the same as the user name, so any user name logs in.
        protected String getPassword(String user) {
            System.out.println("CustomRealm.getPassword(" + user + ")=" + user);
            return user;
        }

        // Every user is granted the role "user" plus a role named after the user.
        protected Principal getPrincipal(String user) {
            GenericPrincipal principal =
                new GenericPrincipal(this, user, user, Arrays.asList(user, "user"));
            System.out.println("CustomRealm.getPrincipal(" + user + ")=" + principal);
            return principal;
        }
    }

Basically, any user is allowed and the password is the same as the user name. The user is granted the role "user" and a role that has the same name as the user name. The only modification I made to the ejb-example code was to add <Realm className="org.superbiz.servlet.CustomRealm"/> to the context.xml file. You can find the code for ejb-examples at https://svn.apache.org/repos/asf/openejb/trunk/openejb3/examples/webapps/ejb-examples If you are still having problems, I will need your CustomRealm class.
Fixed context.xml
Updated and cleaned up test war
I've attached the test-updated.war file which reproduces the problem.
I've seen the examples, but I can't get it to work, so I've attached it and here is how to reproduce:
* Just to make sure, I've downloaded a clean tomcat 6.0.18 and placed the openejb.war in the webapps dir
* Copy the attached jaas.conf file to the tomcat/conf directory, and update the catalina.sh script to include -Djava.security.auth.login.config=$CATALINA_HOME/conf/jaas.conf
* Deploy the test-updated.war and run the server
* Then, navigate to the root of /test-updated and click on the Servlet link.
* On the login prompt, any username / password is validated and granted the role 'user'
* You'll get a Permission Denied message, as well as the result for the EJB.isCallerInRole("user")=false and the Request.isUserInRole("user")=true
What is wrong here? It seems that OpenEJBValve is invoking TomcatSecurityService.enterWebApp() passing the principal obtained from request.getUserPrincipal().
The problem here is that the RealmBase can only determine whether a role is granted if the principal is a GenericPrincipal, but request.getUserPrincipal() checks whether the principal is a GenericPrincipal and, if yes, returns GenericPrincipal.getUserPrincipal(). This method checks if a custom principal was passed as the user principal, returning it. Since JAASRealm always passes the user principal, the result is that RealmBase.hasRole() never receives a GenericPrincipal, yielding false. To make a long story short, I think that changing OpenEJBValve to pass request.getPrincipal() instead of request.getUserPrincipal() would fix this issue, but I don't know if there are other implications.

Author: dain
Date: Wed Sep 10 20:52:02 2008
New Revision: 694102
URL: http://svn.apache.org/viewvc?rev=694102&view=rev
Log: Fixed broken isCallerInRole when using Tomcat JAASRealm with the TomcatSecurityService
Added basic security and runas tests to Tomcat itests
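The unwrapping described in the diagnosis above, as an added example that is not code from the issue thread or from OpenEJB/Tomcat: it builds the GenericPrincipal wrapper the way Tomcat 6 JAASRealm does and runs RealmBase.hasRole() on both the wrapper (what request.getPrincipal() returns) and the unwrapped JAAS principal (what request.getUserPrincipal() returns). It assumes catalina.jar from Tomcat 6.0.x on the classpath; JaasUserPrincipal, DemoRealm and RoleCheckDemo are made-up stand-ins.

```java
// Added example, not from the issue thread or the OpenEJB/Tomcat code base.
// Assumes catalina.jar from Tomcat 6.0.x on the classpath. No Request object
// is built; the two accessors are modelled by the wrapper/unwrapped pair that
// Request.getPrincipal() and Request.getUserPrincipal() hand back.
import java.security.Principal;
import java.util.Arrays;
import java.util.List;

import org.apache.catalina.realm.GenericPrincipal;
import org.apache.catalina.realm.RealmBase;

public class RoleCheckDemo {

    /** Stand-in for the principal a JAAS LoginModule puts into the Subject. */
    static final class JaasUserPrincipal implements Principal {
        private final String name;
        JaasUserPrincipal(String name) { this.name = name; }
        public String getName() { return name; }
    }

    /** Minimal realm; only hasRole(), inherited from RealmBase, matters here. */
    static final class DemoRealm extends RealmBase {
        protected String getName() { return "DemoRealm"; }
        protected String getPassword(String user) { return null; }
        protected Principal getPrincipal(String user) { return null; }
    }

    /** RealmBase.hasRole() sees roles only on a GenericPrincipal. */
    static boolean roleVisible(RealmBase realm, Principal p, String role) {
        return realm.hasRole(p, role);
    }

    public static void main(String[] args) {
        DemoRealm realm = new DemoRealm();
        Principal jaasUser = new JaasUserPrincipal("manager");
        List<String> roles = Arrays.asList("user");

        // What JAASRealm.createPrincipal() builds: the roles live on the
        // wrapper, the JAAS principal rides along as the "user principal".
        GenericPrincipal wrapper =
            new GenericPrincipal(realm, "manager", null, roles, jaasUser);

        Principal fromGetPrincipal = wrapper;                     // Request.getPrincipal()
        Principal fromGetUserPrincipal = wrapper.getUserPrincipal(); // Request.getUserPrincipal()

        System.out.println("via getPrincipal():     "
            + roleVisible(realm, fromGetPrincipal, "user"));
        System.out.println("via getUserPrincipal(): "
            + roleVisible(realm, fromGetUserPrincipal, "user"));
    }
}
```

Running it shows the role check succeed for the wrapper and fail for the unwrapped principal, which is exactly the isCallerInRole("user")=false versus isUserInRole("user")=true split reported above.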