
File Attachments:
| File | Date | Attached By | Size |
| ejb-examples.war | 2008-08-23 09:45 PM | Dain Sundstrom | 28 kB |
| jaas.conf | 2008-08-21 08:06 PM | Luis Fernando Planella Gonzalez | 0.1 kB |
| realm.jar | 2008-08-23 09:45 PM | Dain Sundstrom | 1 kB |
| test-updated.war | 2008-09-03 01:35 PM | Luis Fernando Planella Gonzalez | 12 kB |
| test.war | 2008-08-25 12:44 PM | Luis Fernando Planella Gonzalez | 18 kB |
| test.war | 2008-08-21 08:06 PM | Luis Fernando Planella Gonzalez | 18 kB |

Environment: Ubuntu Linux 8.04, i386
Resolution Date: 20/Oct/08 12:49 PM

Description

TomcatSecurityService currently uses only the default container Realm to authenticate users, ignoring a context-defined Realm.
So, a user is correctly authenticated on the web application (for example, through j_security_check), but is not correctly authenticated in EJBs.
Attached are a WAR file and a JAAS configuration file, to which the system property java.security.auth.login.config should be set.
To test, first authenticate by visiting http://localhost:8080/test/protected.jsp. Any username / password is validated, and the "user" role is granted. Then browse to http://localhost:8080/test/test, and a permission denied exception is thrown, because the role "user" is not granted.
Another test is to comment out the @RolesAllowed("user") in the TestServiceBean.sayHello() method. In this case, isCallerInRole("user") is always false.

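A minimal EJB that exercises both checks described in the report, added here as an example; it is not the code in the attached test.war. The TestService interface, the describeCaller() method and the Realm settings shown in the comment are assumptions.

```java
// Constructed repro sketch; not the contents of the attached test.war.
// Assumed context-specific Realm in the webapp's META-INF/context.xml
// (appName and the principal class names are hypothetical):
//   <Context>
//     <Realm className="org.apache.catalina.realm.JAASRealm"
//            appName="test"
//            userClassNames="example.UserPrincipal"
//            roleClassNames="example.RolePrincipal"/>
//   </Context>
import javax.annotation.Resource;
import javax.annotation.security.PermitAll;
import javax.annotation.security.RolesAllowed;
import javax.ejb.Local;
import javax.ejb.SessionContext;
import javax.ejb.Stateless;

// Hypothetical business interface (would be public, in its own file).
@Local
interface TestService {
    String sayHello();
    String describeCaller();
}

@Stateless
public class TestServiceBean implements TestService {

    @Resource
    private SessionContext ctx;

    // Declarative check. Per the report, a caller who logged in through the
    // context Realm and holds "user" in the web tier is still denied here.
    @RolesAllowed("user")
    public String sayHello() {
        return "Hello, " + ctx.getCallerPrincipal().getName();
    }

    // Programmatic check (hypothetical helper). Per the report, with the
    // annotation out of the way isCallerInRole("user") always returns false.
    @PermitAll
    public String describeCaller() {
        String name = ctx.getCallerPrincipal().getName();
        return name + " isCallerInRole(user)=" + ctx.isCallerInRole("user");
    }
}
```

Comparing the servlet's request.isUserInRole("user") with the output of describeCaller() for the same session shows whether the web tier and the EJB tier agree on the caller's roles.
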
made changes - 21/Aug/08 08:06 PM
| Field | Original Value | New Value |
| Attachment | | jaas.conf [ 12388691 ] |
| Attachment | | test.war [ 12388690 ] |

made changes - 21/Aug/08 08:10 PM
| Field | Original Value | New Value |
| Description | TomcatSecurityService currently uses only the default container Realm to authenticate users, ignoring a context-defined Realm. So, a user is correctly authenticated on the web application (for example, through j_security_check), but is not correctly authenticated in EJBs. | TomcatSecurityService currently uses only the default container Realm to authenticate users, ignoring a context-defined Realm. So, a user is correctly authenticated on the web application (for example, through j_security_check), but is not correctly authenticated in EJBs. Attached are a WAR file and a JAAS configuration file, to which the system property java.security.auth.login.config should be set. To test, first authenticate by visiting http://localhost:8080/test/protected.jsp. Any username / password is validated, and the "user" role is granted. Then browse to http://localhost:8080/test/test, and a permission denied exception is thrown, because the role "user" is not granted. Another test is to comment out the @RolesAllowed("user") in the TestServiceBean.sayHello() method. In this case, isCallerInRole("user") is always false. |

made changes - 23/Aug/08 09:45 PM
| Field | Original Value | New Value |
| Attachment | | realm.jar [ 12388804 ] |

made changes - 25/Aug/08 12:44 PM
| Field | Original Value | New Value |
| Attachment | | test.war [ 12388841 ] |

made changes - 20/Oct/08 12:49 PM
| Field | Original Value | New Value |
| Resolution | | Fixed [ 1 ] |
| Status | Open [ 1 ] | Resolved [ 5 ] |

made changes - 29/Oct/08 07:34 PM
| Field | Original Value | New Value |
| Fix Version/s | | 3.1 [ 12312761 ] |
| Assignee | | Dain Sundstrom [ dain ] |
| Summary | TomcatSecurityService should use the context-specific Realm | Fixed broken isCallerInRole when using Tomcat JAASRealm with the TomcatSecurityService |