[OPENEJB-901] Fixed broken isCallerInRole when using Tomcat JAASRealm with the TomcatSecurityService - ASF JIRA

XML

Word

Printable

JSON

Details

Type: Bug
Status: Resolved
Priority: Major
Resolution: Fixed
Affects Version/s: 3.0
Fix Version/s: 3.1
Component/s: tomee
Labels:
None
Environment:
Ubuntu Linux 8.04, i386

Description

TomcatSecurityService currently uses only the default container Realm to authenticate users, ignoring a context-defined Realm.
So, an user is correctly authenticated on the web application (for example, through j_security_check), but is not correctly authenticated in EJBs.
Attached, is a war file and a jaas configuration file, which should have the system property java.security.auth.login.config set to it.
To test, first authenticate by visiting http://localhost:8080/test/protected.jsp. Any username / password is validated, and the "user" role is granted. Then browse to http://localhost:8080/test/test, and a permission denied exception is thrown, because the role "user" is not granted.
Another test is comment the @RolesAllowed("user") in TestServiceBean.sayHello() method. In this case, the isCallerInRole("user") is alwais false.

Attachments

- Sort By Name
- Sort By Date
- Ascending
- Descending

test-updated.war
03/Sep/08 13:35
12 kB
Luis Fernando Planella Gonzalez
test.war
21/Aug/08 20:06
18 kB
Luis Fernando Planella Gonzalez
test.war
25/Aug/08 12:44
18 kB
Luis Fernando Planella Gonzalez
realm.jar
23/Aug/08 21:45
1 kB
Dain Sundstrom
jaas.conf
21/Aug/08 20:06
0.1 kB
Luis Fernando Planella Gonzalez
ejb-examples.war
23/Aug/08 21:45
28 kB
Dain Sundstrom

Activity

People

Assignee:: Dain Sundstrom

Reporter:: Luis Fernando Planella Gonzalez

Votes:: 0 Vote for this issue

Watchers:: 0 Start watching this issue

Dates

Created:: 21/Aug/08 19:44

Updated:: 29/Oct/08 19:53

Resolved:: 20/Oct/08 12:49