You are viewing a plain text version of this content. The canonical link for it is here.

Posted to commits@tomee.apache.org by "Luis Fernando Planella Gonzalez (JIRA)" <ji...@apache.org> on 2008/09/03 15:49:44 UTC

[jira] Commented: (OPENEJB-901) TomcatSecurityService should use the context-specific Realm

    [ https://issues.apache.org/jira/browse/OPENEJB-901?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12627999#action_12627999 ] 

Luis Fernando Planella Gonzalez commented on OPENEJB-901:
---------------------------------------------------------

I've attached the test-updated.war file which reproduces the problem.
I've seen the examples, but I can't get it to work, so I've attached it and here is how to reproduce:
* Just to make sure, I've downloaded a clean tomcat 6.0.18 and placed the openejb.war on the webapps dir
* Copy the attached jaas.conf file to tomcat/conf directory, and update the catalina.sh script to include -Djava.security.auth.login.config=$CATALINA_HOME/conf/jaas.conf
* Deploy the test-updated.war and run the server
* Then, navigate to the root of /test-updated and click on the Servlet link.
* On the login prompt, any username / password is validated and granted the role 'user'
* You'll get a Permission Denied message, as well as the result for the EJB.isCallerInRole("user")=false and the Request.isUserInRole("user")=true
What is wrong here?

> TomcatSecurityService should use the context-specific Realm
> -----------------------------------------------------------
>
>                 Key: OPENEJB-901
>                 URL: https://issues.apache.org/jira/browse/OPENEJB-901
>             Project: OpenEJB
>          Issue Type: Bug
>          Components: tomcat
>    Affects Versions: 3.0
>         Environment: Ubuntu Linux 8.04, i386
>            Reporter: Luis Fernando Planella Gonzalez
>         Attachments: ejb-examples.war, jaas.conf, realm.jar, test-updated.war, test.war, test.war
>
>
> TomcatSecurityService currently uses only the default container Realm to authenticate users, ignoring a context-defined Realm.
> So, an user is correctly authenticated on the web application (for example, through j_security_check), but is not correctly authenticated in EJBs.
> Attached, is a war file and a jaas configuration file, which should have the system property java.security.auth.login.config set to it.
> To test, first authenticate by visiting http://localhost:8080/test/protected.jsp. Any username / password is validated, and the "user" role is granted. Then browse to http://localhost:8080/test/test, and a permission denied exception is thrown, because the role "user" is not granted.
> Another test is comment the @RolesAllowed("user") in TestServiceBean.sayHello() method. In this case, the isCallerInRole("user") is alwais false.

-- 
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.