Posted to dev@geronimo.apache.org by "Stig Even Larsen (JIRA)" <ji...@apache.org> on 2008/06/17 10:23:45 UTC
[jira] Commented: (GERONIMO-4119) request.isUserInRole("some-role") always return false after @EJB injection
[ https://issues.apache.org/jira/browse/GERONIMO-4119?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12605520#action_12605520 ]
Stig Even Larsen commented on GERONIMO-4119:
--------------------------------------------
In the 2.0.3 SNAPSHOT of 20080616 the malfunction is partially fixed. After the first login (the first login after deployment) request.isUserInRole(xxx) returns false. If I reload the page (e.g. calling the servlet again) it returns true. If I then invalidate the session and log in again it returns true (it behaves normally).
> request.isUserInRole("some-role") always return false after @EJB injection
> --------------------------------------------------------------------------
>
> Key: GERONIMO-4119
> URL: https://issues.apache.org/jira/browse/GERONIMO-4119
> Project: Geronimo
> Issue Type: Bug
> Security Level: public(Regular issues)
> Components: OpenEJB, Tomcat, web
> Affects Versions: 2.0.2
> Environment: Geronimo 2.0.2 running on Debian Etch with Java 1.5.0_14
> Reporter: Stig Even Larsen
> Priority: Blocker
>
> See mailing list discussion: http://www.nabble.com/request.isUserInRole%28%22some-role%22%29-always-return-false-after-%40EJB-injection-td17862975s134.html
> To recreate the malfunction you need to do the following:
> 1. Create an EAR with a local session bean and a war
> 2. Use the default console security realm (geronimo-admin) for protecting the {context-path}/protected/* area.
> Create a new group named "partnergroup" and add the "system" user to it. Map the "partnergroup" to the partners role in the deployment descriptor (geronimo-web.xml)
> 3. Create a simple but form protected (j_security_check) *jsp* page, ex: {context-path}/protected/test.jsp.
> {code:title=/protected/test.jsp|borderStyle=solid}
> <%@page contentType="text/html" pageEncoding="UTF-8"%>
> <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"
> "http://www.w3.org/TR/html4/loose.dtd">
> <html>
> <head>
> <meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
> <title>JSP Test</title>
> </head>
> <body>
> <h2>Role test</h2>
> <%if(request.isUserInRole("partners")){%>
> user is partner :)
> <%}else{%>
> user is NOT partner :(
> <%}%>
> </body>
> </html>
> {code}
> 4. Create a simple Session Bean (EJB) with a simple local method:
> {code:title=TimeUtilsBean.java|borderStyle=solid}
> @Stateless
> public class TimeUtilsBean implements TimeUtilsLocal {
> public String getString() {
> return "Hello from Stateless EJB!";
> }
>
> }
> {code}
> 5. Create a simple but form protected (j_security_check) *Servlet* that uses the local EJB (ex: {context-path}/protected/info)
> {code:title=/protected/Info.java|borderStyle=solid}
> import java.io.*;
> import java.net.*;
> import javax.ejb.EJB;
> import javax.servlet.*;
> import javax.servlet.http.*;
> import javax.naming.*;
> import javax.annotation.security.*;
> import no.nimra.geronimo.test.TimeUtilsLocal;
> import no.nimra.nis.admin.ejb.*;
> @DeclareRoles({"administrators", "partners", "users"})
> public class Info extends HttpServlet {
> @EJB
> private TimeUtilsLocal timeUtilsBean;
>
>
> protected void processRequest(HttpServletRequest request, HttpServletResponse response)
> throws ServletException, IOException {
> response.setContentType("text/html;charset=UTF-8");
> PrintWriter out = response.getWriter();
> out.println("SessionID: " + request.getRequestedSessionId());
> System.out.println("Principal: " + request.getUserPrincipal().getName());
> if (request.isUserInRole("partners")) {
> System.out.println("User has partners-role...");
> out.println("User has partners-role...");
> } else {
> System.out.println("User has NOT partners-role...");
> out.println("User has NOT partners-role...");
> }
> try {
> out.println("<html>");
> out.println("<head>");
> out.println("<title>Servlet Info</title>");
> out.println("</head>");
> out.println("<body>");
> out.println("<h1> " + request.getContextPath() + "</h1>");
> if (request.getUserPrincipal() != null) {
> out.println("Principal: " + request.getUserPrincipal().getName());
> }
> out.println(timeUtilsBean.getString());
> out.println("</body>");
> out.println("</html>");
> } finally {
> out.close();
> }
> }
> protected void doGet(HttpServletRequest request, HttpServletResponse response)
> throws ServletException, IOException {
> processRequest(request, response);
> }
> protected void doPost(HttpServletRequest request, HttpServletResponse response)
> throws ServletException, IOException {
> processRequest(request, response);
> }
> }
> {code}
> Description:
> Access http://{context-path}/protected/test.jsp. After successful login you will see that your login has the "partners" role. As expected.
> If you access the servlet at http://{context-path}/protected/info you will notice that you do not have the "partners" role.
> If you remove the @EJB injection it behaves as expected.
--
This message is automatically generated by JIRA.
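The symptom in the comment above (isUserInRole false on the first request after login, true on the next request in the same session) is easiest to pin down with per-request logging of the principal, the session id and each role outcome. The filter below is an added example, not code from the reporter or from the Geronimo project; the class name RoleConsistencyFilter, the package and the "roles" init-param are assumptions. It targets the servlet 2.5 / Java 5 API the report uses, and it flags exactly the false-to-true flip within one session that the comment describes.

```java
package example.diagnostics; // hypothetical package, not part of the reported application

import java.io.IOException;
import java.security.Principal;
import java.util.LinkedHashMap;
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;
import java.util.logging.Logger;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpSession;

/**
 * Logs, for every request it is mapped to, the principal, the session id and the
 * outcome of isUserInRole() for each configured role, and warns when the same
 * session answers false for a role on one request and true on a later one
 * without a new login (the behaviour reported against GERONIMO-4119).
 */
public class RoleConsistencyFilter implements Filter {

    private static final Logger LOG = Logger.getLogger(RoleConsistencyFilter.class.getName());

    // Roles to probe; overridden by a comma-separated "roles" init-param (assumed name).
    private String[] roles = {"partners"};

    // Last observed outcome per "sessionId|role" so a false->true flip is visible.
    private final Map<String, Boolean> lastOutcome = new ConcurrentHashMap<String, Boolean>();

    public void init(FilterConfig config) {
        String configured = config.getInitParameter("roles");
        if (configured != null && configured.trim().length() > 0) {
            roles = configured.trim().split("\\s*,\\s*");
        }
    }

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        // Container authentication has already run when a filter executes, so the
        // role answers seen here are the same ones the servlet will get.
        if (req instanceof HttpServletRequest) {
            inspect((HttpServletRequest) req);
        }
        chain.doFilter(req, res);
    }

    /** Evaluates each configured role, logs the result and returns the outcomes. */
    Map<String, Boolean> inspect(HttpServletRequest request) {
        Principal principal = request.getUserPrincipal();
        String who = principal == null ? "<anonymous>" : principal.getName();
        HttpSession session = request.getSession(false); // never create a session just to log
        String sid = session == null ? "<no-session>" : session.getId();

        Map<String, Boolean> outcomes = new LinkedHashMap<String, Boolean>();
        for (String role : roles) {
            boolean inRole = request.isUserInRole(role);
            outcomes.put(role, inRole);

            Boolean previous = lastOutcome.put(sid + "|" + role, inRole);
            String msg = "uri=" + request.getRequestURI() + " principal=" + who
                    + " session=" + sid + " role=" + role + " inRole=" + inRole;

            if (previous != null && !previous.booleanValue() && inRole) {
                // Same session, same role, earlier request said false: the reported symptom.
                LOG.warning("ROLE FLIP false->true within one session: " + msg);
            } else if (principal != null && !inRole) {
                // Authenticated user denied a role: worth a visible record either way.
                LOG.info("role denied for authenticated user: " + msg);
            } else {
                LOG.fine(msg);
            }
        }
        return outcomes;
    }

    public void destroy() {
        lastOutcome.clear();
    }
}
```

Map the filter in web.xml to the same url-pattern as the protected area (for the report above, /protected/*) with an init-param named roles whose value lists the roles to probe, e.g. partners. The lastOutcome map grows by one entry per session and role and is never pruned, which is acceptable for a diagnostic filter left in place only while reproducing the issue; a warning line in the log that names the session id and principal is enough to tell a first-request-after-login denial apart from a genuine role-mapping problem in geronimo-web.xml.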