Hi, I'm using the latest Geronimo 2.0 snapshot from the codebase. I understand that security has changed somewhat from Geronimo 1.2. I'm running into an issue where I have a JSP with a specific "run-as" role calling a secured EJB. This JSP has its run-as role defined in the web.xml as follows:
----
<servlet>
    <servlet-name>MessagePage</servlet-name>
    <jsp-file>/common/Message.jsp</jsp-file>
    <run-as>
        <role-name>TESTSYSTEM</role-name>
    </run-as>
</servlet>
----

I have a default run-as role mapped in my geronimo-application.xml in my EAR as follows:

----
<security:security>
    <security:default-principal>
        <security:principal class="org.apache.geronimo.security.realm.providers.GeronimoUserPrincipal" name="" />
    </security:default-principal>
    <security:role-mappings>
        <security:role role-name="TESTSYSTEM">
            <security:principal class="org.apache.geronimo.security.realm.providers.GeronimoUserPrincipal" name="test-system" designated-run-as="true" />
        </security:role>
    </security:role-mappings>
</security:security>
----

This used to work in Geronimo 1.2, but it appears now that the JSP does not run with the run-as principal; rather it seems that it runs with no principals. Therefore, the call to the secured EJB causes a security access exception.

Is this supposed to work the same way in Geronimo 2.0? If so, then maybe this is a problem in Tomcat ....

Thanks,
Aman
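Added example, not part of the original message or of Geronimo: a small Python check that every `<run-as>` role declared in web.xml has a principal marked `designated-run-as="true"` in the plan's role mappings, which rules out a mapping mistake before suspecting the container. The sample XML is constructed from the snippets above, the namespace URI is a placeholder assumption, and the function names are hypothetical.

```python
import xml.etree.ElementTree as ET

# Constructed inputs modelled on the post's snippets. The namespace URI is a
# placeholder (assumption); elements are matched by local name only.
WEB_XML = """<web-app><servlet>
  <servlet-name>MessagePage</servlet-name>
  <run-as><role-name>TESTSYSTEM</role-name></run-as>
</servlet></web-app>"""
PLAN_XML = """<application xmlns:security="urn:example:placeholder">
 <security:security><security:role-mappings>
  <security:role role-name="TESTSYSTEM">
   <security:principal name="test-system" designated-run-as="true"
     class="org.apache.geronimo.security.realm.providers.GeronimoUserPrincipal"/>
  </security:role>
 </security:role-mappings></security:security>
</application>"""


def find(elem, name, recurse=False):
    """Children (or all descendants) of elem whose tag is name, ignoring namespace."""
    pool = elem.iter() if recurse else elem
    return [e for e in pool if e.tag.rsplit("}", 1)[-1] == name]


def run_as_roles(web_xml):
    """Map servlet-name -> run-as role-name declared in web.xml."""
    roles = {}
    for servlet in find(ET.fromstring(web_xml), "servlet", recurse=True):
        names = find(servlet, "servlet-name")
        for role in (r for ra in find(servlet, "run-as") for r in find(ra, "role-name")):
            roles[names[0].text.strip() if names else "?"] = role.text.strip()
    return roles


def designated_principals(plan_xml):
    """Map role-name -> names of principals flagged designated-run-as="true"."""
    return {role.get("role-name"): [p.get("name") for p in find(role, "principal")
                                    if p.get("designated-run-as") == "true"]
            for role in find(ET.fromstring(plan_xml), "role", recurse=True)}


def unmapped_run_as(web_xml, plan_xml):
    """Return (servlet, role) pairs whose run-as role has no designated principal."""
    mapped = designated_principals(plan_xml)
    return [(s, r) for s, r in run_as_roles(web_xml).items() if not mapped.get(r)]


if __name__ == "__main__":
    print(unmapped_run_as(WEB_XML, PLAN_XML) or "every run-as role has a designated principal")
```

An empty result for the configuration shown in the message means the descriptors are consistent with each other, so the missing principal at runtime would have to come from how the server applies them.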