Hi,
I'm using the latest Geronimo 2.0 snapshot from the codebase. I understand
that security has changed somewhat from Geronimo 1.2. I'm running into an
issue where I have a JSP with a specific "run-as" role calling a secured
EJB. This JSP has its run-as role defined in the web.xml as follows:
----
<servlet>
<servlet-name>MessagePage</servlet-name>
<jsp-file>/common/Message.jsp</jsp-file>
<run-as>
<role-name>TESTSYSTEM</role-name>
</run-as>
</servlet>
----
I have a default run-as role mapped in my geronimo-application.xml in my
EAR as follows:
----
<security:security>
<security:default-principal>
<security:principal
class="org.apache.geronimo.security.realm.providers.GeronimoUserPrincipal"
name="" />
</security:default-principal>
<security:role-mappings>
<security:role role-name="TESTSYSTEM">
<security:principal
class="org.apache.geronimo.security.realm.providers.GeronimoUserPrincipal"
name="test-system" designated-run-as="true" />
</security:role>
</security:role-mappings>
</security:security>
----
This used to work in Geronimo 1.2, but it appears now that the JSP does not
run with the run-as principal; rather it seems that it runs with no
principals. Therefore, the call to the secured EJB causes a security
access exception. Is this supposed to work the same way in Geronimo 2.0?
If so, then maybe this is a problem in Tomcat ....
Thanks,
Aman
__________________________________________________________________________________
* This message is intended only for the use of the individual or entity to
which it is addressed, and may contain information that is privileged,
confidential and exempt from disclosure under applicable law. Unless you are
the addressee (or authorized to receive for the addressee), you may not use,
copy or disclose the message or any information contained in the message. If
you have received this message in error, please advise the sender by reply
e-mail , and delete the message, or call (collect) 001 613 747 4698. *
