[
https://issues.apache.org/jira/browse/OPENEJB-901?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
David Blevins updated OPENEJB-901:
----------------------------------
Fix Version/s: 3.1
Assignee: Dain Sundstrom
Summary: Fixed broken isCallerInRole when using Tomcat JAASRealm with
the TomcatSecurityService (was: TomcatSecurityService should use the
context-specific Realm)
> Fixed broken isCallerInRole when using Tomcat JAASRealm with the
> TomcatSecurityService
> --------------------------------------------------------------------------------------
>
> Key: OPENEJB-901
> URL: https://issues.apache.org/jira/browse/OPENEJB-901
> Project: OpenEJB
> Issue Type: Bug
> Components: tomcat
> Affects Versions: 3.0
> Environment: Ubuntu Linux 8.04, i386
> Reporter: Luis Fernando Planella Gonzalez
> Assignee: Dain Sundstrom
> Fix For: 3.1
>
> Attachments: ejb-examples.war, jaas.conf, realm.jar,
> test-updated.war, test.war, test.war
>
>
> TomcatSecurityService currently uses only the default container Realm to
> authenticate users, ignoring a context-defined Realm.
> So, an user is correctly authenticated on the web application (for example,
> through j_security_check), but is not correctly authenticated in EJBs.
> Attached, is a war file and a jaas configuration file, which should have the
> system property java.security.auth.login.config set to it.
> To test, first authenticate by visiting
> http://localhost:8080/test/protected.jsp. Any username / password is
> validated, and the "user" role is granted. Then browse to
> http://localhost:8080/test/test, and a permission denied exception is thrown,
> because the role "user" is not granted.
> Another test is comment the @RolesAllowed("user") in
> TestServiceBean.sayHello() method. In this case, the isCallerInRole("user")
> is alwais false.
--
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.
