[ https://issues.apache.org/jira/browse/TOMEE-1191?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Romain Manni-Bucau resolved TOMEE-1191.
---------------------------------------
       Resolution: Fixed
    Fix Version/s: 1.7.0
                   7.0.0-M1

> Contextual realm is ignored when protecting EJB
> -----------------------------------------------
>
>                 Key: TOMEE-1191
>                 URL: https://issues.apache.org/jira/browse/TOMEE-1191
>             Project: TomEE
>          Issue Type: Bug
>    Affects Versions: 1.6.0.1
>         Environment: Windows 7 64 bit, Eclipse EE Kepler
>            Reporter: Artyom Karalov
>             Fix For: 7.0.0-M1, 1.7.0
>
>
> 1. I created a new web application including EJBs
> 2. I defined a context-level realm in META-INF/context.xml
> <Context reloadable="true" antiJARLocking="true">
>         <Realm className="org.apache.catalina.realm.DataSourceRealm" 
>                 localDataSource="true" dataSourceName="myDatasource" ... />
> </Context>
> 3. I protected the web part in WEB-INF/web.xml and am able to log in with my database user
> <web-app xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
>         xmlns="http://java.sun.com/xml/ns/javaee"
>         xsi:schemaLocation="http://java.sun.com/xml/ns/javaee http://java.sun.com/xml/ns/javaee/web-app_3_0.xsd"
>         id="srm" version="3.0">
>         <welcome-file-list>
>                 <welcome-file>index.jsp</welcome-file>
>         </welcome-file-list>
>         <servlet>
>                 <servlet-name>ServerServlet</servlet-name>
>                 <servlet-class>org.apache.openejb.server.httpd.ServerServlet</servlet-class>
>         </servlet>
>         <servlet-mapping>
>                 <servlet-name>ServerServlet</servlet-name>
>                 <url-pattern>/ejb/*</url-pattern>
>         </servlet-mapping>
>         <security-constraint>
>                 <web-resource-collection>
>                         <web-resource-name>srm</web-resource-name>
>                         <url-pattern>/*</url-pattern>
>                         <http-method>GET</http-method>
>                 </web-resource-collection>                
>                 <auth-constraint>
>                         <role-name>admin</role-name>
>                 </auth-constraint>
>         </security-constraint>
>         <login-config>
>                 <auth-method>BASIC</auth-method>
>                 <realm-name>Authentication required</realm-name>
>         </login-config>
>         <security-role>
>                 <role-name>admin</role-name>
>         </security-role>
> </web-app>
> 4. When protecting an EJB (annotated with @DeclareRoles, @RolesAllowed) and calling it remotely, the default realm is used instead (from server.xml)
> Properties p = new Properties();
> p.put("java.naming.factory.initial", "org.apache.openejb.client.RemoteInitialContextFactory");
> p.put("java.naming.provider.url", "http://localhost:8080/srm/ejb");
> p.put("java.naming.security.principal", "tomee");
> p.put("java.naming.security.credentials", "tomee");
> InitialContext ctx = new InitialContext(p);
> SecuredBeanRemote myBean = (SecuredBeanRemote) ctx.lookup("SecuredBeanRemote");



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
