Hi All! After a few days struggling with OpenEJB in Tomcat, and some deep debugging, I have 2 conclusions about TomcatSecurityService:

- When a context uses a specific Realm, TomcatSecurityService ignores it, using the default host Realm (by default a UserDatabaseRealm). That is very annoying, because a user is authenticated in the web layer, but when accessing an EJB, he is not correctly authenticated.
- At least in the method isCallerInRole, the TomcatSecurityService implementation does not override the AbstractSecurityService JAAS implementation, which is wrong IMHO. Since it is based on a Realm, it should delegate to the Realm.hasRole() method. I don't know if this happens in other methods too.

I could temporarily work around the first problem by defining my realm on the whole host, but this was a showstopper.

Now, my question: Is this the desired behaviour? Should I raise JIRA issues for those? I'm starting a project, which will be in development for a few months. Should I expect a fix for this or should I try to write my custom SecurityService? I'm really worried because it's critical for our project. Perhaps if someone could pass me the contact of an openejb-tomcat integration developer, I could exchange a few mails and try to understand this issue.

Thanks very much.
Luis
