Luis,

You can file a JIRA and definitely expect help on this issue from us. Actually, I was going to ask you if setting the Realm for the host/engine worked for you or not; looks like it worked for you. I am trying to look into it. If you are comfortable, we can keep exchanging emails on the dev list itself. When more eyes look at it, we might get to the solution faster. I will add support so that tomcat looks under all three levels for the realm. Hopefully, I should be able to figure something out tonight. Gotta run!

I am not a tomcat-openejb expert, but when the email is sent to the list, those experts are definitely watching. :)

BTW: Could you also attach your code to the JIRA issue? This way I will be able to download it and test it if it works or not.

On Thu, Aug 21, 2008 at 1:41 PM, Luis Fernando Planella Gonzalez <[EMAIL PROTECTED]> wrote:

> Hi All!
> After a few days struggling with OpenEJB in Tomcat, and some deep debugging,
> I've 2 conclusions about TomcatSecurityService:
>
> - When a context uses a specific Realm, TomcatSecurityService ignores it,
>   using the default host Realm (by default a UserDatabaseRealm). That is very
>   annoying, because a user is authenticated in the web layer, but when
>   accessing an EJB, he is not correctly authenticated.
> - At least in the method isCallerInRole, the TomcatSecurityService
>   implementation does not override the AbstractSecurityService JAAS
>   implementation, which is wrong IMHO. Since it is based on a Realm, it should
>   delegate to Realm.hasRole() method. I don't know if this happens on other
>   methods too. I could temporarily work around the first problem by defining
>   my realm on the whole host, but this was a showstopper.
>
> Now, my question: Is this the desired behaviour? Should I raise JIRA issues
> for those? I'm starting a project, which will be in development for a few
> months. Should I expect a fix for this or should I try to write my custom
> SecurityService?
> I'm really worried because it's critical for our project.
> Perhaps if someone could pass me the contact of a openejb-tomcat integration
> developer, I could exchange a few mails and try to understand this issue.
> Thanks very much.
> Luis

--
Karan Singh Malhi
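The two behaviours discussed in this thread, side by side, as an added illustration that is not code from OpenEJB, Tomcat or either poster: a role check that consults only the host realm, and one that resolves the realm across the context, host and engine levels and delegates to hasRole(). The Realm and Container types here are simplified stand-ins for the Tomcat ones (assumptions, not the real API), and all names and roles are constructed.

```java
import java.util.Map;
import java.util.Set;

// Simplified stand-ins for Tomcat's Realm/Container types (assumptions, not the real API).
public class RealmLookupDemo {
    interface Realm { boolean hasRole(String user, String role); }

    // One container level (engine, host or context) with an optional realm of its own.
    static final class Container {
        final String name; final Container parent; final Realm realm;
        Container(String name, Container parent, Realm realm) {
            this.name = name; this.parent = parent; this.realm = realm;
        }
        // Nearest realm wins: context first, then host, then engine.
        Realm effectiveRealm() {
            for (Container c = this; c != null; c = c.parent)
                if (c.realm != null) return c.realm;
            throw new IllegalStateException("no realm configured for " + name);
        }
    }

    static Realm realmOf(Map<String, Set<String>> rolesByUser) {
        return (user, role) -> rolesByUser.getOrDefault(user, Set.of()).contains(role);
    }

    // Behaviour reported in the thread: the context's own realm is ignored.
    static boolean isCallerInRoleHostOnly(Container context, String user, String role) {
        Container host = context.parent;
        return host != null && host.realm != null && host.realm.hasRole(user, role);
    }

    // Behaviour asked for: use the realm the web layer used and delegate to hasRole().
    static boolean isCallerInRoleDelegating(Container context, String user, String role) {
        return context.effectiveRealm().hasRole(user, role);
    }

    public static void main(String[] args) {
        // Constructed sample data: a host-wide realm and a context-specific realm.
        Realm hostRealm = realmOf(Map.of("tomcat", Set.of("manager")));
        Realm appRealm = realmOf(Map.of("luis", Set.of("customer")));
        Container engine = new Container("Catalina", null, null);
        Container host = new Container("localhost", engine, hostRealm);
        Container app = new Container("/shop", host, appRealm);   // has its own realm
        Container docs = new Container("/docs", host, null);      // inherits the host realm

        System.out.println("host-only,  /shop luis:   " + isCallerInRoleHostOnly(app, "luis", "customer"));
        System.out.println("delegating, /shop luis:   " + isCallerInRoleDelegating(app, "luis", "customer"));
        System.out.println("delegating, /docs tomcat: " + isCallerInRoleDelegating(docs, "tomcat", "manager"));
        System.out.println("delegating, /shop tomcat: " + isCallerInRoleDelegating(app, "tomcat", "manager"));
    }
}
```

The last line of output shows the other side of the mismatch: once the context realm is honoured, a role granted only in the host realm no longer applies inside that context.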
