Sorry, I haven't responded earlier... been kinda off the grid lately.

This is really weird. The code is designed to pick up the Realm associated with the web app and propagate it to the EJB container (see TomcatSecurityService.enterWebApp(Realm realm, Principal principal, String runAs)). The defaultRealm in the code is only used for EJB calls from a remote VM.

As you mentioned, TomcatSecurityService should override isCallerInRole(), which is part of the problem you are seeing, but I'm not sure it is all of it. I also like your idea of using the realm name to choose the Tomcat Realm to pick.

I'll implement both of those this weekend. I'll also check out the test case you provided and hopefully will be able to get it working.

-dain
On Aug 21, 2008, at 1:11 PM, Luis Fernando Planella Gonzalez wrote:
Hello Karan.

Here is the issue regarding the context-specific realm: https://issues.apache.org/jira/browse/OPENEJB-901
It has a war file attached, and instructions on how to reproduce.

I've managed to use my JAASRealm as default realm, but it didn't work as expected because, for example, isCallerInRole() does not use the Realm.hasRole() method, hence it didn't work as expected. For that, I've registered another issue: https://issues.apache.org/jira/browse/OPENEJB-902.

Thanks.
Luis Fernando Planella Gonzalez
[EMAIL PROTECTED]
Karan Malhi wrote:
Luis,

You can file a JIRA and definitely expect help on this issue from us. Actually, I was going to ask you if setting the Realm for the host/engine worked for you or not; looks like it worked for you. I am trying to look into it. If you are comfortable, we can keep exchanging emails on the dev list itself. When more eyes look at it, we might get to the solution faster. I will add support so that Tomcat looks under all three levels for the realm. Hopefully, I should be able to figure something out tonight.

Gotta run!

I am not a tomcat-openejb expert, but when the email is sent to the list, those experts are definitely watching. :)

BTW: Could you also attach your code to the JIRA issue? This way I will be able to download it and test whether it works or not.
On Thu, Aug 21, 2008 at 1:41 PM, Luis Fernando Planella Gonzalez <[EMAIL PROTECTED]> wrote:
Hi All!

After a few days struggling with OpenEJB in Tomcat, and some deep debugging, I've 2 conclusions about TomcatSecurityService:

- When a context uses a specific Realm, TomcatSecurityService ignores it, using the default host Realm (by default a UserDatabaseRealm). That is very annoying, because a user is authenticated in the web layer, but when accessing an EJB, he is not correctly authenticated.
- At least in the method isCallerInRole, the TomcatSecurityService implementation does not override the AbstractSecurityService JAAS implementation, which is wrong IMHO. Since it is based on a Realm, it should delegate to the Realm.hasRole() method. I don't know if this happens on other methods too. I could temporarily work around the first problem by defining my realm on the whole host, but this was a showstopper.

Now, my question: Is this the desired behaviour? Should I raise JIRA issues for those? I'm starting a project, which will be in development for a few months. Should I expect a fix for this or should I try to write my custom SecurityService?

I'm really worried because it's critical for our project.

Perhaps if someone could pass me the contact of an openejb-tomcat integration developer, I could exchange a few mails and try to understand this issue.

Thanks very much.
Luis
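The two findings in the thread (the context Realm being ignored in favour of the host default, and isCallerInRole() not delegating to Realm.hasRole()) and the propagation design Dain describes for enterWebApp() can be shown side by side in a small sketch. The following is an added example written for this page, not OpenEJB's or Tomcat's code: the Realm interface is a stand-in for the role-check half of org.apache.catalina.Realm, MapRealm, NamedPrincipal and RealmAwareSecurityService are hypothetical names, the enterWebApp() signature is simplified (no runAs), and the users and roles are constructed test data.

```java
import java.security.Principal;
import java.util.Arrays;
import java.util.Collections;
import java.util.HashMap;
import java.util.HashSet;
import java.util.Map;
import java.util.Set;

/** Stand-in for the role-check half of org.apache.catalina.Realm (hypothetical). */
interface Realm {
    boolean hasRole(Principal principal, String role);
}

/** Constructed in-memory realm: user name -> granted roles. */
final class MapRealm implements Realm {
    private final String name;
    private final Map<String, Set<String>> roles = new HashMap<>();

    MapRealm(String name) { this.name = name; }

    MapRealm grant(String user, String... granted) {
        roles.computeIfAbsent(user, k -> new HashSet<>()).addAll(Arrays.asList(granted));
        return this;
    }

    @Override
    public boolean hasRole(Principal principal, String role) {
        if (principal == null) return false;
        return roles.getOrDefault(principal.getName(), Collections.emptySet()).contains(role);
    }

    @Override
    public String toString() { return name; }
}

/** Minimal Principal: only the name matters for the role lookup. */
final class NamedPrincipal implements Principal {
    private final String name;
    NamedPrincipal(String name) { this.name = name; }
    @Override public String getName() { return name; }
}

/**
 * Hypothetical security service. enterWebApp() records, per thread, the Realm and
 * Principal the web layer authenticated against; the two isCallerInRole variants show
 * the behaviour the thread complains about beside the delegating one.
 */
final class RealmAwareSecurityService {
    private static final class CallerContext {
        final Realm realm;
        final Principal principal;
        CallerContext(Realm realm, Principal principal) { this.realm = realm; this.principal = principal; }
    }

    private final Realm defaultRealm;                          // host-level realm, e.g. a UserDatabaseRealm
    private final ThreadLocal<CallerContext> current = new ThreadLocal<>();

    RealmAwareSecurityService(Realm defaultRealm) { this.defaultRealm = defaultRealm; }

    /** Web-layer hook: the request thread enters a web app whose context has its own Realm. */
    void enterWebApp(Realm contextRealm, Principal principal) {
        current.set(new CallerContext(contextRealm, principal));
    }

    /** Always pair with enterWebApp(), or the caller leaks to the next request this thread serves. */
    void exitWebApp() { current.remove(); }

    /** The behaviour described in the thread: the context Realm is ignored, only the host default is asked. */
    boolean isCallerInRoleDefaultRealmOnly(String role) {
        CallerContext ctx = current.get();
        Principal caller = (ctx == null) ? null : ctx.principal;
        return defaultRealm.hasRole(caller, role);
    }

    /** Delegating version: ask the Realm that authenticated the caller; use the default only if the web app set none. */
    boolean isCallerInRole(String role) {
        CallerContext ctx = current.get();
        if (ctx == null || ctx.principal == null) return false;   // unauthenticated thread: in no role at all
        Realm realm = (ctx.realm != null) ? ctx.realm : defaultRealm;
        return realm.hasRole(ctx.principal, role);
    }
}

public class RealmDelegationDemo {
    public static void main(String[] args) {
        // Constructed data: the host realm knows only the stock 'tomcat' user, while the
        // web app's own realm is the one that actually authenticated 'luis'.
        Realm hostRealm = new MapRealm("UserDatabaseRealm").grant("tomcat", "tomcat");
        Realm contextRealm = new MapRealm("JAASRealm").grant("luis", "manager");
        RealmAwareSecurityService service = new RealmAwareSecurityService(hostRealm);

        service.enterWebApp(contextRealm, new NamedPrincipal("luis"));
        try {
            System.out.println("default realm only -> manager? " + service.isCallerInRoleDefaultRealmOnly("manager"));
            System.out.println("context realm      -> manager? " + service.isCallerInRole("manager"));
        } finally {
            service.exitWebApp();
        }
        // After exitWebApp() there is no caller on this thread, so no role check may pass.
        System.out.println("after exitWebApp   -> manager? " + service.isCallerInRole("manager"));
    }
}
```

Compile and run with javac RealmDelegationDemo.java && java RealmDelegationDemo. The first check is the symptom from the thread: luis was authenticated by the context realm, but the host realm has never heard of him, so the role check fails even though the web layer let him in. The second check consults the realm recorded at enterWebApp() and succeeds; the third shows why exitWebApp() must run in a finally, since a ThreadLocal that outlives the request would carry one user's realm and principal into the next request served by the same pooled thread.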