Hi, sorry for insisting on the subject, but my deadline for security in the
project is getting close...
Can someone, please, tell me what's wrong in my code?
Here is the servlet:
import java.io.IOException;
import java.io.PrintWriter;
import javax.ejb.EJB;
import javax.ejb.EJBAccessException;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

public class TestServlet extends HttpServlet {
    private static final long serialVersionUID = -8840939476659309738L;

    @EJB
    private TestService testService;

    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        resp.setContentType("text/html");
        resp.setCharacterEncoding("utf-8");
        PrintWriter writer = resp.getWriter();
        try {
            // Calls the @RolesAllowed("user") method; the "name" parameter is
            // echoed into the HTML response unescaped.
            writer.println(testService.sayHello(req.getParameter("name")) +
                    "<br>");
        } catch (EJBAccessException e) {
            // Compare the EJB container's role view with the web container's.
            writer.println("Permission denied<br>");
            writer.println("@EJB.isUserInRole(\"user\")=" +
                    testService.hasUserRole() + "<br>");
            writer.println("Request.isUserInRole(\"user\")=" +
                    req.isUserInRole("user") + "<br>");
        }
        resp.flushBuffer();
    }
}
The EJB is as simple as:
import javax.annotation.Resource;
import javax.annotation.security.DeclareRoles;
import javax.annotation.security.RolesAllowed;
import javax.ejb.SessionContext;
import javax.ejb.Stateless;

@Stateless
@DeclareRoles("user")
public class TestServiceBean implements TestService {
    @Resource
    private SessionContext context;

    // Only callers the EJB container maps to the "user" role may invoke this.
    @RolesAllowed("user")
    public String sayHello(String name) {
        return "Hello, " + name + ", your principal is " +
                context.getCallerPrincipal().getName();
    }

    // Unrestricted; reports the EJB container's own view of the caller's role.
    public boolean hasUserRole() {
        return context.isCallerInRole("user");
    }
}
The tomcat realm is a JAASRealm with a login module that always validates
the user and grants the 'user' role.
After a successful login, on the servlet, an EJBAccessException is always
thrown, and the weird part is that the tomcat realm (as seen on
request.isUserInRole('user')) is using the login information correctly, but
the EJB is not. That's why I've reported another issue,
http://issues.apache.org/jira/browse/OPENEJB-902, where I said
that the TomcatSecurityService should delegate the isCallerInRole() to
realm.hasRole(), but, as
http://www.nabble.com/Re%3A-TomcatSecurityService-p19125345.html stated
previously by Dain, this is done under the hood by the JACC implementation.
Sorry for the long post, but this is my last attempt for a "correct"
solution for this problem, before trying something nasty...
--
View this message in context:
http://www.nabble.com/TomcatSecurityService-tp19093534p19371735.html
Sent from the OpenEJB Dev mailing list archive at Nabble.com.
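The post describes the login module only in prose; the following is an added example (not the poster's, OpenEJB's or Tomcat's code) of such a JAAS module for Tomcat's JAASRealm, always validating and granting the 'user' role, with the class name AlwaysUserLoginModule and the two principal classes being assumptions. It shows the part a role mismatch most often hinges on: commit() must add both a user principal and a role principal to the Subject, and the realm's userClassNames / roleClassNames attributes must name those classes.

```java
import java.security.Principal;
import java.util.Map;
import javax.security.auth.Subject;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.NameCallback;
import javax.security.auth.login.LoginException;
import javax.security.auth.spi.LoginModule;

// Hypothetical test-fixture module matching the post's description: it accepts
// any name and grants the single role "user". Not OpenEJB or Tomcat code.
public class AlwaysUserLoginModule implements LoginModule {
    // Distinct principal classes for user and role: Tomcat's JAASRealm tells
    // them apart by class name (its userClassNames / roleClassNames attributes).
    public static class UserPrincipal implements Principal {
        private final String name;
        public UserPrincipal(String n) { name = n; }
        public String getName() { return name; }
    }
    public static class RolePrincipal implements Principal {
        private final String name;
        public RolePrincipal(String n) { name = n; }
        public String getName() { return name; }
    }
    private Subject subject;
    private CallbackHandler handler;
    private String userName;

    public void initialize(Subject subject, CallbackHandler handler,
                           Map<String, ?> sharedState, Map<String, ?> options) {
        this.subject = subject;
        this.handler = handler;
    }

    public boolean login() throws LoginException {
        NameCallback nc = new NameCallback("user: ");
        try { handler.handle(new Callback[] { nc }); }  // realm supplies the submitted name
        catch (Exception e) { throw new LoginException("callback failed: " + e.getMessage()); }
        userName = nc.getName();
        if (userName == null || userName.length() == 0) throw new LoginException("no name");
        return true;  // always validates, as in the post
    }

    // commit() is where the Subject gains its identity and roles; a module that
    // passes login() but adds no role principal here yields isUserInRole == false.
    public boolean commit() {
        subject.getPrincipals().add(new UserPrincipal(userName));
        subject.getPrincipals().add(new RolePrincipal("user"));
        return true;
    }
    public boolean abort() { return true; }
    public boolean logout() { subject.getPrincipals().clear(); return true; }
}
```

With this module, the Realm element would carry userClassNames="...UserPrincipal" and roleClassNames="...RolePrincipal" (fully qualified names), so request.isUserInRole("user") reflects the RolePrincipal added in commit().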