I've tried the examples Dain attached on the jira issue and they do work.
So, I've just decided to get my hands dirty and I've downloaded both Tomcat
6.0.18 and OpenEJB 3.0 source code.
To me, the key point seems to be the class org.apache.catalina.realm.RealmBase, on
line 852, method hasRole(Principal, String).
It is only able to determine whether the given principal has the given role
if the principal is an instance of
org.apache.catalina.realm.GenericPrincipal.
My proposed solution: When OpenEJBValve invokes
TomcatSecurityService.enterWebApp() on line 41, request.getPrincipal()
should be passed instead of request.getUserPrincipal(). I think it would work,
because org.apache.catalina.connector.Request.getUserPrincipal() checks if
principal is a GenericPrincipal, returning
GenericPrincipal.getUserPrincipal(), which leads to the problem I related
before, of not having the GenericPrincipal itself.
Is this an acceptable solution or does it have other implications?
--
Luis Fernando Planella Gonzalez
2008/9/8 David Blevins <[EMAIL PROTECTED]>
>
> On Sep 8, 2008, at 6:13 AM, Luis F. Planella Gonzalez wrote:
>
>> The tomcat realm is a JAASRealm with a login module that always validates
>> the user and grants the 'user' role.
>>
>> After a successful login, on the servlet, an EJBAccessException is always
>> thrown, and the weird part is that the tomcat realm (as seen on
>> request.isUserInRole('user')) is using the login information correctly, but
>> the EJB is not. That's why I've reported
>> http://issues.apache.org/jira/browse/OPENEJB-902 another issue where I
>> said
>> that the TomcatSecurityService should delegate the isCallerInRole() to
>> realm.hasRole(), but, as
>> http://www.nabble.com/Re%3A-TomcatSecurityService-p19125345.html stated
>> previously by Dain, this is done under the hood by the JACC
>> implementation.
>>
>
> Hi Luis,
>
> Looking at Dain's response it seems like the ejb isCallerInRole ultimately
> does delegate to user.getRealm().hasRole(user.getTomcatPrincipal(),
> logicalRole) to determine if a user has a role. Looking at your reply it
> wasn't clear to me if you tried the example Dain made. Were you able to
> get that to work? That would help us determine where the issue might be.
>
> -David
>
>
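
The behaviour described at the top of this message, as an added example that is not part of the original thread and is not Tomcat or OpenEJB source. `JaasUser`, `WrapperPrincipal` (standing in for GenericPrincipal) and the two static methods are simplified stand-ins, and the sample user is constructed.

```java
import java.security.Principal;
import java.util.Arrays;
import java.util.HashSet;
import java.util.Set;

// Simplified model of the behaviour described in the message above.
// Every class and method here is a stand-in, not Tomcat or OpenEJB source.
public class PrincipalUnwrapDemo {

    // Stand-in for the principal created by the JAAS login module.
    static class JaasUser implements Principal {
        private final String name;
        JaasUser(String name) { this.name = name; }
        public String getName() { return name; }
    }

    // Stand-in for GenericPrincipal: wraps the user principal and carries the roles.
    static class WrapperPrincipal implements Principal {
        private final Principal userPrincipal;
        private final Set<String> roles;
        WrapperPrincipal(Principal userPrincipal, String... roles) {
            this.userPrincipal = userPrincipal;
            this.roles = new HashSet<>(Arrays.asList(roles));
        }
        public String getName() { return userPrincipal.getName(); }
        Principal getUserPrincipal() { return userPrincipal; }
        boolean hasRole(String role) { return roles.contains(role); }
    }

    // Models hasRole(Principal, String): only the wrapper type is understood.
    static boolean hasRole(Principal principal, String role) {
        if (principal == null || role == null || !(principal instanceof WrapperPrincipal)) {
            return false;
        }
        return ((WrapperPrincipal) principal).hasRole(role);
    }

    // Models getUserPrincipal(): the wrapper is unwrapped before being returned.
    static Principal getUserPrincipal(Principal stored) {
        return stored instanceof WrapperPrincipal
                ? ((WrapperPrincipal) stored).getUserPrincipal() : stored;
    }

    public static void main(String[] args) {
        Principal stored = new WrapperPrincipal(new JaasUser("alice"), "user"); // constructed sample
        System.out.println("wrapper passed:   " + hasRole(stored, "user"));
        System.out.println("unwrapped passed: " + hasRole(getUserPrincipal(stored), "user"));
    }
}
```

The role check succeeds only when the wrapper itself reaches it; once the unwrapped user principal is handed over, the role information is no longer attached and the check fails closed.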