I'll try changing the code to use request.getPrincipal() and see what
happens.
-dain
On Sep 9, 2008, at 8:04 AM, Luis Fernando Planella Gonzalez wrote:
Just to point out why Dain's example works:

The CustomRealm creates a GenericPrincipal without specifying the
userPrincipal constructor argument. This makes the
GenericPrincipal.getUserPrincipal() method return the GenericPrincipal
itself.

My problem is that JAASRealm always constructs a GenericPrincipal
specifying the userPrincipal argument...

So, I'll just emphasize what I said in my last post: invoking
request.getPrincipal() instead of request.getUserPrincipal() in
OpenEJBValve should fix it, but I don't know if there are other
implications.
--
Luis Fernando Planella Gonzalez
2008/9/9 Luis Fernando Planella Gonzalez <[EMAIL PROTECTED]>
I've tried the examples Dain attached on the jira issue and they do
work.

So, I've just decided to get my hands dirty and I've downloaded both
tomcat 6.0.18 and openejb 3.0 source code.

To me, the key point seems the class
org.apache.catalina.realm.RealmBase, on line 852, method
hasRole(Principal, String). It is only able to determine whether the
given principal has the given role if the principal is an instance of
org.apache.catalina.realm.GenericPrincipal.

My proposed solution: When OpenEJBValve invokes
TomcatSecurityService.enterWebApp() on line 41, request.getPrincipal()
should be passed instead of request.getUserPrincipal(). I think it
would work, because
org.apache.catalina.connector.Request.getUserPrincipal() checks if
principal is a GenericPrincipal, returning
GenericPrincipal.getUserPrincipal(), which leads to the problem I
related before, of not having the GenericPrincipal itself.

Is this an acceptable solution or does it have other implications?
--
Luis Fernando Planella Gonzalez
2008/9/8 David Blevins <[EMAIL PROTECTED]>
On Sep 8, 2008, at 6:13 AM, Luis F. Planella Gonzalez wrote:
The tomcat realm is a JAASRealm with a login module that always
validates the user and grants the 'user' role.

After a successful login, on the servlet, an EJBAccessException is
always thrown, and the weird part is that the tomcat realm (as seen on
request.isUserInRole('user')) is using the login information correctly,
but the EJB is not. That's why I've reported
http://issues.apache.org/jira/browse/OPENEJB-902 another issue where I
said that the TomcatSecurityService should delegate the
isCallerInRole() to realm.hasRole(), but, as
http://www.nabble.com/Re%3A-TomcatSecurityService-p19125345.html stated
previously by Dain, this is done under the hood by the JACC
implementation.
Hi Luis,
Looking at Dain's response it seems like the ejb isCallerInRole
ultimately does delegate to
user.getRealm().hasRole(user.getTomcatPrincipal(), logicalRole) to
determine if a user has a role. Looking at your reply it wasn't clear
to me if you tried the example Dain made. Were you able to get that to
work? That would help us determine where the issue might be.
-David
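
The behaviour discussed in this thread, as an added example that is not part of the original messages and is not Tomcat or OpenEJB code: a self-contained Java model of why the role check succeeds for a principal built without a wrapped user principal but is denied for one built with it. The class and method names (`RolePrincipal`, `NamedPrincipal`, the static helpers) and the user name `alice` are constructed stand-ins that assume only the behaviour the posts describe.

```java
import java.security.Principal;
import java.util.List;

// Simplified stand-ins written for this example; they model only the behaviour
// described in the thread and are not Tomcat or OpenEJB source code.
public class PrincipalUnwrapDemo {
    // A plain principal with no role information (what a login module supplies).
    record NamedPrincipal(String name) implements Principal {
        public String getName() { return name; }
    }

    // Stand-in for GenericPrincipal: carries roles, optionally wraps a user principal.
    static final class RolePrincipal implements Principal {
        final String name;
        final List<String> roles;
        final Principal userPrincipal;
        RolePrincipal(String name, List<String> roles, Principal userPrincipal) {
            this.name = name; this.roles = roles; this.userPrincipal = userPrincipal;
        }
        public String getName() { return name; }
        // With no wrapped principal, returns itself (the CustomRealm case).
        Principal getUserPrincipal() { return userPrincipal != null ? userPrincipal : this; }
    }

    // Stand-in for Request.getUserPrincipal(): unwraps role-carrying principals.
    static Principal getUserPrincipal(Principal p) {
        return (p instanceof RolePrincipal rp) ? rp.getUserPrincipal() : p;
    }

    // Stand-in for RealmBase.hasRole(): only role-carrying principals can match.
    static boolean hasRole(Principal p, String role) {
        return (p instanceof RolePrincipal rp) && rp.roles.contains(role);
    }

    public static void main(String[] args) {
        List<String> roles = List.of("user");
        // CustomRealm case: no wrapped user principal ("alice" is constructed sample data).
        RolePrincipal custom = new RolePrincipal("alice", roles, null);
        // JAASRealm case: a wrapped user principal is always supplied.
        RolePrincipal jaas = new RolePrincipal("alice", roles, new NamedPrincipal("alice"));

        System.out.println("custom, unwrapped: " + hasRole(getUserPrincipal(custom), "user"));
        System.out.println("jaas, unwrapped:   " + hasRole(getUserPrincipal(jaas), "user"));
        // Proposed change: hand the role-carrying principal itself to the role check.
        System.out.println("jaas, direct:      " + hasRole(jaas, "user"));
    }
}
```

Only the second call is denied: unwrapping discards the object that holds the roles, so the check fails even though the user was granted `user`.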