Hi,

Apparently, the problem is not a failure of the role permission verification, but a problem of a null user authentication. I mean, I set the run-as role in my web.xml, but since I didn't define any authentication in my web application, the principal was always null.

I imagine the workflow is something like this:

1) User authentication
2) Role permission

So, if in step 1) there isn't any user, the role permission verification in 2) will always fail, probably because of this:

    java.security.Principal getCallerPrincipal()
    boolean isCallerInRole(String roleName)

I worked around this by setting a dummy user in login-config.xml for the "other" profile to avoid the null principal:

    <authentication>
      <login-module code="org.jboss.security.auth.spi.UsersRolesLoginModule"
                    flag="required">
        <module-option name="unauthenticatedIdentity">nobody</module-option>
      </login-module>
    </authentication>

So, I would like to ask a new question:

- How can I set a Principal in my servlet code for the JAAS authentication in a programmatic way?

If the Principal is null, then I set a dummy Principal, and using the "run-as" element in web.xml, I could solve the problem... The advantage is avoiding a specific JBOSS configuration, even though I'm developing for JBOSS.

Regards,
Pedro Salazar.

View the original post: http://www.jboss.org/index.html?module=bb&op=viewtopic&p=3840966#3840966
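
The unauthenticatedIdentity workaround from the post above, scoped to a dedicated security domain instead of the shared "other" policy, which JBoss falls back to for any security domain that has no entry of its own. This is an added example, not part of the original post; the policy name `myapp-runas` and the two properties file names are assumptions, and the web application is assumed to select the domain with `<security-domain>java:/jaas/myapp-runas</security-domain>` in its jboss-web.xml.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- conf/login-config.xml (constructed example) -->
<policy>

  <!-- Shared fallback policy: left without unauthenticatedIdentity, so an
       unauthenticated caller in any other application still has a null
       principal and fails its role checks. -->
  <application-policy name="other">
    <authentication>
      <login-module code="org.jboss.security.auth.spi.UsersRolesLoginModule"
                    flag="required"/>
    </authentication>
  </application-policy>

  <!-- Dedicated policy (hypothetical name) for the one application that
       needs a non-null caller before its run-as role is applied. -->
  <application-policy name="myapp-runas">
    <authentication>
      <login-module code="org.jboss.security.auth.spi.UsersRolesLoginModule"
                    flag="required">
        <!-- Callers that present no credentials are mapped to "nobody".
             Do not list "nobody" in the roles file, so the identity
             itself carries no roles. -->
        <module-option name="unauthenticatedIdentity">nobody</module-option>
        <!-- Assumed file names, resolved from the classpath. -->
        <module-option name="usersProperties">myapp-users.properties</module-option>
        <module-option name="rolesProperties">myapp-roles.properties</module-option>
      </login-module>
    </authentication>
  </application-policy>

</policy>
```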
