OK, I'll rephrase the question:
the secured JSP page calls the secured EJB. Both are inside the same EAR and
both are secured in the same security domain. Both the security constraints
allow access only to users with "role1" role.
JSP has this scriptlet:
<% out.println(request.isUserInRole("role1"));%>
right after it it calls EJB, that has this code in its method:
System.out.println(sessionContext.isCallerInRole("role1"));
the result: user with role1 granted gets access to both JSP and EJB. JSP
outputs FALSE, while EJB outputs TRUE.
Both deployment descriptors have <security-role-ref> elements like this:
<security-role-ref>
  <role-name>role1</role-name>
  <role-link>role1</role-link>
</security-role-ref>
and both web.xml and ejb-jar.xml have correct corresponding <security-role>
element for "role1".
Can anybody tell me, what's wrong with web container?
By the way, if I deploy only war (with EJB call removed) onto standalone
Tomcat, configured to use same security realm, the JSP works fine - it outputs
TRUE!
View the original post :
http://www.jboss.org/index.html?module=bb&op=viewtopic&p=3873786#3873786