http://nagoya.apache.org/bugzilla/show_bug.cgi?id=9027

Summary: The Tomcat Servlet Container uses the identity specified in a servlet with the element <run-as> for every web component.
Product: Tomcat 4
Version: 4.0.1 Final
Platform: Other
OS/Version: Other
Status: NEW
Severity: Critical
Priority: Other
Component: Servlet & JSP API
AssignedTo: [EMAIL PROTECTED]
ReportedBy: [EMAIL PROTECTED]

The Tomcat Servlet Container uses the identity specified in a servlet with the element <run-as> for every web component. This identity should only be used for calls in the specified servlet and not for calls in other web components. In my opinion this is a fatal error.

The following test scenario could be used to detect the error (I use the J2EE Reference Implementation from Sun):

1.) create an EJB archive with the session bean TestEJB
2.) insert the JSPs test.jsp and testRunAs.jsp in a web archive
3.) modify the security for the JSPs as shown in the deployment descriptor web.xml
4.) modify the caller-id of the JSP testRunAs.jsp to the role 'eng' and the user 'scott'
5.) deploy the application
6.) request test.jsp and testRunAs.jsp with the username j2ee/j2ee.

The caller of the EJB is always the one who is specified for testRunAs.jsp, that means 'scott'. A request to test.jsp should use the authenticated user (j2ee).
-----------------------------------------------------------------
JSP Testfile: 'test.jsp'
-----------------------------------------------------------------
<html>
<head>
<title>test</title>
<%@ page import="de.j2eeguru.example.Test" %>
<%@ page import="de.j2eeguru.example.TestHome" %>
<%@ page import="javax.naming.InitialContext" %>
<%@ page import="javax.rmi.PortableRemoteObject" %>
</head>
<body>
<p>Identity of the user in test.jsp: <%= request.getRemoteUser() %></p>
<p>
Identity of the EJB caller:
<%
    String callerID = "???";
    try {
        // obtain the JNDI context
        InitialContext ctx = new InitialContext();
        // look up the JNDI name
        Object ref = ctx.lookup("de/ejbguru/test");
        // narrow to the home interface
        TestHome testHome = (TestHome) PortableRemoteObject.narrow(ref, TestHome.class);
        // create the EJB and obtain a reference to the remote interface
        Test test = testHome.create();
        // call the business method of the EJB
        callerID = test.getUserName();
        // the remote interface is no longer needed
        test.remove();
    } catch (Exception ex) {
        ex.printStackTrace();
        callerID = "Fehler aufgetreten:" + ex.getMessage();
    }
%>
<%= callerID %>
</p>
</body>
</html>

-----------------------------------------------------------------
JSP Testfile: 'testRunAs.jsp' (in fact the same as test.jsp)
-----------------------------------------------------------------
<html>
<head>
<title>test</title>
<%@ page import="de.j2eeguru.example.Test" %>
<%@ page import="de.j2eeguru.example.TestHome" %>
<%@ page import="javax.naming.InitialContext" %>
<%@ page import="javax.rmi.PortableRemoteObject" %>
</head>
<body>
<p>Identity of the user in testRunAs.jsp: <%= request.getRemoteUser() %></p>
<p>
Identity of the EJB caller:
<%
    String callerID = "???";
    try {
        // obtain the JNDI context
        InitialContext ctx = new InitialContext();
        // look up the JNDI name
        Object ref = ctx.lookup("de/ejbguru/test");
        // narrow to the home interface
        TestHome testHome = (TestHome) PortableRemoteObject.narrow(ref, TestHome.class);
        // create the EJB and obtain a reference to the remote interface
        Test test = testHome.create();
        // call the business method of the EJB
        callerID = test.getUserName();
        // the remote interface is no longer needed
        test.remove();
    } catch (Exception ex) {
        ex.printStackTrace();
        callerID = "Fehler aufgetreten:" + ex.getMessage();
    }
%>
<%= callerID %>
</p>
</body>
</html>

-----------------------------------------------------------------
WEB.XML:
-----------------------------------------------------------------
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE web-app PUBLIC '-//Sun Microsystems, Inc.//DTD Web Application 2.3//EN' 'http://java.sun.com/dtd/web-app_2_3.dtd'>
<web-app>
  <display-name>RunAsWebApp</display-name>
  <servlet>
    <servlet-name>test</servlet-name>
    <display-name>test</display-name>
    <jsp-file>/test.jsp</jsp-file>
  </servlet>
  <servlet>
    <servlet-name>testRunAs</servlet-name>
    <display-name>testRunAs</display-name>
    <jsp-file>/testRunAs.jsp</jsp-file>
    <run-as>
      <role-name>eng</role-name>
    </run-as>
  </servlet>
  <session-config>
    <session-timeout>30</session-timeout>
  </session-config>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>WRCollection</web-resource-name>
      <url-pattern>/test.jsp</url-pattern>
      <url-pattern>/testRunAs.jsp</url-pattern>
    </web-resource-collection>
    <auth-constraint>
      <role-name>mgr</role-name>
    </auth-constraint>
    <user-data-constraint>
      <transport-guarantee>NONE</transport-guarantee>
    </user-data-constraint>
  </security-constraint>
  <login-config>
    <auth-method>BASIC</auth-method>
    <realm-name>Default</realm-name>
  </login-config>
  <security-role>
    <role-name>eng</role-name>
  </security-role>
  <security-role>
    <role-name>mgr</role-name>
  </security-role>
</web-app>

-----------------------------------------------------------------
TestEJB.java
-----------------------------------------------------------------
package de.j2eeguru.example;

import javax.ejb.SessionBean;
import javax.ejb.EJBException;
import javax.ejb.CreateException;
import javax.ejb.SessionContext;

/*
 * Stateless session bean 'TestEJB'
 */
public class TestEJB implements SessionBean {

    private SessionContext sctx = null;

    //------------------------------------------------------------
    // Implementation of the business methods
    //------------------------------------------------------------
    public String getUserName() {
        // the container reports the identity the bean is being called under
        return sctx.getCallerPrincipal().getName();
    }

    //------------------------------------------------------------
    // Implementation of the create method
    //------------------------------------------------------------
    public void ejbCreate() throws CreateException {
    }

    //------------------------------------------------------------
    // Implementation of the interface 'javax.ejb.SessionBean'
    //------------------------------------------------------------
    public void setSessionContext(SessionContext sctx) {
        this.sctx = sctx;
    }

    public void ejbRemove() {
    }

    public void ejbActivate() {
    }

    public void ejbPassivate() {
    }
}

-----------------------------------------------------------------
Test.java
-----------------------------------------------------------------
package de.j2eeguru.example;

import java.rmi.RemoteException;
import javax.ejb.EJBObject;

/*
 * Remote interface for the session bean 'TestEJB'
 */
public interface Test extends EJBObject {
    public String getUserName() throws RemoteException;
}

-----------------------------------------------------------------
TestHome.java
-----------------------------------------------------------------
package de.j2eeguru.example;

import java.rmi.RemoteException;
import javax.ejb.EJBHome;
import javax.ejb.CreateException;

/**
 * Home interface for the session bean 'TestEJB'.
 */
public interface TestHome extends EJBHome {
    public Test create() throws CreateException, RemoteException;
}
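The Servlet 2.3 rule the report relies on is that a <run-as> identity applies only to calls made from the servlet that declares it. The following added example (not part of the bug report or of Tomcat) parses the report's web.xml, derives the principal the EJB should see for each JSP, and flags any JSP whose observed EJB caller differs; the role-to-user mapping eng -> scott is assumed from step 4 of the report, and the web.xml is trimmed to the servlet declarations.

```python
import xml.etree.ElementTree as ET

# Constructed from the web.xml in the bug report, trimmed to the servlet entries.
WEB_XML = """<?xml version="1.0" encoding="UTF-8"?>
<web-app>
  <servlet>
    <servlet-name>test</servlet-name>
    <jsp-file>/test.jsp</jsp-file>
  </servlet>
  <servlet>
    <servlet-name>testRunAs</servlet-name>
    <jsp-file>/testRunAs.jsp</jsp-file>
    <run-as><role-name>eng</role-name></run-as>
  </servlet>
</web-app>"""

# Assumed deployment-time mapping (report step 4: role 'eng' is mapped to user 'scott').
ROLE_TO_PRINCIPAL = {"eng": "scott"}


def run_as_by_path(web_xml: str) -> dict:
    """Map each servlet's jsp-file to its <run-as> role, or None when it declares none."""
    root = ET.fromstring(web_xml)
    mapping = {}
    for servlet in root.findall("servlet"):
        path = servlet.findtext("jsp-file")
        mapping[path] = servlet.findtext("run-as/role-name")
    return mapping


def expected_ejb_caller(web_xml: str, path: str, authenticated_user: str) -> str:
    """Spec behaviour: run-as identity only for the declaring servlet, else the caller."""
    role = run_as_by_path(web_xml).get(path)
    if role is None:
        return authenticated_user
    return ROLE_TO_PRINCIPAL[role]


def leaking_paths(observed: dict, authenticated_user: str) -> list:
    """Return the JSP paths whose observed EJB caller differs from the spec expectation."""
    return [path for path, seen in observed.items()
            if seen != expected_ejb_caller(WEB_XML, path, authenticated_user)]
```

Feeding it the callerID values shown by the two JSPs after logging in as j2ee gives an empty list on a compliant container and ["/test.jsp"] for the behaviour the report describes.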