Hello,

I wish to use J2EE security for both the Web module and the EJB module. So I 
configured a realm, mapped principals to the security roles, and developed 
appropriate J2EE deployment descriptors. Declarative role-based security works 
perfectly.

When it comes to programmatic security, I have problems determining the 
logged-in user name in the EJB module. In the Web module everything is OK: I 
can call request.getUserPrincipal().getName() and it returns the authorized 
user name (for example, "joe"). But when I try to get the user name from the 
EJB with EJBContext.getCallerPrincipal().getName(), I get the following string:

"MyRealm:[org.apache.geronimo.security.realm.providers.GeronimoGroupPrincipal:manager]"

I can only get the user group from this string, "manager", but not the user 
name. So it seems to me that an important piece of information, the user 
identity, is lost while propagating the security context from the Web module 
to the EJB module.

It looks to me like a design flaw.

Any comments on this? How can I overcome this problem? I do not want to pass 
the username as a parameter to the EJB, since this is not secure (a user 
calling the EJB can pass somebody else's name). Of course, in my case these 
calls can be performed only from the Web module, but anyway.

Ivan Dubrov
