I noticed some of this recently too.
I think there are at least two things to discuss here:
1. Why is the caller principal (one of the) group principals? In
general, how is the caller principal determined?
-- I'm not sure about the answer to this, I hope to have some time to
investigate soon, but it may be a while.
2. Should getName() from one of our RealmPrincipals return an
explanatory string or just the getName() of the wrapped principal?
-- It makes sense to me to return the name of the wrapped principal.
I think it would be a good idea to file a JIRA issue on at least the
first of these. With a little discussion we can probably settle (2)
quickly.
Thanks
david jencks
On Jun 9, 2005, at 9:32 PM, Ivan S. Dubrov wrote:
Hello,
I wish to use J2EE security for both the Web module and the EJB module.
So I configured a realm, mapped principals to the security roles, and
developed the appropriate J2EE deployment descriptors. Declarative
role-based security works perfectly.
When it comes to programmatic security, I have problems determining the
logged-in user name in the EJB module. In the Web module everything is
OK: I can call request.getUserPrincipal().getName() and it returns the
authorized user name (for example, "joe"). But when I try to get the
user name from the EJB with EJBContext.getCallerPrincipal().getName(),
I get the following string:
"MyRealm:
[org.apache.geronimo.security.realm.providers.GeronimoGroupPrincipal:
manager]"
I can only get the user group from this string, "manager", but not the
user name. So it seems to me that an important piece of information,
the user identity, is lost while propagating the security context from
the Web module to the EJB module.
It looks to me like a design flaw.
Any comments on this? How can I overcome this problem? I do not want
to pass the username as a parameter to the EJB, since this is not secure
(a user calling the EJB can pass somebody else's name). Of course, in my
case these calls can be performed only from the Web module, but anyway.
Ivan Dubrov
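To illustrate the programmatic-security point raised in the thread, the following is an added example (not code from either message and not Geronimo's own code) of how an EJB can resolve the caller's identity from the container-supplied principal only, unwrapping Geronimo's realm wrapper and refusing to treat a group principal as a user. It assumes that org.apache.geronimo.security.RealmPrincipal exposes a getPrincipal() method returning the wrapped principal, which the thread does not show, and it must be compiled against the Geronimo security and J2EE jars.

```java
import java.security.Principal;
import javax.ejb.EJBContext;
import org.apache.geronimo.security.RealmPrincipal;                          // assumed wrapper type
import org.apache.geronimo.security.realm.providers.GeronimoGroupPrincipal;  // type named in the thread

/**
 * Resolves the caller identity inside an EJB from what the container
 * supplies, never from method parameters. Added example, not Geronimo code.
 */
public final class CallerIdentity {

    private CallerIdentity() {
    }

    /**
     * Returns the user name behind the caller principal, or null when the
     * principal only identifies a group (the situation described in the thread:
     * getName() on the wrapper yields "MyRealm: [...GeronimoGroupPrincipal: manager]").
     */
    public static String userNameOf(Principal caller) {
        if (caller == null) {
            return null;
        }
        // Assumption: RealmPrincipal.getPrincipal() returns the wrapped principal.
        if (caller instanceof RealmPrincipal) {
            return userNameOf(((RealmPrincipal) caller).getPrincipal());
        }
        // A group principal names a role, not a person; never report it as a user.
        if (caller instanceof GeronimoGroupPrincipal) {
            return null;
        }
        // A plain (user) principal carries the login name, e.g. "joe".
        return caller.getName();
    }

    /** Identity of the current caller as seen by the EJB container. */
    public static String currentUser(EJBContext ctx) {
        return userNameOf(ctx.getCallerPrincipal());
    }

    /**
     * Defensive pattern for the "pass the username as a parameter" idea the
     * thread rejects: a client-supplied name is only ever compared against the
     * container's view of the caller, never trusted on its own.
     */
    public static void requireCallerIs(EJBContext ctx, String claimedUser) {
        String actual = currentUser(ctx);
        if (actual == null) {
            // The container propagated only a group principal; the bean cannot
            // recover the user identity, so it must not act on the claim.
            throw new SecurityException(
                    "caller identity not available; refusing to act on a group-only principal");
        }
        if (!actual.equals(claimedUser)) {
            throw new SecurityException("caller " + actual + " may not act as " + claimedUser);
        }
    }
}
```

A session bean would call CallerIdentity.currentUser(sessionContext) from its business methods. If that returns null, the container has propagated a group principal rather than the user principal, which is the realm and login-module configuration question raised as point (1) above; the bean cannot work around it safely, and accepting a caller-supplied name instead would reintroduce exactly the impersonation risk the original message describes.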