Only if not in a war
On 10 May 2013 at 23:56, "Louis" <[email protected]> wrote:
> I found that I'm getting a 403 because
> TomEERealm.hasResourcePermission()
> compares my logged in role (Administrator) with the only security
> constraint
> that it has within its context (which is 'default'). I would have assumed
> that somehow the @DeclareRoles(value = {"Administrator"}) would have also
> added a security constraint for 'Administrator'. But since only 'default'
> exists, the method returns false for hasRole().
>
> RealmBase.hasResourcePermission() (base class of TomEERealm)
> - roles == [default]
> - principal == GenericPrincipal[tomee(Administrator,)]
>
>
> for (int j = 0; j < roles.length; j++) {
>     if (hasRole(null, principal, roles[j])) {
>         status = true;
>         if (log.isDebugEnabled())
>             log.debug("Role found: " + roles[j]);
>     }
>     else if (log.isDebugEnabled())
>         log.debug("No role found: " + roles[j]);
> }
>
> I then took a look to see how the security constraints are built. Below is
> the only reference I see to adding security roles (and is where the
> 'default' is coming from):
>
> TomcatWsRegistry.createNewContext(ClassLoader, String, String, String,
> String)
>     SecurityConstraint sc = new SecurityConstraint();
>     sc.addAuthRole("*");
>     sc.addCollection(collection);
>     sc.setAuthConstraint(true);
>     sc.setUserConstraint(transportGuarantee);
>     context.addConstraint(sc);
>     context.addSecurityRole("default");
>
> Could this have something to do with me deploying my webservice as a jar
> (and not within a war - defining constraints within web.xml)? How else
> would the WS's declared roles be added?
>
>
>
> --
> View this message in context:
> http://openejb.979440.n4.nabble.com/webservice-security-basic-auth-tp4662743p4662820.html
> Sent from the OpenEJB User mailing list archive at Nabble.com.
>
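
The role check described in the quoted message, as an added example that is not part of the thread and is not Tomcat or TomEE source: a simplified model in which the "*" auth role expands to the roles declared on the context, so a context declaring only 'default' rejects a principal that holds 'Administrator'. The class name RoleCheckModel and the helper effectiveRoles are hypothetical; the second case assumes 'Administrator' were also declared on the context.

```java
import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;
import java.util.Set;

// Simplified model of the check quoted above (not Tomcat/TomEE source).
public class RoleCheckModel {

    // An auth role of "*" means "every role declared on the context", which is
    // how roles == [default] arises in the quoted debug output.
    static String[] effectiveRoles(List<String> authRoles, List<String> contextRoles) {
        List<String> source = authRoles.contains("*") ? contextRoles : authRoles;
        return source.toArray(new String[0]);
    }

    // Same loop shape as the quoted RealmBase snippet: any matching role grants access.
    static boolean hasResourcePermission(Set<String> principalRoles, String[] roles) {
        boolean status = false;
        for (int j = 0; j < roles.length; j++) {
            if (principalRoles.contains(roles[j])) {
                status = true;
            }
        }
        return status;
    }

    static String describe(Set<String> principalRoles, List<String> authRoles,
                           List<String> contextRoles) {
        String[] roles = effectiveRoles(authRoles, contextRoles);
        int code = hasResourcePermission(principalRoles, roles) ? 200 : 403;
        return "declared=" + contextRoles + " checked=" + Arrays.toString(roles)
                + " -> HTTP " + code;
    }

    public static void main(String[] args) {
        // Constructed sample data mirroring the quoted values.
        Set<String> tomee = Set.of("Administrator");   // GenericPrincipal[tomee(Administrator,)]
        List<String> authRoles = List.of("*");         // sc.addAuthRole("*")

        // Context as built in the quoted createNewContext(): only "default" is declared.
        List<String> declared = new ArrayList<>(List.of("default"));
        System.out.println(describe(tomee, authRoles, declared));

        // Assumption for illustration: the same context with "Administrator" declared too.
        declared.add("Administrator");
        System.out.println(describe(tomee, authRoles, declared));
    }
}
```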