users@glassfish.java.net

Re: [Fwd: iiop over http] Using wsse:Usernametoken for role-based authorization

From: jon_c <jon.card_at_gmail.com>
Date: Thu, 15 Feb 2007 12:26:25 -0800 (PST)

Thanks for your reply, Shing.

Since, in my security realm (file), I cannot define a user with the name
"CN=jon", is there some way that I can still authorize my principal using
the file realm as my identity store without having to bloat my descriptor
with <principal-name>CN=userX</principal-name> entries?


Shing Wai Chan wrote:
>
> jon_c wrote:
>> Okay, to partially answer my own question, I seem to see what is tripping
>> me up on this..
>>
>> I had a file realm with 'user1' belonging to group 'group1'. In my
>> deployment descriptor, I had this:
>> <security-role-mapping>
>> <role-name>abc</role-name>
>> <group-name>group1k</group-name>
>> </security-role-mapping>
>>
>> I was expecting sessionContext.getCallerPrincipal().getName() to give me
>> "user1", since that is what was in the username token of my SOAP message.
>> Instead it gives me "CN=user1". I'm assuming that this is why my
>>
> In message-layer-security, wsse:UsernameToken uses a different
> convention in name token.
> You need to have that "CN=" for all wsse principal names.
>> authorization was failing, since if I add
>> <principal-name>CN=user</principal-name> to my descriptor, it seems to
>> work.
>> Can anybody tell me why this is? Or point me to an appropriate resource?
>>
>> Thank you,
>>
>>
>
