users@glassfish.java.net

Re: [Fwd: iiop over http] Using wsse:Usernametoken for role-based authorization

From: Shing Wai Chan <Shing-Wai.Chan_at_Sun.COM>
Date: Thu, 15 Feb 2007 12:54:06 -0800

jon_c wrote:
> Thanks for your reply, Shing.
>
> Since, in my security realm (file), I cannot define a user with the name
> "CN=jon", is there some way that I can still authorize my principal using
>
One should not put "CN=" in the realm. It should be put in
security-role-mapping.
If we use the realm for an ejb application, then the
security-role-mapping should be without "CN=".
The "CN=" is only when we are using WSSE.
> the file realm as my identity store without having to bloat my descriptor
> with <principal-name>CN=userX</principal-name> entries?
>
>
> Shing Wai Chan wrote:
>
>> jon_c wrote:
>>
>>> Okay, to partially answer my own question, I seem to see what is tripping
>>> me
>>> up on this..
>>>
>>> I had a file realm with 'user1' belonging to group 'group1'. In my
>>> deployment descriptor, I had this:
>>> <security-role-mapping>
>>> <role-name>abc</role-name>
>>> <group-name>group1k</group-name>
>>> </security-role-mapping>
>>>
>>> I was expecting sessionContext.getCallerPrincipal().getName() to give me
>>> "user1", since that is what was in the username token of my SOAP message.
>>> Instead it gives me "CN=user1". I'm assuming that this is why my
>>>
>>>
>> In message-layer-security, wsse:UsernameToken uses a different
>> convention in name token.
>> You need to have that "CN=" for all wsse principal names.
>>
>>> authorization was failing, since if I add
>>> <principal-name>CN=user</principal-name> to my descriptor, it seems to
>>> work.
>>> Can anybody tell me why this is? Or point me to an appropriate resource?
>>>
>>> Thank you,
>>>
>>>
>>>
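As an added illustration (not part of the thread, and not GlassFish's own sample), here is a fragment of a GlassFish sun-ejb-jar.xml that follows the two conventions Shing describes: the realm's group name, without any prefix, for callers authenticated against the file realm, and a "CN="-prefixed principal-name for callers authenticated through a wsse:UsernameToken. The role name "abc", group "group1" and user "user1" are the ones from the thread; the descriptor file name and element layout are the standard GlassFish ones, and the combined mapping is an assumption about how both kinds of caller would be covered by one role.

```xml
<!-- Added example, not from the thread: fragment of a GlassFish sun-ejb-jar.xml.
     Role "abc", group "group1" and user "user1" are the names used in the thread. -->
<sun-ejb-jar>
  <security-role-mapping>
    <role-name>abc</role-name>

    <!-- Callers authenticated by the container against the file realm:
         map the role to the realm group exactly as it is named, no "CN=".
         (The descriptor quoted in the thread mapped "group1k" while the realm
         group was "group1"; the two names have to match character for character.) -->
    <group-name>group1</group-name>

    <!-- Callers authenticated by message-layer security (wsse:UsernameToken):
         the container sees the principal as "CN=user1", so a principal-name
         mapping for such a caller carries the "CN=" prefix. -->
    <principal-name>CN=user1</principal-name>
  </security-role-mapping>

  <!-- bean definitions omitted in this fragment -->
  <enterprise-beans/>
</sun-ejb-jar>
```

A quick way to confirm which form a given caller arrives with is to log sessionContext.getCallerPrincipal().getName() from a method protected by the role, exactly as jon_c did: a bare "user1" means the group mapping applies, a "CN=user1" means the WSSE principal-name mapping is the one being consulted.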