users@glassfish.java.net

Re: [Fwd: iiop over http] Using wsse:Usernametoken for role-based authorization

From: Shing Wai Chan <Shing-Wai.Chan_at_Sun.COM>
Date: Thu, 15 Feb 2007 16:55:10 -0800

There is a bug on the WSSE side. The group info is missing.
We are looking into it now.
In the meantime, there are two ways to achieve the authorization:
1. add security-role-mapping for each principal-name
2. do not use WSSE; in this case, it will access the WS as an EJB

Thanks for checking this.
Regards,
      Shing Wai Chan

jon_c wrote:
> What I would really like to be able to do, and what I am struggling with, is
> how I can use the groups defined in my file realm to authorize the wsse user
> (is this possible?).
>
> Even though 'user1' is a member of 'group1' in my file realm, this
> security-role-mapping does not work:
> <security-role-mapping>
> <role-name>abc</role-name>
> <group-name>group1</group-name>
> </security-role-mapping>
>
> I get this exception:
> Client not authorized for invocation of public final java.lang.String
> $Proxy75.sayHello() throws java.rmi.RemoteException
>
> If possible, I don't want to have to define all of the principals in my
> security-role-mapping with <principal-name>.
>
>
> Shing Wai Chan wrote:
>
>> jon_c wrote:
>>
>>> Thanks for your reply, Shing.
>>>
>>> Since, in my security realm (file), I cannot define a user with the name
>>> "CN=jon", is there some way that I can still authorize my principal using
>>>
>>>
>> One should not put "CN=" in the realm. It should be put in
>> security-role-mapping.
>> If we use the realm for an EJB application, then the
>> security-role-mapping should be without "CN=".
>> The "CN=" is only when we are using WSSE.
>>
>>> the file realm as my identity store without having to bloat my descriptor
>>> with <principal-name>CN=userX</principal-name> entries?
>>>
>>>
>>> Shing Wai Chan wrote:
>>>
>>>
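The two workarounds in this thread, written out as one GlassFish-specific EJB descriptor fragment. This is an added, constructed example, not a descriptor posted by anyone in the thread. The role name `abc`, the user `user1`, the group `group1` and the `CN=` prefix come from the messages above; `user2` is an assumed second file-realm user, and the DOCTYPE line a real `sun-ejb-jar.xml` would carry is omitted. The standard `ejb-jar.xml` that declares role `abc` and its method permissions is assumed to exist and is not shown.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Constructed example of sun-ejb-jar.xml (GlassFish deployment descriptor).
     Role "abc", user "user1", group "group1" and the "CN=" form of the WSSE
     principal are taken from the thread; "user2" is an assumed extra user.
     A real file also declares the sun-ejb-jar DTD for the server version. -->
<sun-ejb-jar>

  <security-role-mapping>
    <role-name>abc</role-name>

    <!-- Group mapping (workaround 2 in the reply): honored when the bean is
         invoked directly as an EJB without WSSE, where the file realm
         supplies the caller's group membership. On its own, this is the
         mapping the poster reports does NOT authorize a WSSE UsernameToken
         caller, because group info is missing on the WSSE path. -->
    <group-name>group1</group-name>

    <!-- Per-user principal mappings (workaround 1 in the reply): needed for
         WSSE UsernameToken callers while the group information is missing.
         The "CN=" prefix belongs only to the WSSE principal form; the file
         realm itself stores the user as "user1", never as "CN=user1". -->
    <principal-name>CN=user1</principal-name>
    <principal-name>CN=user2</principal-name>

  </security-role-mapping>

</sun-ejb-jar>
```

Keeping both entry kinds under the same `<role-name>` lets the EJB-over-IIOP path keep using realm groups while the web-service path is covered by explicit principals. The `<principal-name>` list is exactly the descriptor growth the poster wanted to avoid; it has to be kept in step with the realm's user list until the WSSE group bug is fixed, and a user missing from it will hit the same "Client not authorized for invocation" exception quoted above.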