users@glassfish.java.net

Re: [Fwd: iiop over http] Using wsse:Usernametoken for role-based authorization

From: jon_c <jon.card_at_gmail.com>
Date: Fri, 16 Feb 2007 08:18:15 -0800 (PST)

Once again, thank you very much.

Does anyone know if this bug is documented somewhere? I did a quick search
in the bug database but did not turn up anything.


Shing Wai Chan wrote:
>
> There is a bug in WSSE side. The group info is missing.
> We are looking into it now.
> In the meantime, there are two ways to achieve the authorization:
> 1. add security-role-mapping for each principal-name
> 2. do not use WSSE, in this case, it will access the WS as an EJB
>
> Thanks for checking this.
> Regards,
> Shing Wai Chan
>
> jon_c wrote:
>> What I would really like to be able to do, and what I am struggling with,
>> is how I can use the groups defined in my file realm to authorize the wsse
>> user (is this possible?).
>>
>> Even though 'user1' is a member of 'group1' in my file realm, this
>> security-role-mapping does not work:
>> <security-role-mapping>
>> <role-name>abc</role-name>
>> <group-name>group1</group-name>
>> </security-role-mapping>
>>
>> I get this exception:
>> Client not authorized for invocation of public final java.lang.String
>> $Proxy75.sayHello() throws java.rmi.RemoteException
>>
>> If possible, I don't want to have to define all of the principals in my
>> security-role-mapping with <principal-name>.
>>
>>
>> Shing Wai Chan wrote:
>>
>>> jon_c wrote:
>>>
>>>> Thanks for your reply, Shing.
>>>>
>>>> Since, in my security realm (file), I cannot define a user with the
>>>> name "CN=jon", is there some way that I can still authorize my principal
>>>> using
>>>>
>>>>
>>> One should not put "CN=" in the realm. It should be put in
>>> security-role-mapping.
>>> If we use the realm for a ejb application, then the
>>> security-role-mapping should be without "CN=".
>>> The "CN=" is only when we are using WSSE.
>>>
>>>> the file realm as my identity store without having to bloat my
>>>> descriptor with <principal-name>CN=userX</principal-name> entries?
>>>>
>>>>
>>>> Shing Wai Chan wrote:
>>>>
>>>>
>

-- 
View this message in context: http://www.nabble.com/Using-wsse%3AUsernametoken-for-role-based-authorization-tf3231745.html#a9007422
Sent from the java.net - glassfish users mailing list archive at Nabble.com.
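As an added illustration (not part of this thread and not code from the GlassFish project), here is how the first workaround Shing Wai Chan describes would look in the deployment descriptor: the group-based mapping that fails in the thread, beside a per-principal mapping that carries the "CN=" form the WSSE path presents. The role abc, the group group1 and the user user1 come from the thread; the second user user2, and the choice of sun-ejb-jar.xml as the descriptor file, are assumptions.

```xml
<!-- Added example, not from the thread. Assumes the mapping lives in
     sun-ejb-jar.xml; sun-web.xml carries the same security-role-mapping
     element for web-tier endpoints. -->

<!-- Mapping from the thread that fails for a WSSE UsernameToken caller:
     the authorization decision needs the caller's group membership, and
     the WSSE path currently does not supply it. -->
<security-role-mapping>
  <role-name>abc</role-name>
  <group-name>group1</group-name>
</security-role-mapping>

<!-- Workaround 1: map each WSSE principal to the role explicitly.
     The "CN=" prefix belongs here, not in the file realm, and only because
     the caller authenticates with a WSSE UsernameToken; a plain EJB client
     of the same realm would be mapped as "user1" without the prefix. -->
<security-role-mapping>
  <role-name>abc</role-name>
  <principal-name>CN=user1</principal-name>
  <!-- user2 is an assumed second member of group1 -->
  <principal-name>CN=user2</principal-name>
</security-role-mapping>
```

Only one of the two mappings would be present in a deployed descriptor; they are shown together for comparison. The per-principal list has to be kept in step with the realm by hand: a user added to group1 in the file realm gains nothing until a matching principal-name line is added, and a user removed from the realm should also be removed here so the descriptor does not keep granting a role to a name that no longer exists. Once the group-propagation bug is fixed, the group-name form can be restored and the per-principal entries dropped.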