users@glassfish.java.net

Re: [Fwd: iiop over http] Using wsse:Usernametoken for role-based authorization

From: Shing Wai Chan <Shing-Wai.Chan_at_Sun.COM>
Date: Fri, 16 Feb 2007 10:30:22 -0800

jon_c wrote:
> Once again, thank you very much.
>
> Does anyone know if this bug is documented somewhere? I did a quick search
> in the bug database but did not turn up anything.
>
>
It is GlassFish issue 2434.
> Shing Wai Chan wrote:
>
>> There is a bug on the WSSE side. The group info is missing.
>> We are looking into it now.
>> In the meantime, there are two ways to achieve the authorization:
>> 1. add a security-role-mapping for each principal-name
>> 2. do not use WSSE; in this case, it will access the WS as an EJB
>>
>> Thanks for checking this.
>> Regards,
>> Shing Wai Chan
>>
>> jon_c wrote:
>>
>>> What I would really like to be able to do, and what I am struggling with,
>>> is how I can use the groups defined in my file realm to authorize the wsse
>>> user (is this possible?).
>>>
>>> Even though 'user1' is a member of 'group1' in my file realm, this
>>> security-role-mapping does not work:
>>> <security-role-mapping>
>>>   <role-name>abc</role-name>
>>>   <group-name>group1</group-name>
>>> </security-role-mapping>
>>>
>>> I get this exception:
>>> Client not authorized for invocation of public final java.lang.String
>>> $Proxy75.sayHello() throws java.rmi.RemoteException
>>>
>>> If possible, I don't want to have to define all of the principals in my
>>> security-role-mapping with <principal-name>.
>>>
>>> Shing Wai Chan wrote:
>>>
>>>> jon_c wrote:
>>>>
>>>>> Thanks for your reply, Shing.
>>>>>
>>>>> Since, in my security realm (file), I cannot define a user with the
>>>>> name "CN=jon", is there some way that I can still authorize my principal
>>>>> using
>>>>>
>>>> One should not put "CN=" in the realm. It should be put in the
>>>> security-role-mapping.
>>>> If we use the realm for an EJB application, then the
>>>> security-role-mapping should be without "CN=".
>>>> The "CN=" is only used when we are using WSSE.
>>>>
>>>>> the file realm as my identity store without having to bloat my
>>>>> descriptor with <principal-name>CN=userX</principal-name> entries?
>>>>>
>>>>> Shing Wai Chan wrote:
>>>>>
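The first workaround from the thread, written out as an added example (not a descriptor from the original posts): while issue 2434 drops the group information for WSSE callers, the role is mapped to each WSSE principal by name, with the "CN=" prefix, instead of to the file-realm group. It assumes the mapping lives in a GlassFish sun-ejb-jar.xml and that 'user1' and 'user2' are the file-realm users in group1.

```xml
<!-- Added example: sun-ejb-jar.xml fragment (assumed descriptor name).
     The group-based mapping below is what the poster tried; it does not
     take effect for WSSE UsernameToken callers because the group info is
     missing (GlassFish issue 2434). It still works for plain EJB callers,
     which use the bare realm user name, so it can be kept. -->
<security-role-mapping>
  <role-name>abc</role-name>
  <group-name>group1</group-name>
</security-role-mapping>

<!-- Workaround 1: map the role to each WSSE principal explicitly.
     WSSE principals carry the "CN=" prefix; realm users do not, so the
     "CN=" belongs here, never in the file realm itself. -->
<security-role-mapping>
  <role-name>abc</role-name>
  <principal-name>CN=user1</principal-name>
  <principal-name>CN=user2</principal-name>
</security-role-mapping>
```

Every user who should hold role abc over WSSE needs its own principal-name entry until the group fix lands, which is the descriptor bloat the poster wanted to avoid.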