users@glassfish.java.net

Re: Why does not my ProgrammaticLogin propagate to EJB?

From: Bobby Bissett - Javasoft <Robert.Bissett_at_Sun.COM>
Date: Mon, 02 Apr 2007 15:27:49 -0400

> I found this
> http://forum.java.sun.com/thread.jspa?threadID=5145779
>
> Finally, after enabling Default-Principal-To-Role-Mapping, and making group-to-role mappings both in sun-ejb-jar.xml and sun-application.xml, it finally works.
>
> Why is it so anal?

That's the funny thing about computers -- they can't read your mind, heh
heh. From your output, it looks like the EJB is expecting the user to be
in role "Uzyszkodnik," and your principal is in a group of the same
name. Roles and groups are two different things: applications use roles,
whereas application servers use groups and principals. This allows you
to write an application that uses a role with whatever name you want and
then deploy it on a server that uses different names.

Otherwise, you would have to recompile apps to deploy them on a different
server in some cases. Anyway, I did not see in your email that you have
a mapping in sun-application.xml that maps the group "Uzyszkodnik" to
the role "Uzyszkodnik." Since the names are the same, you can either
provide the mapping or leave it out and turn on default principal to
role mapping.

An example of a mapping, so you know:

<sun-application>
   <!-- every realm user in group "users" is treated as app role "customer" -->
   <security-role-mapping>
     <role-name>customer</role-name>
     <group-name>users</group-name>
   </security-role-mapping>
   <!-- only the single realm principal "admin" is treated as app role "manager" -->
   <security-role-mapping>
     <role-name>manager</role-name>
     <principal-name>admin</principal-name>
   </security-role-mapping>
</sun-application>

This would allow you to let a "manager" have access to some resources
and a "customer" have access to others. In the app server, using this
mapping, any user in the group "users" in the security realm will be
considered a "customer" in the app and the user "admin" will have access
to the "manager" resources.

Cheers,
Bobby
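The following is an added example, not part of Bobby's reply or of GlassFish itself. It parses the kind of <security-role-mapping> fragment shown above and resolves which application roles a caller holds, so you can see why the original poster's EJB rejected a principal in group "Uzyszkodnik" until either an explicit group-to-role mapping existed or default principal-to-role mapping was enabled. The mapping XML and the users are constructed; the `default_p2r` flag is a model of GlassFish's Default Principal To Role Mapping (a declared role with no explicit mapping is granted to a principal or group of the same name), which is an assumption about its semantics, not a quotation of server code.

```python
"""Resolve application roles from GlassFish-style security-role-mapping entries.

Added example (not GlassFish code). The XML below is constructed to match the
shape of the mapping in the mail; `default_p2r` models the server's
"Default Principal To Role Mapping" option as an assumption.
"""
import xml.etree.ElementTree as ET

# Constructed sample: same two mappings as the sun-application.xml in the mail.
SUN_APPLICATION_XML = """<sun-application>
  <security-role-mapping>
    <role-name>customer</role-name>
    <group-name>users</group-name>
  </security-role-mapping>
  <security-role-mapping>
    <role-name>manager</role-name>
    <principal-name>admin</principal-name>
  </security-role-mapping>
</sun-application>"""


def parse_role_mappings(xml_text):
    """Return {role: (principals, groups)} for each <security-role-mapping>.

    Works for sun-application.xml and sun-ejb-jar.xml fragments alike, since
    both use the same element names. Several mappings for one role are merged.
    """
    root = ET.fromstring(xml_text)
    mappings = {}
    for m in root.iter("security-role-mapping"):
        role = m.findtext("role-name", "").strip()
        principals, groups = mappings.setdefault(role, (set(), set()))
        principals.update(p.text.strip() for p in m.findall("principal-name"))
        groups.update(g.text.strip() for g in m.findall("group-name"))
    return mappings


def roles_for(principal, groups, mappings, declared_roles, default_p2r=False):
    """Roles the caller is considered to hold inside the application.

    principal      -- realm principal name (what ProgrammaticLogin established)
    groups         -- realm groups of that principal
    mappings       -- output of parse_role_mappings()
    declared_roles -- roles the app declares (ejb-jar.xml/web.xml <security-role>)
    default_p2r    -- assumption: when enabled, a declared role with NO explicit
                      mapping is granted to a principal or group of the same name
    """
    groups = set(groups)
    held = set()
    for role in declared_roles:
        mapped_principals, mapped_groups = mappings.get(role, (set(), set()))
        if principal in mapped_principals or groups & mapped_groups:
            held.add(role)          # explicit mapping matched
        elif default_p2r and role not in mappings and (principal == role or role in groups):
            held.add(role)          # same-name fallback, only when no explicit mapping
    return held


def ejb_allows(principal, groups, mappings, declared_roles, required_roles, default_p2r=False):
    """True if the caller holds at least one role named in the EJB's method permission."""
    return bool(roles_for(principal, groups, mappings, declared_roles, default_p2r) & set(required_roles))


if __name__ == "__main__":
    maps = parse_role_mappings(SUN_APPLICATION_XML)
    print("alice (group users):", roles_for("alice", {"users"}, maps, {"customer", "manager"}))
    print("admin:", roles_for("admin", set(), maps, {"customer", "manager"}))
    # The poster's situation: group "Uzyszkodnik", role "Uzyszkodnik", no mapping file entry.
    for flag in (False, True):
        print("default_p2r =", flag, "->",
              ejb_allows("jan", {"Uzyszkodnik"}, {}, {"Uzyszkodnik"}, {"Uzyszkodnik"}, flag))
```

The last two lines of output are the whole point of the thread: with no explicit mapping and default mapping off, a principal in group "Uzyszkodnik" holds no role, so the EJB's method permission fails; turning default mapping on (or adding a group-to-role entry) makes the same call succeed. When auditing a deployment, prefer the explicit mapping over the default: it keeps role grants visible in the descriptor rather than depending on group names happening to coincide with role names.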