users@glassfish.java.net

RunAs on servlet being ignored

From: Shevland, Joe <joe.shevland_at_capgemini.com>
Date: Mon, 23 Apr 2007 17:09:21 +1000

Hi,
 
I'm getting a bit stuck here and was hoping someone could point me in
the right direction. I'm using Glassfish
(glassfish-installer-v1_ur1-p01-b02.jar) and putting together an EAR to
prototype some things, and getting stuck on a RunAs/RolesAllowed
situation. As far as I can tell from all the doco I've read I'm doing
the right thing in terms of supplying mappings in all the right places
etc.
 
I have an EJB (SystemService) that is annotated with the
@RolesAllowed("fooadmin"), and a servlet (InitServlet) that is annotated
with the @RunAs("fooadmin") annotation. I'd like the init servlet to
perform any kind of system initialization of the EJB module and enforce
that only users in the 'fooadmin' role can call methods on system
service (it'd be nice if EJB modules had the same concept as a servlet
context listener, was anything added in ee 5 so they could listen for
deployment/start/stop events?).
 
I've also created a new Realm in Glassfish administration
('fooSecurity') and specified this realm in the sun-application.xml EAR
metadata file. I've updated the <domain>/conf/login.conf file
appropriately. As an aside, the web application holding the servlet is
also configured to use this realm, and works as expected when I log in to
a secured area using a browser and basic authentication (i.e. setting
all pages /* to require the 'fooadmin' role and 'fooSecurity' realm).
 
As far as I can tell, I've put mappings pretty much everywhere they can
be, in various combinations, over the last hour or two to get the
servlet->EJB role working (also had to specify a principal in
sun-web.xml at one point, which had me a bit excited till it got
ignored, I used 'fooadm1' which was configured in the file realm's file,
and also had that user mapped to the 'fooadmin' role in sun-*.xml; tried
with- and without that in any case)*.
 
The role names I've used map 1:1 with group names defined in the
(file-based) realm I've set up in GF. I've also tried specifying the
<run-as> element in web.xml on top of the RunAs annotation, and
generally tried everything I can think of. The end result is the
InitServlet is calling the SystemService with the 'admin' credentials
that I'm deploying the EAR as (deploying via NetBeans), so it's ignoring
my @RunAs annotation on the servlet (I'd tried, and would prefer, the
annotation on a context-listener but that's another story).
 
Cheers
Joe
 
* I didn't bother specifying a 'Class Name' for authentication when
specifying a principal to use when trying this. This is already too much
mucking around to have a container resource like a servlet just use a
nominated role when talking to an EJB as it is.
 


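The setup described in the message above, written out as an added example that is not part of the original post and is not GlassFish's own code: the servlet declares @RunAs("fooadmin"), the EJB method requires @RolesAllowed("fooadmin"), and the bean reports which identity the container actually propagated. The class and role names come from the post; the describeCaller method and the SystemServiceBean class name are hypothetical, and the role-to-group mapping in sun-*.xml is assumed to be in place as the post describes.

```java
// Added example, condensed into one file for reading. In the EAR each type is
// public, in its own file: the bean in the EJB module, the servlet in the WAR.
import javax.annotation.Resource;
import javax.annotation.security.DeclareRoles;
import javax.annotation.security.RolesAllowed;
import javax.annotation.security.RunAs;
import javax.ejb.EJB;
import javax.ejb.EJBAccessException;
import javax.ejb.Local;
import javax.ejb.SessionContext;
import javax.ejb.Stateless;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;

@Local
interface SystemService {
    String describeCaller(); // hypothetical diagnostic method
}

@Stateless
@DeclareRoles("fooadmin")
class SystemServiceBean implements SystemService {
    @Resource
    private SessionContext ctx;

    // The container rejects callers outside 'fooadmin' before this body runs.
    @RolesAllowed("fooadmin")
    public String describeCaller() {
        return "caller=" + ctx.getCallerPrincipal().getName()
                + " inFooadmin=" + ctx.isCallerInRole("fooadmin");
    }
}

@RunAs("fooadmin")
public class InitServlet extends HttpServlet {
    @EJB
    private SystemService systemService;

    @Override
    public void init() throws ServletException {
        try {
            // Records which identity the container propagated to the EJB.
            log("SystemService sees " + systemService.describeCaller());
        } catch (EJBAccessException e) {
            throw new ServletException("caller is not in role 'fooadmin'", e);
        }
    }
}
```

A logged caller name of the deploying 'admin' user, as the post reports, means the servlet's run-as identity was not the one that reached the bean.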