users@glassfish.java.net

EAR does not propagate REALM to WAR AND Web Service Context has NULL principal.

From: Marco Villalobos <mvillalobos_at_fox.com>
Date: Wed, 7 Nov 2007 17:53:29 -0800

Here is the issue; I am not sure if it is developer/administrator
error, or a use case overlooked in Glassfish.
 
I created a JDBC Realm within the application, named "jdbc-realm".
I created an EAR.
I created a WAR.
 
Inside the EAR, sun-application.xml declares the security role mappings
and the realm named "jdbc-realm", and
application.xml declares the web module.
 
The WAR implements a web service using Username Authentication with
Symmetric Keys.
 
I create a web client and attempt to invoke the web service.
 
I have verified the following:
 
First, I can ONLY authenticate when using the application server's
default realm. Hence, I have to tell the application server
that my default realm is the "jdbc-realm" that I created. The EAR does
not pick this up, even though it should.
 
Second, there is no way within the WAR to declare the realm that is utilized
by the Web Service implementation.
The web.xml can declare a realm, but it only applies to FORM or BASIC
web application authentication, not web services.
 
Third, when I use the application server's default realm, the
WebServiceContext configured by @Resource injection does not
propagate the Principal to the context, so I don't know the principal of
the user making the request (which is absolutely important for
programmatic security).
 
I hope that this is all user/programmer/administrative error, but this
experiment with a control and an experimental group suggests otherwise.
 
I truly believe that the WebServiceContext should understand the
Principal making the web service call if it is using authentication, and that
it should allow for the isUserInRole method as well.
 
Also, an EAR and a WAR should be able to declare a realm, and not
require the application server default realm.
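The programmatic security the post asks for, shown as an added example that is not code from the original message: a JAX-WS endpoint that reads the caller from the injected WebServiceContext and fails closed when the principal is null instead of proceeding as an anonymous request. The endpoint class, method names and the "admin" role are assumptions.

```java
import java.security.Principal;
import javax.annotation.Resource;
import javax.jws.WebMethod;
import javax.jws.WebService;
import javax.xml.ws.WebServiceContext;

// Hypothetical endpoint; the class and role names are assumptions.
@WebService
public class AccountService {

    // Container-injected context; with no realm applied to the request
    // getUserPrincipal() returns null, the symptom described in the post.
    @Resource
    private WebServiceContext wsContext;

    @WebMethod
    public String whoAmI() {
        Principal caller = wsContext.getUserPrincipal();
        // Fail closed: a null principal means the container did not
        // authenticate the request, so refuse rather than treat it as a user.
        if (caller == null) {
            throw new SecurityException("request carries no authenticated principal");
        }
        return caller.getName();
    }

    @WebMethod
    public String adminOnly() {
        Principal caller = wsContext.getUserPrincipal();
        // Role check only makes sense once a principal is present;
        // "admin" must be mapped to a realm group in sun-application.xml.
        if (caller == null || !wsContext.isUserInRole("admin")) {
            throw new SecurityException("caller is not in role admin");
        }
        return "ok for " + caller.getName();
    }
}
```

Throwing from the method surfaces as a SOAP fault to the client, which is the desired outcome when the realm was never applied.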