users@glassfish.java.net

Re: EAR does not propagate REALM to WAR AND Web Service Context has NULL principal.

From: V B Kumar Jayanti <Vbkumar.Jayanti_at_Sun.COM>
Date: Tue, 13 Nov 2007 12:12:03 +0530

Hi Marco,

Marco Villalobos wrote:

> Here is the issue that I am not sure if it is developer/administrator
> error, or a use case overlooked in Glassfish.
>
> I created a JDBC Realm within the application, named "jdbc-realm".
> I created an EAR.
> I created a WAR.
>
> Inside the ear sun-application.xml declares the security role
> mappings, and realm named "jdbc-realm", and
> application.xml declares web module.
>
> The WAR implements a web service using Username Authentication with
> Symmetric Keys.
>
> I create a web client and attempt to invoke the web service.
>
> I have verified the following:
>
> First, I can ONLY authenticate when using the application server's
> default realm. Hence, I have to tell the application server
> that my default realm is the "jdbc-realm" that I created. The EAR
> does not pick this up, even though it should.

See my reply to your posts:
http://forums.java.net/jive/thread.jspa?messageID=244775
and the reply to a similar post:

http://forums.java.net/jive/thread.jspa?messageID=243322

I agree that there is an issue here.

>
> Second, there is no way within WAR to declare the realm that is
> utilized by the Web Service implementation.
> The web.xml can declare a realm, but it only applies to FORMS or BASIC
> web application authentication, not web services.
>
That's correct, this is another limitation.

> Third, when I use the application server's default realm, the
> WebServiceContext configured by @Resource injection does not
> propagate the Principal to the context, so I don't know the principal
> of the user making the request (which is absolutely important for
> programmatic security).

I have posted the current proprietary way of obtaining the principal in:
http://forums.java.net/jive/thread.jspa?messageID=244775

>
> I hope that this is all user/programmer/administrative error, but this
> experiment with a control and experimental group suggests otherwise.
>
> I truly believe that the WebServiceContext should understand the
> Principal making the web service call if it is using authentication, and that
> it should allow for the isUserInRole method as well.

Yes we are working towards improving this.

>
> Also, an EAR and WAR should be able to declare a realm, and not
> require the application server default realm.

Understood. But I assume your comment here is specifically w.r.t.
WebServices SOAP Message Security being used in the WAR/EAR, is that
correct? Because otherwise your statement is already true for GF.

Thanks.
kumar
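As an added illustration (not code from this thread or from GlassFish itself), the JAX-WS endpoint below applies the programmatic security Marco describes and fails closed when the injected WebServiceContext carries no principal, which is the failure mode reported above; the endpoint class name, its methods and the role name "account-admin" are assumed for the example.

```java
import java.security.Principal;

import javax.annotation.Resource;
import javax.jws.WebMethod;
import javax.jws.WebService;
import javax.xml.ws.WebServiceContext;
import javax.xml.ws.WebServiceException;

// Hypothetical endpoint; names are assumptions for this example.
@WebService(serviceName = "AccountService")
public class AccountService {

    // Injected by the container. The thread reports getUserPrincipal()
    // returning null on GlassFish when SOAP message security (Username
    // auth with symmetric keys) is used instead of web-tier BASIC/FORM
    // authentication, so the endpoint must not assume it is populated.
    @Resource
    private WebServiceContext wsContext;

    @WebMethod
    public String whoAmI() {
        return requireAuthenticatedUser().getName();
    }

    @WebMethod
    public String closeAccount(String accountId) {
        Principal caller = requireAuthenticatedUser();
        // Role check through the same context. "account-admin" is an
        // assumed role name; it would be mapped in sun-application.xml.
        if (!wsContext.isUserInRole("account-admin")) {
            throw new WebServiceException("caller " + caller.getName()
                    + " is not in role account-admin");
        }
        return "closed " + accountId + " on behalf of " + caller.getName();
    }

    // Fail closed: a missing principal means the container did not
    // establish an authenticated identity for this call. Treat it as
    // unauthenticated instead of falling through to business logic.
    private Principal requireAuthenticatedUser() {
        Principal caller = wsContext.getUserPrincipal();
        if (caller == null) {
            throw new WebServiceException(
                    "no authenticated principal in WebServiceContext");
        }
        return caller;
    }
}
```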