users@glassfish.java.net

Re: Default Principal in Glassfish

From: <glassfish_at_javadesktop.org>
Date: Thu, 13 Dec 2007 00:26:49 PST

> My Servlet has a RunAs and it invokes an EJB on the
> Local Interface.
>
> @RunAs("internal")
> public class TestServlet extends HttpServlet {
> @EJB
> private InternalBeanLocal internalBeanBean;
> ...
> The Servlet uses BASIC Auth with a security
> constraint /*
> In sun-web.xml i specified the Default Principal for
> the servlet RunAs
> <servlet>
> <servlet-name>TestServlet</servlet-name>
> <principal-name>internalprincipal</principal-name>
> </servlet>
> JB
> ----------
> @Stateless
> @DeclareRoles("internal")
> public class InternalBeanBean implements
> InternalBeanLocal {
>
> @RolesAllowed("internal")
> public void businessMethod() {
> System.out.println("Hello....: Calling Business Method of Internal Bean");
> }
> }
>
> sun-ejb-jar.xml :
> ----------------
> <security-role-mapping>
> <role-name>internal</role-name>
> <principal-name>internalprincipal</principal-name>
> </security-role-mapping>
> maps internalprincipal to internal role.
>
> And so the Servlet is able to invoke the secure EJB
> via LocalInterface using default principal.
Your sample is not the same. You used @RunAs("internal") in your servlet and you configured "internalprincipal" as the principal that calls methods of the EJB. It works for me also. I use RunAs to call methods of an EJB from another one.
But what happens if you remove RunAs? Your calls will be anonymous then. I thought that the server automatically provides the Default Principal and Default Principal Password (server security configuration) when calls are anonymous. I checked it and it is true, but that principal cannot be checked against any application role. All @RolesAllowed block calls and isCallerInRole returns false.
Maybe I misunderstand the purpose of Default Principal and Default Principal Password.

-- 
Regards,
Marcin Kwapisz
[Message sent by forum member 'mkwapisz' (mkwapisz)]
http://forums.java.net/jive/thread.jspa?messageID=249849
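A way to observe what the thread describes (which principal the EJB actually sees, and whether it is mapped to the "internal" role) is to give the bean a @PermitAll diagnostic method and call the secured method from a servlet with and without @RunAs. This is an added example, not code from either poster or from GlassFish; it assumes the InternalBeanLocal interface declares both methods and that DiagServlet is a hypothetical servlet deployed in the same application.

```java
import java.io.IOException;
import javax.annotation.Resource;
import javax.annotation.security.DeclareRoles;
import javax.annotation.security.PermitAll;
import javax.annotation.security.RolesAllowed;
import javax.ejb.EJB;
import javax.ejb.EJBAccessException;
import javax.ejb.SessionContext;
import javax.ejb.Stateless;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

// --- InternalBeanBean.java (EJB module) ---
@Stateless
@DeclareRoles("internal")
public class InternalBeanBean implements InternalBeanLocal {

    @Resource
    private SessionContext ctx; // container-injected; exposes caller identity

    @RolesAllowed("internal")
    public void businessMethod() {
        System.out.println("Business method called by "
                + ctx.getCallerPrincipal().getName());
    }

    // Diagnostic method (assumption: not part of the original post).
    // @PermitAll lets an anonymous / default-principal caller reach it,
    // so the reply can show the raw principal name and the role check result.
    @PermitAll
    public String whoAmI() {
        return ctx.getCallerPrincipal().getName()
                + " inRole(internal)=" + ctx.isCallerInRole("internal");
    }
}

// --- DiagServlet.java (web module); deploy once with @RunAs("internal")
// and once without it to compare the two outputs ---
class DiagServlet extends HttpServlet {
    @EJB
    private InternalBeanLocal internalBean;

    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp)
            throws IOException {
        resp.setContentType("text/plain");
        resp.getWriter().println("EJB sees: " + internalBean.whoAmI());
        try {
            internalBean.businessMethod();
            resp.getWriter().println("businessMethod: allowed");
        } catch (EJBAccessException e) {
            // Expected when the (run-as or default) principal is not mapped to "internal"
            resp.getWriter().println("businessMethod: denied (" + e.getMessage() + ")");
        }
    }
}
```

Catching EJBAccessException in the servlet turns the authorization failure into a readable response instead of a container stack trace, which makes the role-mapping result easy to verify in both deployments.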