users@glassfish.java.net

Re: _at_RunAs doesn't forward security principal?

From: V B Kumar Jayanti <Vbkumar.Jayanti_at_Sun.COM>
Date: Tue, 22 Jul 2008 14:18:15 +0530

Markus Karg wrote:

>Thank you for this tip. It works pretty well. :-)
>
>But we do not understand what is going on. Because:
>
>We already had all those entries, but in sun-application.xml we just had
>
><security-role-mapping>
> <role-name>User</role-name>
> <group-name>QUIPSY_User</group-name>
></security-role-mapping>
>
>and the user "cde" was mapped to group QUIPSY_User in GlassFish's admin console (file realm).
>
>So why do we now additionally need
>
> <principal-name>cde</principal-name>
>
>
>???
>
>I mean, in sun-ejb-jar.xml the principal is already given, and GlassFish knows the roles / groups already. So why do we have to add that principal again in the security-role-mapping?
>
>Can anybody explain this?
>
>
>
So how does GlassFish know which realm to look for? Where did you
configure file-realm or any other realm in your application? Also, no
authentication really takes place in this scenario, since a run-as
principal has been specified. Normally, if there was a Realm
Authentication, then the groups would also get assigned. The
authorization system then tries to see if the principal is in an allowed
role.

Thanks.

>Thanks
>Markus
>
>-----Original Message-----
>From: glassfish_at_javadesktop.org [mailto:glassfish_at_javadesktop.org]
>Sent: Donnerstag, 17. Juli 2008 13:59
>To: users_at_glassfish.dev.java.net
>Subject: Re: RE: Re: @RunAs doesn't forward security principal?
>
>Just to clarify, you mentioned that you configured the following :
>
>
><sun-ejb-jar>
> <enterprise-beans>
>  <ejb>
>   <ejb-name>ComplaintServiceBean</ejb-name>
>   <principal>
>    <name>cde</name>
>   </principal>
>  </ejb>
> </enterprise-beans>
></sun-ejb-jar>
>
>But still in server.log it says we're not authorized (but it prints the user 'cde' in the error message -- and that user is authorized since he is in the sole defined group that is mapped upon the sole defined role -- the role needed by the called SB!):
>
>Since there is no real authentication happening, the assignment of groups in the Authorization Credentials will not happen (IMO). So please explicitly map principal cde to the role "User" inside your sun-ejb-jar.xml:
>
><security-role-mapping>
> <role-name>User</role-name>
> <principal-name>cde</principal-name>
> <group-name>cde</group-name>
></security-role-mapping>
>
>And let me know if that worked.
>[Message sent by forum member 'kumarjayanti' (kumarjayanti)]
>
>http://forums.java.net/jive/thread.jspa?messageID=287278
>
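A complete sun-ejb-jar.xml that puts the two mappings discussed in this thread side by side, added here as an illustration and not a file from either poster. It assumes ComplaintServiceBean is the bean declared @RunAs("User") and that the mapping lives in sun-ejb-jar.xml rather than sun-application.xml; element order follows the sun-ejb-jar DTD, where security-role-mapping precedes enterprise-beans.

```xml
<!-- sun-ejb-jar.xml (added example, not the thread's own file) -->
<sun-ejb-jar>

  <!-- Original mapping: group only. With run-as there is no realm
       authentication, so the run-as identity carries the principal "cde"
       but no group membership; this mapping never matches, and the
       target bean rejects the call even though the log names user cde. -->
  <!--
  <security-role-mapping>
    <role-name>User</role-name>
    <group-name>QUIPSY_User</group-name>
  </security-role-mapping>
  -->

  <!-- Corrected mapping: name the run-as principal explicitly. Keeping
       the group entry is an assumption of this example, so that users
       who authenticate against the file realm and belong to QUIPSY_User
       still map to the role. -->
  <security-role-mapping>
    <role-name>User</role-name>
    <principal-name>cde</principal-name>
    <group-name>QUIPSY_User</group-name>
  </security-role-mapping>

  <enterprise-beans>
    <ejb>
      <ejb-name>ComplaintServiceBean</ejb-name>
      <!-- Principal used for outbound calls made by this bean while it
           runs as role "User" (the @RunAs declaration on the bean class
           is assumed). -->
      <principal>
        <name>cde</name>
      </principal>
    </ejb>
  </enterprise-beans>

</sun-ejb-jar>
```

The check a deployer can make is to keep the commented-out group-only mapping and confirm the access denial reappears in server.log, then restore the principal-name entry and confirm the call succeeds.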