users@glassfish.java.net

Re: @RunAs doesn't forward security principal?

From: V B Kumar Jayanti <Vbkumar.Jayanti_at_Sun.COM>
Date: Wed, 09 Jul 2008 17:19:27 +0530

Markus Karg wrote:

>We need to run a servlet that is not secured in any way (public
>service).
>The servlet needs to access session bean X (local interface, same EAR)
>that also is not secured but marked as @RunAs("User")
>That session bean X needs to access another session bean (local
>interface, same EAR) Y which IS secured by @RolesAllowed("User").
>
>At runtime, when SB X calls SB Y, GlassFish says that we do not have
>access rights to execute the business method of SB Y.
>
>We do not understand that, because SB X is marked with @RunAs, so we
>expect propagation of access rights of this role.
>
>
It appears there is no mapping for the role "User" defined in your app?
Can you add a run-as principal for SB X in sun-ejb-jar.xml and see?

Do you see a message of the following form during deployment:

"DL8019: The run-as principal User was assigned by the deployment system based on the specified role. Please consider defining an explicit run-as principal in the sun-specific deployment descriptor."

See:
http://java.sun.com/mailers/techtips/enterprise/2007/TechTips_March07.html#2

> You need to define the mapping for each role used in the application.
> For the role in @RunAs, if no principal is defined in
> sun-ejb-jar.xml, the application server uses a principal from the
> security-role-mapping. Here is an example that defines in the
> sun-ejb-jar.xml file the run-as principal for the HelloEjb
> enterprise bean:
>
>   <sun-ejb-jar>
>     <enterprise-beans>
>       <ejb>
>         <ejb-name>HelloEjb</ejb-name>
>         <principal>
>           <name>aprincipal</name>
>         </principal>
>       </ejb>
>     </enterprise-beans>
>   </sun-ejb-jar>


Thanks.

>GF: v2ur1
>JDK: 6
>
>We have no idea why that is not working.
>
>Any ideas how to solve that?
>
>(server.log is attached so you can see the full stack trace)
>
>Thanks!
>Markus
>
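A pre-deployment check for the situation discussed in this thread, added here as an example and not part of the original messages or of GlassFish. It encodes the Tech Tip's rule that every role needs a mapping, plus the assumption that the explicit run-as principal should be one of the principals mapped to the role; the bean names XBean/YBean, the principal "svc-user", and keeping the security-role-mapping in sun-ejb-jar.xml itself are also assumptions.

```python
import xml.etree.ElementTree as ET

# Constructed descriptor: bean names and the principal "svc-user" are assumptions.
SUN_EJB_JAR = """\
<sun-ejb-jar>
  <security-role-mapping>
    <role-name>User</role-name>
    <principal-name>svc-user</principal-name>
  </security-role-mapping>
  <enterprise-beans>
    <ejb>
      <ejb-name>XBean</ejb-name>
      <principal><name>svc-user</name></principal>
    </ejb>
    <ejb>
      <ejb-name>YBean</ejb-name>
    </ejb>
  </enterprise-beans>
</sun-ejb-jar>
"""

def check_run_as(descriptor_xml, run_as_roles):
    """run_as_roles maps ejb-name -> role named in @RunAs (annotations are not
    in the descriptor, so the caller supplies them). Returns (bean, issue) pairs."""
    root = ET.fromstring(descriptor_xml)
    role_principals = {}  # role -> principals from <security-role-mapping>
    for m in root.findall("security-role-mapping"):
        role = (m.findtext("role-name") or "").strip()
        names = {p.text.strip() for p in m.findall("principal-name") if p.text}
        role_principals.setdefault(role, set()).update(names)
    explicit = {}  # ejb-name -> explicit run-as principal, "" if absent
    for ejb in root.findall("enterprise-beans/ejb"):
        name = (ejb.findtext("ejb-name") or "").strip()
        explicit[name] = (ejb.findtext("principal/name") or "").strip()
    findings = []
    for bean, role in sorted(run_as_roles.items()):
        principal = explicit.get(bean, "")
        if not role_principals.get(role):
            findings.append((bean, "role-not-mapped"))
        elif not principal:
            # the case the DL8019 deployment message warns about
            findings.append((bean, "no-explicit-run-as-principal"))
        elif principal not in role_principals[role]:
            findings.append((bean, "principal-not-in-role"))
    return findings

if __name__ == "__main__":
    # YBean is listed here only to show a finding being reported.
    for bean, issue in check_run_as(SUN_EJB_JAR, {"XBean": "User", "YBean": "User"}):
        print(f"{bean}: {issue}")
```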