users@glassfish.java.net

RE: Re: RE: Re: @RunAs doesn't forward security principal?

From: Markus Karg <karg_at_quipsy.de>
Date: Mon, 21 Jul 2008 10:27:00 +0200

Thank you for this tip. It works pretty well. :-)

But we do not understand what is going on. Because:

We already had all those entries, but in sun-application.xml we just had

<security-role-mapping>
  <role-name>User</role-name>
  <group-name>QUIPSY_User</group-name>
</security-role-mapping>

and the user "cde" was mapped to group QUIPSY_User in GlassFish's admin console (file realm).

So why do we now additionally need

  <principal-name>cde</principal-name>

???

I mean, in sun-ejb-jar.xml the principal is already given, and GlassFish knows the roles / groups already. So why do we have to add that principal again in the security-role-mapping?

Can anybody explain this?

Thanks
Markus

-----Original Message-----
From: glassfish_at_javadesktop.org [mailto:glassfish_at_javadesktop.org]
Sent: Thursday, 17 July 2008 13:59
To: users_at_glassfish.dev.java.net
Subject: Re: RE: Re: @RunAs doesn't forward security principal?

Just to clarify, you mentioned that you configured the following:

<sun-ejb-jar>
  <enterprise-beans>
    <ejb>
      <ejb-name>ComplaintServiceBean</ejb-name>
      <principal>
        <name>cde</name>
      </principal>
    </ejb>
  </enterprise-beans>
</sun-ejb-jar>

But still in server.log it says we're not authorized (but it prints the user 'cde' in the error message -- and that user is authorized since he is in the sole defined group that is mapped upon the sole defined role -- the role needed by the called SB!):

Since there is no real authentication happening, the assignment of groups in the Authorization Credentials will not happen (IMO). So please explicitly map principal cde to the role "User" inside your sun-ejb-jar.xml:

<security-role-mapping>
  <role-name>User</role-name>
  <principal-name>cde</principal-name>
  <group-name>cde</group-name>
</security-role-mapping>

And let me know if that worked.
[Message sent by forum member 'kumarjayanti' (kumarjayanti)]

http://forums.java.net/jive/thread.jspa?messageID=287278
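
The check below is an added example, not part of the original messages and not GlassFish code: it reads the two descriptors discussed in this thread and reports every EJB whose run-as principal from sun-ejb-jar.xml has no principal-name entry in any security-role-mapping, which is the situation described above. The sample descriptors are constructed from the fragments quoted in the thread, and the function names are hypothetical.

```python
import xml.etree.ElementTree as ET

# Constructed samples built from the descriptor fragments quoted in the thread.
SUN_EJB_JAR = """<sun-ejb-jar><enterprise-beans><ejb>
  <ejb-name>ComplaintServiceBean</ejb-name>
  <principal><name>cde</name></principal>
</ejb></enterprise-beans></sun-ejb-jar>"""

# Original mapping: the role is granted to a group only.
GROUP_ONLY = """<sun-application><security-role-mapping>
  <role-name>User</role-name>
  <group-name>QUIPSY_User</group-name>
</security-role-mapping></sun-application>"""
# Mapping after the fix: the run-as principal is named explicitly as well.
WITH_PRINCIPAL = GROUP_ONLY.replace(
    "<group-name>", "<principal-name>cde</principal-name>\n  <group-name>")


def run_as_principals(sun_ejb_jar_xml):
    """Map each EJB name to the run-as principal configured for it."""
    root = ET.fromstring(sun_ejb_jar_xml)
    return {ejb.findtext("ejb-name").strip(): ejb.findtext("principal/name").strip()
            for ejb in root.iter("ejb") if ejb.find("principal/name") is not None}


def roles_by_principal(mapping_xml):
    """Map each principal-name to the set of roles it is explicitly mapped to."""
    roles = {}
    for mapping in ET.fromstring(mapping_xml).iter("security-role-mapping"):
        role = mapping.findtext("role-name").strip()
        for principal in mapping.findall("principal-name"):
            roles.setdefault(principal.text.strip(), set()).add(role)
    return roles


def unmapped_run_as(sun_ejb_jar_xml, mapping_xml):
    """Return {ejb-name: principal} for run-as principals with no explicit role mapping."""
    mapped = roles_by_principal(mapping_xml)
    return {ejb: who for ejb, who in run_as_principals(sun_ejb_jar_xml).items()
            if who not in mapped}
```

Group membership configured in the realm is not visible to this check; it only flags run-as principals that rely on it.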
