users@glassfish.java.net

How does an EJB invocation from outside glassfish get assigned roles?

From: <glassfish_at_javadesktop.org>
Date: Tue, 16 Sep 2008 00:46:45 PDT

I've got a situation where one glassfish instance (external front end) hosting a web deployment is talking to another glassfish hosting ejbs and the same web deployment (internal front end).

The internal web works just fine talking to its ejbs, but the external one can't call the ejbs, although the calls are making it through to the ejb tier, the backend is refusing them with "javax.ejb.AccessLocalException: Client not authorized for this invocation" (logged in the glassfish instance hosting the ejbs).

The username of the caller (rto) is being propagated through to the backend, since the backend logs the caller name:

     (principals com.sun.enterprise.deployment.PrincipalImpl "rto")

But even though the roles available at the external front end are properly assigned, the backend doesn't seem to associate the caller with the roles it is supposed to have.

The glassfish instance has activate-default-principal-to-role-mapping="true" and the group<==>role mappings are also explicitly declared in the sun-ejb-jar.xml and sun-web.xml.

The backend says:

[#|2008-09-16T12:17:36.170+0930|INFO|sun-appserver9.1|javax.enterprise.system.core.security|_ThreadID=29;_ThreadName=p: thread-pool-1; w: 18;|JACC Policy Provider: PolicyWrapper.implies, context(tlc-ejb/tlc-ejb)- permission((javax.security.jacc.EJBMethodPermission UserServiceBean getUser,Remote,)) domain that failed(ProtectionDomain (file:/tlc-ejb/tlc-ejb <no signer certificates>)

I haven't found much helpful documentation on all this.

How can I make glassfish look up the groups for the user using its appropriate security module and map them to roles?
[Message sent by forum member 'dcam' (dcam)]

http://forums.java.net/jive/thread.jspa?messageID=299513
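For reference, this is the shape of the callee-side mapping the post is asking about, as an added example rather than anything from the original post. It maps the EJB's role both to a group and directly to the propagated principal, so the second mapping holds even when the EJB-side realm cannot resolve the caller's groups. The role name "user" and group name "users" are assumptions; UserServiceBean and the caller name rto are taken from the log lines above.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE sun-ejb-jar PUBLIC "-//Sun Microsystems, Inc.//DTD Application Server 9.0 EJB 3.0//EN"
  "http://www.sun.com/software/appserver/dtds/sun-ejb-jar_3_0-0.dtd">
<!-- sun-ejb-jar.xml for the EJB module (tlc-ejb) on the backend instance.
     Added example, not the poster's file. Role "user" and group "users"
     are assumed names; they must match the security-role / @RolesAllowed
     declared for UserServiceBean.getUser. -->
<sun-ejb-jar>
  <security-role-mapping>
    <role-name>user</role-name>
    <!-- Group-based mapping: satisfied only if the backend's realm
         attaches the group "users" to the propagated caller. With
         activate-default-principal-to-role-mapping="true" this is the
         implicit mapping (role name == group name) anyway. -->
    <group-name>users</group-name>
    <!-- Principal-based mapping: grants the role to the named caller
         directly, so it does not depend on a group lookup succeeding
         on the EJB side. This is the mapping that makes the propagated
         PrincipalImpl "rto" pass the EJBMethodPermission check. -->
    <principal-name>rto</principal-name>
  </security-role-mapping>
  <enterprise-beans>
    <ejb>
      <ejb-name>UserServiceBean</ejb-name>
    </ejb>
  </enterprise-beans>
</sun-ejb-jar>
```

The JACC log line in the post shows the check that has to pass: EJBMethodPermission for UserServiceBean.getUser on the Remote interface against the caller's ProtectionDomain. If no role granted to any of the caller's principals (the user principal or a group principal) is allowed on that method, the container raises the "Client not authorized for this invocation" exception seen on the backend, so the quickest way to confirm a propagation-only problem is to add the principal-name mapping above and see whether the remote call then succeeds.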