users@glassfish.java.net

Re: Cannot propagate username/password required by target when using run as identity

From: Adam Jenkins <adamjenkinstmpredirect_at_yahoo.com.au>
Date: Sat, 14 Mar 2009 12:27:18 -0700 (PDT)

A bit more information:

I've narrowed the error down to a piece of code in com.sun.enterprise.iiop.security.SecurityManagerSelector in the method propagateIdentity. It's checking to see if the target requires EstablishTrustInClient.value.

My guess (not knowing the code) is that somehow I've set my ejb container up to require SSL authentication (or some other authentication) to access the container. The methods I'm using when I'm not logged in don't require any particular security, they're not doing anything fantastic. I just used the instance that's hosting the EJBs with the default settings after I created the new instance and assigned it to a node agent in glassfish. So it seems (fingers crossed) that this may just be a configuration problem with my EJB server instance. Can anyone suggest where I might look in the admin console to investigate the configuration that eventually ends up setting that the target requires EstablishTrustInClient.value (code snipped below)?

Cheers
Adam

    private SecurityContext propagateIdentity(boolean clientAuth,
                                              ComponentInvocation ci)
        throws InvalidIdentityTokenException, InvalidMechanismException,
               SecurityMechanismException {

    ......

        if (isSet(asContext.target_requires, EstablishTrustInClient.value)) {
            ctx = getUsernameAndPassword(ci);
            if (ctx.authcls == null) { // run as mode cannot send password
                String errmsg = localStrings.getLocalString(
                    "securitymechansimselector.runas_cannot_propagate_username_password",
                    "Cannot propagate username/password required by target when using run as identity");
                _logger.log(Level.SEVERE, "iiop.runas_error", errmsg);
                throw new SecurityMechanismException(errmsg);
            }
        }


--- On Sat, 14/3/09, Adam Jenkins <adamjenkinstmpredirect_at_yahoo.com.au> wrote:

> From: Adam Jenkins <adamjenkinstmpredirect_at_yahoo.com.au>
> Subject: Re: Cannot propagate username/password required by target when using run as identity
> To: users_at_glassfish.dev.java.net
> Received: Saturday, 14 March, 2009, 4:47 PM
> A bit more information:
>
> This is only when I'm accessing unsecured web resources
> (those without a security constraint) when I'm not
> logged in.
>
> Once I log in, everything works. If I log out, again,
> can't access anything on the site. The resources
> I'm attempting to access do not require authentication
> and are not accessing any EJB methods that require
> authentication. But it seems that the EJB container is
> still checking to see if there's a principal before it
> will inject the remote reference (even though there are many
> methods on the bean that have no @RolesAllowed declarations
> on them).
>
> This is that last thing holding up production of a system
> that's been under development for the last year :) Any
> help would really really be appreciated.
>
>
> --- On Sat, 14/3/09, Adam Jenkins <adamjenkinstmpredirect_at_yahoo.com.au> wrote:
>
> > From: Adam Jenkins <adamjenkinstmpredirect_at_yahoo.com.au>
> > Subject: Cannot propagate username/password required by target when using run as identity
> > To: users_at_glassfish.dev.java.net
> > Received: Saturday, 14 March, 2009, 12:48 PM
> > Hi All,
> >
> > I'm moving a developed application to a production environment. To try something different, we have two server instances set up, one for the ejb part of the app, one for the webapp. We have a custom jaas realm configured which they both have access to.
> >
> > When we deploy locally with everything on the same server there are no problems, however when we deploy to production and try to access the website, we get the following error:
> >
> > com.sun.enterprise.iiop.security.SecurityMechanismException: Cannot propagate username/password required by target when using run as identity
> >
> > Interestingly enough, at this stage we're not actually logged into the application, and while the ejb that's being injected into the jsf managed bean does have some secure methods (declared with @RolesAllowed("...")) none of these are being accessed by the managed bean being declared. We do not use @RunAs anywhere in our application.
> >
> > My ejbs are declared in my sun-web.xml as:
> >
> > <ejb-ref>
> >     <ejb-ref-name>IndexingRemote</ejb-ref-name>
> >     <jndi-name>corbaname:iiop:localhost:33701#ejb/IndexingBean</jndi-name>
> > </ejb-ref>
> >
> > Which is the correct port...interestingly, when both the web application and the ejb application are in the same server instance (even with the declarations using corbaname as above) everything works fine, but when I put them in separate instances I get the error above.
> >
> > Can anyone shed some light on this error, I can't find anything online other than a bunch of 'TBD' notes on the wiki.
> >
> > Also, is there any way to specify to use jrmp instead of iiop (are there any advantages to iiop rather than jrmp?)
> >
> > Thanks
> > Adam
> >
> ---------------------------------------------------------------------
> > To unsubscribe, e-mail:
> > users-unsubscribe_at_glassfish.dev.java.net
> > For additional commands, e-mail:
> > users-help_at_glassfish.dev.java.net