users@glassfish.java.net

ior-security-config help please

From: Adam Jenkins <adamjenkinstmpredirect_at_yahoo.com.au>
Date: Sat, 14 Mar 2009 14:35:39 -0700 (PDT)

Hi,

I have a web application running in a server instance that has some pages secure and some pages unsecure. It's referencing an ejb running in a separate server instance with some methods secured by @RolesAllowed and some methods open to unsecured calls. When these are both deployed in the same server instance everything works fine, but I'm having difficulty figuring out the correct configuration for allowing corba access in this situation.

When I have the following configuration (note required=false):

      <ior-security-config>
        <as-context>
          <auth-method>username_password</auth-method>
          <realm>MegaJobIndex</realm>
          <required>false</required>
        </as-context>
        <sas-context>
          <caller-propagation>REQUIRED</caller-propagation>
        </sas-context>
      </ior-security-config>

the unsecured pages work fine, but when I try to access some secure pages I get an org.omg.CORBA.NO_PERMISSION error (even though the user is logged in using web based security constraint management).

When I change it to <required>true</required> then the unsecure pages stop working with the error "Cannot propagate username/password required by target when using run as identity" but the secure pages (that access the ejb after I've logged in) work fine.

This would seem to suggest that when using corba, I have to secure at the EJB level rather than the method level. Is that correct? I'm hoping there's another way to do this because our entire application uses method level @RolesAllowed declarations, it would be a massive hassle to have to rewrite every bean, especially since we're doing a production deployment right now :)

Any help anyone can give me as to what is a good ior-security-config for when you have both unsecure and secure web resources accessing the same beans that have some methods secured with @RolesAllowed and some methods unsecured would be so very very much appreciated :)

Cheers
Adam
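An added Python check, written for this page and not part of the mail or of GlassFish, that parses an ior-security-config fragment like the one quoted above and reports what each setting means for IIOP callers. It assumes the element names and allowed values of the sun-ejb-jar DTD (as-context/auth-method, realm, required; sas-context/caller-propagation; transport-config/confidentiality); the sample fragment is constructed from the post, and the transport-config check is an assumption about what a reviewer would want flagged, not something the post discusses.

```python
"""Audit a GlassFish <ior-security-config> fragment (sun-ejb-jar.xml).

Added illustration, not code from the mailing-list post or from GlassFish.
Assumes the sun-ejb-jar DTD element names; the sample below is constructed
from the fragment quoted in the post.
"""
import xml.etree.ElementTree as ET

# Values the sun-ejb-jar DTD allows for the elements inspected here.
VALID_PROPAGATION = {"NONE", "SUPPORTED", "REQUIRED"}
VALID_AUTH_METHODS = {"USERNAME_PASSWORD"}

# Constructed sample: the fragment from the post, with required=false.
SAMPLE_OPTIONAL_AUTH = """
<ior-security-config>
  <as-context>
    <auth-method>username_password</auth-method>
    <realm>MegaJobIndex</realm>
    <required>false</required>
  </as-context>
  <sas-context>
    <caller-propagation>REQUIRED</caller-propagation>
  </sas-context>
</ior-security-config>
"""


def _text(root, path):
    """Return the stripped text of the first element at path, or None."""
    node = root.find(path)
    return node.text.strip() if node is not None and node.text else None


def parse_ior_security_config(xml_text):
    """Parse the fragment into a plain dict; missing elements become None."""
    root = ET.fromstring(xml_text)
    if root.tag != "ior-security-config":
        raise ValueError("expected <ior-security-config>, got <%s>" % root.tag)
    required = _text(root, "as-context/required")
    return {
        "auth_method": _text(root, "as-context/auth-method"),
        "realm": _text(root, "as-context/realm"),
        "required": None if required is None else required.lower() == "true",
        "caller_propagation": _text(root, "sas-context/caller-propagation"),
        # transport-config is optional in the DTD; absent here means no
        # confidentiality requirement is declared on this IOR.
        "confidentiality": _text(root, "transport-config/confidentiality"),
    }


def audit(xml_text):
    """Return a list of human-readable findings about the configuration."""
    cfg = parse_ior_security_config(xml_text)
    findings = []
    am = cfg["auth_method"]
    cp = cfg["caller_propagation"]
    if am is not None and am.upper() not in VALID_AUTH_METHODS:
        findings.append("unknown auth-method %r" % am)
    if cp is not None and cp.upper() not in VALID_PROPAGATION:
        findings.append("unknown caller-propagation %r" % cp)
    if am is not None and cfg["required"] is False:
        findings.append("as-context required=false: IIOP callers may omit credentials")
    if am is not None and cfg["required"] is True:
        findings.append("as-context required=true: every IIOP caller must send "
                        "username/password")
    # Assumed reviewer check: a username/password as-context with no
    # confidentiality=REQUIRED transport-config sends the password in clear
    # unless the transport is protected by other means.
    if am is not None and (cfg["confidentiality"] or "NONE").upper() != "REQUIRED":
        findings.append("username/password auth without transport-config "
                        "confidentiality=REQUIRED: credentials cross the wire "
                        "unencrypted unless the transport is protected another way")
    return findings


if __name__ == "__main__":
    for line in audit(SAMPLE_OPTIONAL_AUTH):
        print("-", line)
```

Feed it the fragment from the ejb's sun-ejb-jar.xml; the findings describe what the IOR advertises to callers, which is the first thing to compare against the web tier's login state when chasing a NO_PERMISSION.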