users@glassfish.java.net

Re: ior-security-config help please

From: Adam Jenkins <adamjenkinstmpredirect_at_yahoo.com.au>
Date: Sat, 14 Mar 2009 19:30:50 -0700 (PDT)

Argggh, desperate for help on this one if anyone has any ideas.  I'm trying to work around it by creating an ejb that is just for unsecured operations (called UnsecuredOperationsBean) and setting required=false on it.  But that's unravelling my entire application and turning the code into a mess so I don't want to continue down that route unless absolutely required.
 
This is the last thing stopping a system going into production that's been over a year in development, any help on how to configure ejbs to be accessed via corba that contain both secured and unsecured methods would be really really appreciated.
 
Thanks
Adam

--- On Sun, 15/3/09, Adam Jenkins <adamjenkinstmpredirect_at_yahoo.com.au> wrote:


From: Adam Jenkins <adamjenkinstmpredirect_at_yahoo.com.au>
Subject: ior-security-config help please
To: users_at_glassfish.dev.java.net
Received: Sunday, 15 March, 2009, 8:35 AM



Hi,

I have a web application running in a server instance that has some pages secure and some pages unsecure. It's referencing an ejb running in a separate server instance with some methods secured by @RolesAllowed and some methods open to unsecured calls. When these are both deployed in the same server instance everything works fine, but I'm having difficulty figuring out the correct configuration for allowing corba access in this situation.

When I have the following configuration (note required=false):

      <ior-security-config>
        <as-context>
          <auth-method>username_password</auth-method>
          <realm>MegaJobIndex</realm>
          <required>false</required>
        </as-context>
        <sas-context>
          <caller-propagation>REQUIRED</caller-propagation>
        </sas-context>
      </ior-security-config>

the unsecured pages work fine, but when I try to access some secure pages I get an org.omg.CORBA.NO_PERMISSION error (even though the user is logged in using web based security constraint management).

When I change it to <required>true</required> then the unsecure pages stop working with the error "Cannot propagate username/password required by target when using run as identity" but the secure pages (that access the ejb after I've logged in) work fine.

This would seem to suggest that when using corba, I have to secure at the EJB level rather than the method level.  Is that correct?  I'm hoping there's another way to do this because our entire application uses method level @RolesAllowed declarations, it would be a massive hassle to have to rewrite every bean, especially since we're doing a production deployment right now :)

Any help anyone can give me as to what is a good ior-security-config for when you have both unsecure and secure web resources accessing the same beans that have some methods secured with @RolesAllowed and some methods unsecured would be so very very much appreciated :)

Cheers
Adam

