OK, the problem is:
- I authenticate with a "user" principal with a password, which is mapped to group "group" and assigned to role "ROLE" on the source EJB. All works fine.
- Then I call a remote EJB which only accepts role "ROLE".
- Only the "user" principal is transferred to the remote EJB, not the mapped group "group". So it fails!
The only solution (AFAIK) is to add <principal-name>user</principal-name> to the remote EJB's sun-ejb-jar:

    <security-role-mapping>
        <role-name>ROLE</role-name>
        <principal-name>user</principal-name>
        <group-name>group</group-name>
    </security-role-mapping>

This solution is in fact absolutely UNUSABLE with a lot of users, because you have to do the realm's work in your .xml.
Is there a way to transfer the mapped groups with the principal identity to the remote EJB?
Thanks ....
------ Help for those who use RunAs -----
In fact this solution can be used if you use a "@RunAs("ROLE")" on the source EJB:
- You need (should?) to add <principal><name>user</name></principal> in <ejb>...</ejb> in the source EJB's sun-ejb-jar.xml.
- You need to add <principal-name>user</principal-name> in the target EJB's sun-ejb-jar.xml security-role-mapping tag, to assign the principal identity to the correct role "ROLE" yourself.
[Message sent by forum member 'kabhal' (kabhal)]
http://forums.java.net/jive/thread.jspa?messageID=341603
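
The two descriptors from the RunAs workaround above, laid out side by side as an added example that is not part of the original post. The bean names SourceBean and TargetBean are hypothetical, and each fragment belongs in its own module's sun-ejb-jar.xml.

```xml
<!-- Source EJB module: sun-ejb-jar.xml
     SourceBean (hypothetical name) carries @RunAs("ROLE") on its class.
     The caller reaches it through the realm's group mapping;
     <principal> names the identity used for the run-as role. -->
<sun-ejb-jar>
  <security-role-mapping>
    <role-name>ROLE</role-name>
    <group-name>group</group-name>
  </security-role-mapping>
  <enterprise-beans>
    <ejb>
      <ejb-name>SourceBean</ejb-name>
      <principal>
        <name>user</name>
      </principal>
    </ejb>
  </enterprise-beans>
</sun-ejb-jar>

<!-- Target EJB module: sun-ejb-jar.xml
     TargetBean (hypothetical name) only accepts role "ROLE".
     Only the principal name arrives with the remote call, so the
     role has to be mapped to the principal "user" here as well. -->
<sun-ejb-jar>
  <security-role-mapping>
    <role-name>ROLE</role-name>
    <principal-name>user</principal-name>
    <group-name>group</group-name>
  </security-role-mapping>
  <enterprise-beans>
    <ejb>
      <ejb-name>TargetBean</ejb-name>
    </ejb>
  </enterprise-beans>
</sun-ejb-jar>
```

Because the run-as principal is fixed in the source descriptor, the target EJB sees "user" for every call made through SourceBean, so the target's role check no longer distinguishes between the original callers.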