On 02/04/10 13:37, Vincent Deschênes wrote:
>
> I have 2 users, let says ejbUser and webServiceUser.
>
> And 2 server, server1 (glassfish) and server2(custom C++, gSOAP).
>
>
>
> ejbUser has role ejb.
>
> webServiceUser has role webservice.
>
>
>
> ejbUser call a method of an ejb object on server1 which call a
> webservice that does not need authentication on server2.
>
> During this call, server2 call a web service on server1 and
> authenticate using webServiceUser.
>
>
>
> To call the web service on server1 webServiceUser need the
> webServiceUser role.
>
> ejbUser does not have the webservice role.
>
>
>
> The problem is :
>
>
>
> => The webServiceUser will be granted access to the ejb web service
> only if ejbUser his granted the webservice role.
>
>
>
> That make no sense for me.
>
>
>
> I am suspecting some kind of security protection for impersonation
> that would somehow think that our custom C++ server is calling the
> ejb as the ejbUser.
>
>
>
> Any idea ?
>
>
>
as you said, it sounds like your server 2, is somehow using the identity
of its caller (i.e. ejbUser) in its callback to the web service
in server 1. You might try specifying a runAs identity for the ejb (e.g.
otherUser) to see if that identity is being used when the web
service in server 2 acts as a client.
I think you will need to find folks who can describe the details of how
server 2 uses caller identities
in outgoing web service invocations.
Ron
> Thanks
>
>
>
> Vincent Deschenes
>
>
>
>
>
>
>
>
>