users@glassfish.java.net

Re: <realm> tag values in sun-application.xml

From: <glassfish_at_javadesktop.org>
Date: Fri, 19 Feb 2010 16:06:36 PST

> Have you configured the realm-name in sun-ejb-jar.xml as well?

According to the Deployment Guide entry for the sun-ejb-jar.xml deployment descriptor, there are two main nodes: <security-role-mapping> and <enterprise-beans>. The only reference to realm that I've seen is under the <as-context> tag, which is part of a particular <ejb> tag. Are you suggesting that I pick off each and every EJB that I want to be protected, defining the identical realm tag in this location? If that is the case, then the reason I chose sun-application.xml was to cover all EJBs in order to prevent that repetitive entry. If there is some way to get that global EJB effect in the sun-ejb-jar.xml, please specify and I will try it.

> If the realm name is not specified in sun-application.xml, it is obtained from sun-ejb-jar.xml.

But it is specified in the sun-application.xml, and I can see no evidence that it is being used, although of course something else could have gone wrong. As mentioned in my previous post, I placed a bogus entry in the <realm> tag. That means that I'm asking GlassFish to protect my EJBs with a non-existent realm. I would think that GlassFish would fail to deploy the ear file, since it can't comply with the request in my intentionally misconfigured configuration. But the deployment occurs apparently successfully. So, then I wonder, what is actually protecting the EJBs? Some default realm that I did not choose? Or perhaps nothing at all? That, in a nutshell, is the problem, although I stand to be corrected. I believe deployment should fail in this case. On the other hand, if no realm is specified then perhaps one could argue that a default will be used.

> If the realm name is not specified in both the descriptors, it is defaulted to the file realm.

I'm not sure I agree that it should happen that way, and especially silently, unless no realm is specified at all in either place. The EJBs may not be protected adequately by the default, and the deployer would be unaware of the problem, until a compromise is noticed. But that of course is just an opinion. But I don't mind using the sun-ejb-jar.xml with the proviso I made above, if you can explain how to do it.

> Also, while accessing the EJBs from the standalone client, are you specifying the configured realmName?

Yes. I am using the LoginContext and specifying the realmName, and EJBs are being accessed. I simply don't know for certain what authentication allowed it. The user does not have a password that is part of the default file realm, as you hinted above. Just in case this does turn out to be a remote client issue (standalone vs ACC), I am currently reconfiguring to test from the web tier, which is just another kind of remote client as far as the EJBs are concerned. If I get a different result in that setup, I will post it.

Joe
[Message sent by forum member 'teknomad' (joe.isaac_at_tolven.org)]

http://forums.java.net/jive/thread.jspa?messageID=387695
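
A pre-deployment check for the situation discussed in this message, added here as an example and not part of the original post or of GlassFish: it resolves each EJB's realm using the lookup order quoted in the thread and reports any realm the server does not define, as well as any silent fallback to the default. The descriptors are constructed samples, the <ior-security-config> parent of <as-context> follows the sun-ejb-jar.xml descriptor layout, and the CONFIGURED_REALMS set is an assumption standing in for the auth-realm names of the target domain.

```python
import xml.etree.ElementTree as ET

# Constructed sample descriptors (not taken from the thread).
SUN_APPLICATION = "<sun-application><realm>bogus-realm</realm></sun-application>"
SUN_EJB_JAR = """<sun-ejb-jar><enterprise-beans>
  <ejb><ejb-name>AccountBean</ejb-name>
    <ior-security-config><as-context>
      <auth-method>USERNAME_PASSWORD</auth-method><realm>ldap-realm</realm><required>true</required>
    </as-context></ior-security-config></ejb>
  <ejb><ejb-name>AuditBean</ejb-name></ejb>
</enterprise-beans></sun-ejb-jar>"""

# Assumption: realm names the target domain defines (its auth-realm entries).
CONFIGURED_REALMS = {"file", "admin-realm", "certificate", "ldap-realm"}
DEFAULT_REALM = "file"


def effective_realms(app_xml, ejb_xml):
    """Map each EJB name to (realm, source) using the order quoted in the thread."""
    app_realm = (ET.fromstring(app_xml).findtext("realm") or "").strip()
    result = {}
    for ejb in ET.fromstring(ejb_xml).iter("ejb"):
        name = (ejb.findtext("ejb-name") or "").strip()
        ejb_realm = (ejb.findtext("ior-security-config/as-context/realm") or "").strip()
        if app_realm:
            result[name] = (app_realm, "sun-application.xml")
        elif ejb_realm:
            result[name] = (ejb_realm, "sun-ejb-jar.xml")
        else:
            result[name] = (DEFAULT_REALM, "default")
    return result


def audit(app_xml, ejb_xml, configured=CONFIGURED_REALMS):
    """Return findings that should block deployment or need review."""
    findings = []
    for name, (realm, source) in sorted(effective_realms(app_xml, ejb_xml).items()):
        if realm not in configured:
            findings.append(f"{name}: realm '{realm}' from {source} is not configured")
        elif source == "default":
            findings.append(f"{name}: no realm declared, falls back to '{realm}'")
    return findings


if __name__ == "__main__":
    for line in audit(SUN_APPLICATION, SUN_EJB_JAR):
        print(line)
```

Running it as a build or release gate turns the bogus <realm> entry into a hard failure before the ear file reaches the server.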