users@glassfish.java.net

Re: SEVERE: Linked policy contexts have different roleToSubjectMaps

From: Kumar Jayanti <Vbkumar.Jayanti_at_Sun.COM>
Date: Wed, 23 Jun 2010 10:09:26 +0530

glassfish_at_javadesktop.org wrote:
>> By any chance do you have any roleToSubjectMappings
>> in sun-web.xml?
>>
>
> No, I don't have any declared there.
>
>
>> From your desc it appears there isn't any. And is there a chance that
>> the set of roles in WAR and EJB-JAR are different?
>>
>
> I don't really understand this question. Why should they be the same?
>
> In my WAR, I only restrict access in a very rudimentary way, with something like this in the web.xml:
>
> <security-constraint>
>   <display-name>Constraint1</display-name>
>   <web-resource-collection>
>     <web-resource-name>all</web-resource-name>
>     <description>all</description>
>     <url-pattern>/*</url-pattern>
>     <http-method>GET</http-method>
>     <http-method>POST</http-method>
>     <http-method>HEAD</http-method>
>     <http-method>PUT</http-method>
>     <http-method>OPTIONS</http-method>
>     <http-method>TRACE</http-method>
>     <http-method>DELETE</http-method>
>   </web-resource-collection>
>   <auth-constraint>
>     <description></description>
>     <role-name>_Guest_</role-name>
>   </auth-constraint>
> </security-constraint>
>
> While in my EJB methods, I might use the same role ("_Guest_") or others that are required. The servlet thus might get an exception when trying to execute a privileged EJB method, but that's fine (it might catch it and simply hide things that the user has no access to).
>
So whenever there can be an overlap of role names used within different
modules of an app, you should disambiguate them and specify the set
of all roles in the application deployment descriptor.
-----------------------------
According to the spec:

Synchronize security role-names across the application. Rename unique
role-names with redundant meaning to a common name. Rename rolenames
with common names but different meanings to unique names.
Descriptions of role-names that are used by many components of the
application can be included in the application-level deployment descriptor.


When presenting security role descriptions to the Deployer, the deployment
tool must use the descriptions in the J2EE application deployment descriptor
rather than the descriptions in any module deployment descriptors for
security roles with the same name. However, for security roles that appear
in a module deployment descriptor but do not appear in the application
deployment descriptor, the deployment tool must use the description
provided in the module deployment descriptor.
------------------------
> Best regards, Marco :-)
> [Message sent by forum member 'nlmarco']
>
> http://forums.java.net/jive/thread.jspa?messageID=475428
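One way to check the advice in the reply above (declare the set of all roles in the application deployment descriptor) is to compare the role names each module descriptor uses against those declared in application.xml. This is an added example, not code from the thread or from GlassFish; the descriptors are constructed samples, and the `Admin` role and `DemoBean` bean are hypothetical.

```python
import xml.etree.ElementTree as ET

# Constructed sample descriptors; "Admin" and "DemoBean" are hypothetical.
WEB_XML = """<web-app xmlns="http://java.sun.com/xml/ns/javaee">
  <security-constraint>
    <auth-constraint><role-name>_Guest_</role-name></auth-constraint>
  </security-constraint>
</web-app>"""
EJB_JAR_XML = """<ejb-jar xmlns="http://java.sun.com/xml/ns/javaee">
  <assembly-descriptor>
    <security-role><role-name>_Guest_</role-name></security-role>
    <method-permission>
      <role-name>Admin</role-name>
      <method><ejb-name>DemoBean</ejb-name><method-name>*</method-name></method>
    </method-permission>
  </assembly-descriptor>
</ejb-jar>"""
APPLICATION_XML = """<application xmlns="http://java.sun.com/xml/ns/javaee">
  <security-role><role-name>_Guest_</role-name></security-role>
</application>"""

def local(tag):
    """Strip the XML namespace so the check works across descriptor versions."""
    return tag.rsplit("}", 1)[-1]

def role_names(parent):
    """Text of the direct <role-name> children of one element."""
    return {c.text.strip() for c in parent
            if local(c.tag) == "role-name" and c.text and c.text.strip()}

def roles_used(xml_text):
    """Roles a module references, skipping component-local security-role-ref aliases."""
    used = set()
    for parent in ET.fromstring(xml_text).iter():
        if local(parent.tag) != "security-role-ref":
            used |= role_names(parent)
    return used

def roles_declared(app_xml):
    """Roles declared by <security-role> directly under <application>."""
    return set().union(*(role_names(c) for c in ET.fromstring(app_xml)
                         if local(c.tag) == "security-role"))

def audit(app_xml, modules):
    """Map each module to the roles it uses that application.xml omits."""
    declared = roles_declared(app_xml)
    gaps = {name: sorted(roles_used(x) - declared) for name, x in modules.items()}
    return {name: missing for name, missing in gaps.items() if missing}
```

Calling `audit(APPLICATION_XML, {"web.xml": WEB_XML, "ejb-jar.xml": EJB_JAR_XML})` reports the modules whose roles are missing at the application level. Roles that exist only in annotations such as `@RolesAllowed` are not visible to a descriptor-only check like this one.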