
List:       openejb-development
Subject:    Re: TomcatSecurityService
From:       "Luis Fernando Planella Gonzalez" <lfpg.dev () gmail ! com>
Date:       2008-09-11 23:03:27
Message-ID: d12c1890809111603h488a2fd0of65ba6de378bec82 () mail ! gmail ! com


Yes, it has fixed my problem.
The issue https://issues.apache.org/jira/browse/OPENEJB-901 can be marked as
fixed.
Thanks.
--
Luis Fernando Planella Gonzalez



2008/9/11 Dain Sundstrom <dain@iq80.com>

> I changed the code to use getPrincipal() and everything else still works.
> Can you verify that this resolves the issue you were having with the
> JAASRealm?
>
> -dain
>
>
> On Sep 10, 2008, at 1:13 PM, Dain Sundstrom wrote:
>
>> I'll try changing the code to use request.getPrincipal() and see what
>> happens.
>>
>> -dain
>>
>> On Sep 9, 2008, at 8:04 AM, Luis Fernando Planella Gonzalez wrote:
>>
>>> Just to point out why Dain's example works:
>>> The CustomRealm creates a GenericPrincipal without specifying the
>>> userPrincipal constructor argument. This makes the
>>> GenericPrincipal.getUserPrincipal() method return the GenericPrincipal
>>> itself.
>>> My problem is that JAASRealm always constructs a GenericPrincipal
>>> specifying the userPrincipal argument...
>>> So, I'll just emphasize what I said in my last post: invoking
>>> request.getPrincipal() instead of request.getUserPrincipal() in
>>> OpenEJBValve should fix it, but I don't know if there are other
>>> implications.
>>> --
>>> Luis Fernando Planella Gonzalez
>>>
>>>
>>>
>>> 2008/9/9 Luis Fernando Planella Gonzalez <lfpg.dev@gmail.com>
>>>
>>>> I've tried the examples Dain attached on the jira issue and they do
>>>> work.
>>>> So, I've just decided to make my hands dirty and I've downloaded both
>>>> tomcat 6.0.18 and openejb 3.0 source code.
>>>>
>>>> To me, the key point seems to be the class
>>>> org.apache.catalina.realm.RealmBase,
>>>> on line 852, method hasRole(Principal, String).
>>>> It is only able to determine whether the given principal has the given
>>>> role if the principal is an instance of
>>>> org.apache.catalina.realm.GenericPrincipal.
>>>>
>>>> My proposed solution: When OpenEJBValve invokes
>>>> TomcatSecurityService.enterWebApp() on line 41, request.getPrincipal()
>>>> should be passed instead of request.getUserPrincipal(). I think it would
>>>> work, because org.apache.catalina.connector.Request.getUserPrincipal()
>>>> checks if principal is a GenericPrincipal, returning
>>>> GenericPrincipal.getUserPrincipal(), which leads to the problem I
>>>> related before, of not having the GenericPrincipal itself.
>>>>
>>>> Is this an acceptable solution or does it have other implications?
>>>>
>>>> --
>>>> Luis Fernando Planella Gonzalez
>>>>
>>>>
>>>>
>>>>
>>>> 2008/9/8 David Blevins <david.blevins@visi.com>
>>>>
>>>>
>>>>> On Sep 8, 2008, at 6:13 AM, Luis F. Planella Gonzalez wrote:
>>>>>
>>>>>> The tomcat realm is a JAASRealm with a login module that always
>>>>>> validates the user and grants the 'user' role.
>>>>>>
>>>>>> After a successful login, on the servlet, an EJBAccessException is
>>>>>> always thrown, and the weird part is that the tomcat realm (as seen on
>>>>>> request.isUserInRole('user')) is using the login information correctly,
>>>>>> but the EJB is not. That's why I've reported another issue,
>>>>>> http://issues.apache.org/jira/browse/OPENEJB-902, where I said
>>>>>> that the TomcatSecurityService should delegate the isCallerInRole() to
>>>>>> realm.hasRole(), but, as stated previously by Dain
>>>>>> (http://www.nabble.com/Re%3A-TomcatSecurityService-p19125345.html),
>>>>>> this is done under the hood by the JACC implementation.
>>>>>>
>>>>>>
>>>>> Hi Luis,
>>>>>
>>>>> Looking at Dain's response it seems like the ejb isCallerInRole
>>>>> ultimately does delegate to
>>>>> user.getRealm().hasRole(user.getTomcatPrincipal(), logicalRole) to
>>>>> determine if a user has a role.  Looking at your reply it wasn't clear
>>>>> to me if you tried the example Dain made.  Were you able to get that to
>>>>> work?  That would help us determine where the issue might be.
>>>>>
>>>>> -David
>>>>>
>>>>>
>>>>>
>>>>
>>
>
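
The principal-unwrapping behaviour discussed in this thread, as an added example that is not part of the original messages and is not Tomcat or OpenEJB source. The classes `JaasUser`, `GenericPrincipalModel` and `realmHasRole` are hypothetical, simplified stand-ins that follow only what the messages describe about GenericPrincipal, Request and RealmBase.hasRole.

```java
import java.security.Principal;
import java.util.Collections;
import java.util.Set;

// Simplified model of the classes named in the thread (assumed shapes, not the real sources).
public class PrincipalUnwrapDemo {

    /** Stand-in for the principal a JAAS login module produces. */
    static class JaasUser implements Principal {
        private final String name;
        JaasUser(String name) { this.name = name; }
        public String getName() { return name; }
    }

    /** Stand-in for GenericPrincipal: carries the roles, optionally wraps a user principal. */
    static class GenericPrincipalModel implements Principal {
        private final String name;
        private final Set<String> roles;
        private final Principal userPrincipal;
        GenericPrincipalModel(String name, Set<String> roles, Principal userPrincipal) {
            this.name = name;
            this.roles = roles;
            // Per the thread: with no userPrincipal argument, getUserPrincipal() returns the wrapper.
            this.userPrincipal = (userPrincipal != null) ? userPrincipal : this;
        }
        public String getName() { return name; }
        Principal getUserPrincipal() { return userPrincipal; }
        boolean hasRole(String role) { return roles.contains(role); }
    }

    /** Stand-in for RealmBase.hasRole: it can only answer for the role-carrying wrapper type. */
    static boolean realmHasRole(Principal p, String role) {
        return (p instanceof GenericPrincipalModel) && ((GenericPrincipalModel) p).hasRole(role);
    }

    public static void main(String[] args) {
        Set<String> roles = Collections.singleton("user");
        // CustomRealm case: wrapper built without a user principal.
        GenericPrincipalModel custom = new GenericPrincipalModel("alice", roles, null);
        // JAASRealm case: wrapper always built with the login module's principal.
        GenericPrincipalModel jaas = new GenericPrincipalModel("alice", roles, new JaasUser("alice"));

        // getUserPrincipal() path: the realm sees whatever the wrapper hands back.
        System.out.println("custom via getUserPrincipal: " + realmHasRole(custom.getUserPrincipal(), "user"));
        System.out.println("jaas   via getUserPrincipal: " + realmHasRole(jaas.getUserPrincipal(), "user"));
        // getPrincipal() path: the realm sees the wrapper itself, roles included.
        System.out.println("jaas   via getPrincipal:     " + realmHasRole(jaas, "user"));
    }
}
```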

