Replies:
2
-
Last Post:
Sep 17, 2008 6:20 PM
by: dcam
How does an EJB invocation from outside glassfish get assigned roles?
Posted:
Sep 16, 2008 12:46 AM
I've got a situation where one GlassFish instance (external front end) hosting a web deployment is talking to another GlassFish instance hosting EJBs and the same web deployment (internal front end).
The internal web works just fine talking to its EJBs, but the external one can't call the EJBs. Although the calls are making it through to the EJB tier, the backend is refusing them with "javax.ejb.AccessLocalException: Client not authorized for this invocation" (logged in the GlassFish instance hosting the EJBs).
The username of the caller (rto) is being propagated through to the backend, since the backend logs the caller name:
(principals com.sun.enterprise.deployment.PrincipalImpl "rto")
But even though the roles available at the external front end are properly assigned, the backend doesn't seem to associate the caller with the roles it is supposed to have.
The GlassFish instance has activate-default-principal-to-role-mapping="true" and the group-to-role mappings are also explicitly declared in the sun-ejb-jar.xml and sun-web.xml.
The backend says:
[#|2008-09-16T12:17:36.170+0930|INFO|sun-appserver9.1|javax.enterprise.system.core.security|_ThreadID=29;_ThreadName=p: thread-pool-1; w: 18;|JACC Policy Provider: PolicyWrapper.implies, context(tlc-ejb/tlc-ejb)- permission((javax.security.jacc.EJBMethodPermission UserServiceBean getUser,Remote,)) domain that failed(ProtectionDomain (file:/tlc-ejb/tlc-ejb <no signer certificates>)
I haven't found much helpful documentation on all this.
How can I make GlassFish look up the groups for the user using its appropriate security module and map them to roles?
Re: How does an EJB invocation from outside glassfish get assigned roles?
Posted:
Sep 16, 2008 11:04 AM
in response to: dcam
(As I think you have concluded) for the remote invocation, the web container includes an identity assertion in the RMI/IIOP message it sends to the EJB container. The identity assertion contains only the caller principal; it does not contain the caller's group principals. When the identity assertion arrives at the remote container, the caller's group principals should be added to the security context, but that is not happening. For a local web-to-EJB invocation, the security context is shared such that the groups are preserved across the network.
If you are able to include a caller-based p2r mapping on the remote system, that would be one way to work around the problem. You can see a related posting here:
http://forums.java.net/jive/thread.jspa?messageID=285659
This is a known problem, and should be resolved approximately as described in the above issue. That is, the realm of the receiving system should be consulted (during processing of the identity assertion) to add the appropriate groups to the security context.
There is an open GlassFish issue to fix this, see
https://glassfish.dev.java.net/issues/show_bug.cgi?id=3873
You may want to refer to it in any other posts on this problem. I'll see if we can expedite its resolution.
Thanks,
Ron
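The caller-based principal-to-role mapping Ron suggests, written out as an added example (not from this thread or from GlassFish itself). The bean name UserServiceBean and the caller rto are taken from the log above; the role name `user`, the group name `users` and the descriptor DOCTYPE version are assumptions.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE sun-ejb-jar PUBLIC "-//Sun Microsystems, Inc.//DTD Application Server 9.0 EJB 3.0//EN"
  "http://www.sun.com/software/appserver/dtds/sun-ejb-jar_3_0-0.dtd">
<!-- sun-ejb-jar.xml on the GlassFish instance hosting the EJBs (descriptor version assumed). -->
<sun-ejb-jar>
  <security-role-mapping>
    <!-- Role "user" (assumed name) is granted to members of group "users" (assumed name).
         This is enough for local web-to-EJB calls, whose shared security context still
         carries the caller's group principals. -->
    <role-name>user</role-name>
    <group-name>users</group-name>
    <!-- Work-around for the remote case: the identity assertion carries only the caller
         principal and no groups, so map that principal to the role directly. Every remote
         caller must be listed this way, which is why it is a stopgap until issue 3873 is fixed. -->
    <principal-name>rto</principal-name>
  </security-role-mapping>
  <enterprise-beans>
    <ejb>
      <ejb-name>UserServiceBean</ejb-name>
    </ejb>
  </enterprise-beans>
</sun-ejb-jar>
```

The standard ejb-jar.xml on the same backend must still grant that role-name to UserServiceBean's methods through a method-permission element; the mapping above only decides which principals hold the role.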
Re: How does an EJB invocation from outside glassfish get assigned roles?
Posted:
Sep 17, 2008 6:20 PM
in response to: monzillo
Thank you very much for your reply. It pointed me in the right direction.
I have created a patch that *seems* to solve this problem. I have attached it to the bug you linked above.