1. Re: servlet call EJB secured -> Authentication exception, pr
pedrosalazar Jul 5, 2004 10:25 AM (in response to pedrosalazar)
Hi,
Apparently, the problem is not a failure of the role permission verification, but a problem of a null user authentication. I mean, I set the run-as role in my web.xml, but since I didn't define any authentication in my web application, the principal was always null.
I imagine the workflow something like this:
1) User authentication
2) role permission
So, if in step 1) there isn't any user, the role permission verification in 2) will always fail, probably because of this:

    java.security.Principal getCallerPrincipal()
    boolean isCallerInRole(String roleName)

I worked around this by setting a dummy user in login-config.xml for the "other" profile to avoid the null principal:

    <authentication>
      <login-module code = "org.jboss.security.auth.spi.UsersRolesLoginModule"
                    flag = "required" >
        <module-option name = "unauthenticatedIdentity">nobody</module-option>
      </login-module>
    </authentication>

So, I would like to ask a new question:
- How can I set a Principal in my servlet code for the JAAS authentication in a programmatic way?
If the Principal is null, then I set a dummy Principal, and using the "run-as" element in web.xml, I could solve the problem...
The advantage is avoiding a specific JBOSS configuration, even though I'm developing for JBOSS.
Regards,
Pedro Salazar.
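
An added example, not from the thread or from the JBoss project: the workaround above, scoped to a dedicated security domain instead of the shared "other" policy, so that only this application maps an unauthenticated caller to nobody. The domain name myapp and the file locations shown in the comments are assumptions.

```xml
<!-- conf/login-config.xml, as in the post: "other" is the fallback policy,
     so every security domain without its own policy also inherits the
     "nobody" identity for unauthenticated callers. -->
<application-policy name="other">
  <authentication>
    <login-module code="org.jboss.security.auth.spi.UsersRolesLoginModule"
                  flag="required">
      <module-option name="unauthenticatedIdentity">nobody</module-option>
    </login-module>
  </authentication>
</application-policy>

<!-- conf/login-config.xml, scoped alternative: the same module option in a
     policy of its own ("myapp" is an assumed name), leaving "other" without
     an unauthenticated identity. -->
<application-policy name="myapp">
  <authentication>
    <login-module code="org.jboss.security.auth.spi.UsersRolesLoginModule"
                  flag="required">
      <module-option name="unauthenticatedIdentity">nobody</module-option>
    </login-module>
  </authentication>
</application-policy>

<!-- WEB-INF/jboss-web.xml of the web application (assumed location):
     binds the servlet side to the scoped domain. -->
<jboss-web>
  <security-domain>java:/jaas/myapp</security-domain>
</jboss-web>

<!-- META-INF/jboss.xml of the EJB jar (assumed location): binds the
     secured beans to the same domain. -->
<jboss>
  <security-domain>java:/jaas/myapp</security-domain>
</jboss>
```

The nobody identity carries no roles of its own here; the role seen by the EJB still comes from the run-as element in web.xml, as described in the post.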
2. Re: servlet call EJB secured -> Authentication exception, pr
starksm64 Jul 7, 2004 4:34 PM (in response to pedrosalazar)
You can't. There is no portable spec method for establishing the anonymous caller identity.