Is this a FAQ, or a silly question?
After debugging the jboss code, i found that the reason why the servlet is able to invoke the method on bean is because, somehow it is able to get the right role, which is required by the bean.
I put a breakpoint in the OILServerILService at the following line:
case OILConstants.AUTHENTICATE: result = server.authenticate((String)in.readObject(), (String)in.readObject()); break;
Also, i placed a breakpoint in SecurityManager class:
public String authenticate(String user, String password) throws JMSException
The value that gets passed on to the method is the user name and password(in my case "admin","adminPassword"). The role corresponding to "admin" has the privilege to invoke the method on bean. Hence i am able to access the bean.
But, my question still remains as to how and where is this username and password obtained, to be passed on to the SecurityManager, since i havent mentioned any of these as parameters to the startup servlet.
Can anyone please answer this. I have been trying to figure this out for the past few days.
And here's an extract from the web.xml file:
<servlet> <servlet-name>AppStartupServlet</servlet-name> <servlet-class>com.app.servlet.StartupServlet</servlet-class> <load-on-startup>1</load-on-startup> </servlet> <security-constraint> <web-resource-collection> <web-resource-name>My app</web-resource-name> <url-pattern>/jsp/*</url-pattern> <url-pattern>*.do</url-pattern> <url-pattern>*.jsp</url-pattern> <url-pattern>/servlet/*</url-pattern> <url-pattern>/servlet/DisplayChart</url-pattern> <http-method>GET</http-method> <http-method>POST</http-method> </web-resource-collection> <auth-constraint> <role-name>dev</role-name> <role-name>admin</role-name> <role-name>user</role-name> </auth-constraint> </security-constraint> <login-config> <auth-method>BASIC</auth-method> <realm-name>JBoss HTTP Invoker</realm-name> </login-config> <security-role> <role-name>dev</role-name> </security-role> <security-role> <role-name>admin</role-name> </security-role> <security-role> <role-name>tapuser</role-name> </security-role>