1 Reply Latest reply on Apr 23, 2003 12:57 PM by nparab

    Servlet run-as

    glum Newbie

      I have a big problem. I am trying to call a secured EJB from an unauthorized servlet. I thought that this was possible by assigning a security role in the web.xml run-as element. But when I make an EJB call, the servlet tries to authorize itself with a "null" Principal through my custom login module. My assumption was that if a servlet runs under a security role which is authorized to access an EJB, there is no need for it to authenticate itself. I have read the EJB specs, the JBOSS book, and the J2EE specs, but nothing helps. (I went through all this in the last 3 weeks + XDoclet, Struts, Ant,... and I am completely overwhelmed.) My brain is just about to collapse. This is my last chance!!

      If there is someone willing to help I will send the code.

      Thanks in advance.

        • 1. Re: Servlet run-as
          nparab Newbie

          Just posting a copy in this forum, in case you didn't read my reply in the other forum.



          I might have found a solution for you. Instead of using 'run-as role', you manually log in to the ejb security layer from your servlet using a user-id and password which belong to that role.

          This article will clarify:

          You could use the ClientLoginModule (described in the article) from your servlet to log in to the ejb security layer. Since your servlet is unsecured, you cannot get the user-id and password from the HttpSession as described in the article. Instead, you could use a fixed user-id and password, probably passed as init-parameters to the servlet from web.xml. This user-id should have the role required for the ejb.

          Let me know if this works for you.
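
The approach suggested in the reply above, sketched as an added example (not code from either poster or from JBoss): an unsecured servlet reads a fixed user-id and password from its init-parameters and performs a JAAS login before the EJB call. Assumptions: the init-param names `ejbUser` and `ejbPassword` and the class name are hypothetical, and a JAAS configuration entry named `client-login` is assumed to map to `org.jboss.security.ClientLoginModule`.

```java
import java.io.IOException;
import javax.security.auth.callback.*;
import javax.security.auth.login.LoginContext;
import javax.security.auth.login.LoginException;
import javax.servlet.ServletException;
import javax.servlet.http.*;

public class EjbCallerServlet extends HttpServlet {   // hypothetical class name
    private String user;
    private char[] password;

    public void init() throws ServletException {
        // Hypothetical init-param names, declared under <servlet> in web.xml.
        user = getInitParameter("ejbUser");
        String pw = getInitParameter("ejbPassword");
        if (user == null || pw == null) {
            throw new ServletException("ejbUser and ejbPassword init-params are required");
        }
        password = pw.toCharArray();
    }

    protected void doGet(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        // Supplies the fixed credentials to whichever login module asks for them.
        CallbackHandler handler = new CallbackHandler() {
            public void handle(Callback[] cbs) throws UnsupportedCallbackException {
                for (int i = 0; i < cbs.length; i++) {
                    if (cbs[i] instanceof NameCallback) {
                        ((NameCallback) cbs[i]).setName(user);
                    } else if (cbs[i] instanceof PasswordCallback) {
                        ((PasswordCallback) cbs[i]).setPassword(password);
                    } else {
                        throw new UnsupportedCallbackException(cbs[i]);
                    }
                }
            }
        };
        LoginContext lc = null;
        try {
            // "client-login" is the assumed JAAS entry name for ClientLoginModule.
            lc = new LoginContext("client-login", handler);
            lc.login();   // attaches the credentials to subsequent EJB invocations
            // ... look up and invoke the secured EJB here; the EJB container's
            // security domain performs the actual authentication and role check ...
        } catch (LoginException e) {
            throw new ServletException("Login to the EJB security layer failed", e);
        } finally {
            // Always drop the identity so it does not leak to later requests.
            if (lc != null) { try { lc.logout(); } catch (LoginException ignored) { } }
        }
    }
}
```

Because the password sits in web.xml in clear text, the account should hold only the role the EJB requires, and read access to the deployed archive should be restricted accordingly.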