1 Reply Latest reply on Apr 23, 2003 12:57 PM by nparab

    Servlet run-as

    glum Newbie

      I have a big problem. I try to call a secured EJB from an unauthorized servlet. I thought that this is possible by assigning a security role in the web.xml run-as element. But when I make an EJB call, the servlet tries to authorize itself with a "null" Principal through my custom login module. My assumption was that if a servlet runs under a security role which is authorized to access an EJB, there is no need to authenticate itself. I have read the EJB specs, the JBoss book, and the J2EE specs, but nothing helps. (I went through all this in the last 3 weeks + XDoclet, Struts, Ant, ... and I am completely overwhelmed.) My brain is just before collapse. This is my last chance!!

      If there is someone willing to help I will send the code.

      Thanks in advance.

        • 1. Re: Servlet run-as
          nparab Newbie

          Just posting a copy in this forum, in case you didn't read my reply in the other forum.

          =====================================================

          glum,

          I might have found a solution for you. Instead of using 'run-as role', you manually log in to the ejb security layer from your servlet using a user-id and password which belong to that role.

          This article will clarify:
          http://www.luminis.nl/publications/websecurity.html

          You could use the ClientLoginModule (described in the article) from your servlet to log in to the ejb security layer. Since your servlet is unsecured, you cannot get the user-id and password from the HttpSession as described in the article. Instead, you could use a fixed user-id and password, probably passed as init-parameters to the servlet from web.xml. This user-id should have the role required for the ejb.

          Let me know if this works for you.
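
The approach suggested in the reply above, sketched as an added example that is not part of the original posts or of the linked article. The servlet class name, the init-parameter names `ejbUser` and `ejbPassword`, and the JAAS entry name `client-login` (assumed to be configured with JBoss's `ClientLoginModule`) are assumptions.

```java
import java.io.IOException;
import javax.security.auth.callback.*;
import javax.security.auth.login.LoginContext;
import javax.security.auth.login.LoginException;
import javax.servlet.ServletException;
import javax.servlet.http.*;

// Hypothetical servlet; the init-param names are assumptions set in web.xml.
public class EjbCallerServlet extends HttpServlet {

    protected void doGet(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        final String user = getInitParameter("ejbUser");
        final String password = getInitParameter("ejbPassword");
        if (user == null || password == null) {
            // Fail closed instead of calling the EJB with a null principal.
            throw new ServletException("EJB credentials not configured");
        }
        // Hands the fixed credentials to the login module named by the JAAS entry.
        CallbackHandler handler = new CallbackHandler() {
            public void handle(Callback[] cbs) throws UnsupportedCallbackException {
                for (int i = 0; i < cbs.length; i++) {
                    if (cbs[i] instanceof NameCallback) {
                        ((NameCallback) cbs[i]).setName(user);
                    } else if (cbs[i] instanceof PasswordCallback) {
                        ((PasswordCallback) cbs[i]).setPassword(password.toCharArray());
                    } else {
                        throw new UnsupportedCallbackException(cbs[i]);
                    }
                }
            }
        };
        LoginContext lc = null;
        try {
            // Assumed JAAS entry name; it must point at ClientLoginModule.
            lc = new LoginContext("client-login", handler);
            lc.login();
            // Look up the EJB home and call the secured bean here; the call
            // is made under the identity established by lc.login().
            resp.getWriter().println("EJB call completed");
        } catch (LoginException e) {
            throw new ServletException("Login to EJB security layer failed", e);
        } finally {
            // Drop the identity before the thread returns to the container's pool.
            if (lc != null) {
                try { lc.logout(); } catch (LoginException ignored) { }
            }
        }
    }
}
```

A password stored as an init-parameter is readable by anyone who can read the deployed web.xml, so the account behind it should hold only the role the EJB requires and the descriptor's file permissions should be restricted accordingly.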