2 Replies Latest reply on Apr 13, 2005 11:41 AM by Scott Stark

    jaas_howto: isUserInRole() doesn't work?

    Oleg Timoshenko Newbie

      Gents, in jaas_howto the first link on the main page is:

      1. Invoke PublicSession.echo() as java, echoman [PASS]

      it calls the servlet (EJBServlet), secured by the web container to the "Echo" userRole.
      The user "java" logs in and is granted the "Echo" role. Therefore, the result is displayed. But if I modify the code of this servlet adding this statement:
      out.println(request.isUserInRole("Echo"));
      it will output "false".

      I'm a little bit confused - the secured servlet is invoked, so the user is granted the role, but isUserInRole("Echo") states that he's not!

I tried adding <security-role-ref> to tag in the web.xml, added <security-role> entries into jboss-web.xml, but nothing has changed.
      I've read all chapters related to security in admin guide but couldn't find what's wrong.

      Can anybody tell me, what's wrong?

        • 1. Re: jaas_howto: isUserInRole() doesn't work?
          Oleg Timoshenko Newbie

OK, I'll rephrase the question:

the secured JSP page calls the secured EJB. Both are inside the same EAR and both are secured in the same security domain. Both security constraints allow access only to users with the "role1" role.

          JSP has this scriptlet:
          <% out.println(request.isUserInRole("role1"));%>

right after it, it calls the EJB, which has this code in its method:
          System.out.println(sessionContext.isCallerInRole("role1"));

          the result: user with role1 granted gets access to both JSP and EJB. JSP outputs FALSE, while EJB outputs TRUE.


          Both deployment descriptors have <security-role-ref> elements like this:
          <security-role-ref>
          <role-name>role1</role-name>
          <role-link>role1</role-link>
          </security-role-ref>

          and both web.xml and ejb-jar.xml have correct corresponding <security-role> element for "role1".

Can anybody tell me what's wrong with the web container?

          By the way, if I deploy only war (with EJB call removed) onto standalone Tomcat, configured to use same security realm, the JSP works fine - it outputs TRUE!
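Added example, not taken from the thread or from the jaas_howto itself: a minimal Servlet 2.4 web.xml that shows where each element feeding request.isUserInRole("role1") lives. The point it illustrates is that <security-role-ref> is a child of a <servlet> element (the tag name that is missing from the first post), that <role-name> must equal the literal string handed to isUserInRole(), and that <role-link> must name a declared <security-role>. A JSP gets a <security-role-ref> only if it is itself declared as a servlet via <jsp-file>. The servlet class, JSP path, URL patterns and realm name are placeholders chosen for this example.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Added example (not the thread's or the howto's own descriptor).
     Servlet class, JSP path, URL patterns and realm name are placeholders. -->
<web-app xmlns="http://java.sun.com/xml/ns/j2ee"
         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xsi:schemaLocation="http://java.sun.com/xml/ns/j2ee
                             http://java.sun.com/xml/ns/j2ee/web-app_2_4.xsd"
         version="2.4">

  <servlet>
    <servlet-name>EJBServlet</servlet-name>
    <servlet-class>example.EJBServlet</servlet-class> <!-- placeholder class -->

    <!-- The reference sits inside <servlet>, not directly under <web-app>.
         role-name: the string passed to request.isUserInRole("role1")
         role-link: the declared <security-role> that string resolves to -->
    <security-role-ref>
      <role-name>role1</role-name>
      <role-link>role1</role-link>
    </security-role-ref>
  </servlet>

  <!-- A JSP only has a place for a role reference when it is declared
       as a servlet through <jsp-file>; a bare .jsp on disk has none. -->
  <servlet>
    <servlet-name>RoleCheckJsp</servlet-name>
    <jsp-file>/rolecheck.jsp</jsp-file>  <!-- placeholder JSP -->
    <security-role-ref>
      <role-name>role1</role-name>
      <role-link>role1</role-link>
    </security-role-ref>
  </servlet>

  <servlet-mapping>
    <servlet-name>EJBServlet</servlet-name>
    <url-pattern>/EJBServlet</url-pattern>
  </servlet-mapping>
  <servlet-mapping>
    <servlet-name>RoleCheckJsp</servlet-name>
    <url-pattern>/rolecheck.jsp</url-pattern>
  </servlet-mapping>

  <!-- Authorization: this is what forces the container to authenticate
       the caller and admit only holders of role1. It does not by itself
       make isUserInRole() answer true; the role reference above does. -->
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Secured</web-resource-name>
      <url-pattern>/EJBServlet</url-pattern>
      <url-pattern>/rolecheck.jsp</url-pattern>
    </web-resource-collection>
    <auth-constraint>
      <role-name>role1</role-name>
    </auth-constraint>
  </security-constraint>

  <login-config>
    <auth-method>BASIC</auth-method>
    <realm-name>JAAS HowTo</realm-name>  <!-- placeholder realm name -->
  </login-config>

  <!-- Every role used in an auth-constraint or as a role-link
       must be declared here. -->
  <security-role>
    <role-name>role1</role-name>
  </security-role>
</web-app>
```

The EJB side in reply 1 is wired the same way: in ejb-jar.xml the <security-role-ref> goes inside the bean's own <session> (or <entity>) element, and the <security-role> it links to is declared under <assembly-descriptor>. When the web tier reports false while the EJB reports true for the same principal, the first thing to compare is whether the web descriptor actually has a <servlet> element carrying the reference for the resource being tested, since a plain JSP file has nowhere to put one.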

          • 2. Re: jaas_howto: isUserInRole() doesn't work?
            Scott Stark Master

I just updated the howto and tried it on 4.0.1sp1 and it works as expected:

            EJBServlet Accessed
            
            You have accessed this servlet as user: caller_java
            isUserInRole('Echo'): true
            The SecuredEJB.echo('Hello') returned: Hello
            


            Browse the release notes for fixes on caller role behavior.