So in web apps, the developer provides a list of roles in web.xml,
and then we let you map any principals from any Geronimo security realms
to the J2EE roles using the <security> element in geronimo-web.xml (it's 
quite possible to allow principals from multiple realms).

        However, on top of that, there's a <security-realm-name> element 
in geronimo-web.xml, which appears to be used by Jetty and not Tomcat.  
This appears to be used to set the JettyJAASRealm on the 
JettyWebAppContext (see JettyWebAppContext.java:257).

        I'm assuming that when you log in to Jetty, it authenticates you 
against the security realm named in the <security-realm-name> element, and 
then authorizes you against the mappings performed in the <security> 
element.  So logically, it wouldn't help you to include principals from 
any other realm in the <security> element, but we don't enforce that in 
the schemas.

        If that's true, then what realm does Tomcat authenticate against?  
And what realm do EJBs authenticate against?  Both Tomcat and EJBs appear
to only use the <security> element (Tomcat ignores the
<security-realm-name> element AFAICT and openejb-jar.xml doesn't have
one).

Thanks,
        Aaron
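Added example, not part of the original message or of Geronimo's own code: a lint for the check the message says the schemas do not enforce, reporting role mappings whose principals come from a realm other than the one named in <security-realm-name>. The role-mappings/role/realm/principal nesting, the realm-name and role-name attributes, and the sample plan are assumptions constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed sample plan; element layout and all names are assumptions.
SAMPLE_PLAN = """<web-app xmlns="http://example.invalid/constructed-web-plan">
  <context-root>/demo</context-root>
  <security-realm-name>ldap-realm</security-realm-name>
  <security>
    <role-mappings>
      <role role-name="admin">
        <realm realm-name="ldap-realm">
          <principal class="example.GroupPrincipal" name="admins"/>
        </realm>
        <realm realm-name="properties-realm">
          <principal class="example.UserPrincipal" name="system"/>
        </realm>
      </role>
    </role-mappings>
  </security>
</web-app>"""

def local(tag):
    """Drop the XML namespace so the check does not depend on the schema URI."""
    return tag.rsplit("}", 1)[-1]

def children(parent, name):
    """Direct children of parent whose local tag name matches."""
    return [e for e in parent if local(e.tag) == name]

def cross_realm_mappings(plan_xml):
    """Return (login_realm, [(role, realm, principal), ...]) for mappings
    whose realm differs from the one in <security-realm-name>."""
    root = ET.fromstring(plan_xml)
    login_realm = next((e.text.strip() for e in root.iter()
                        if local(e.tag) == "security-realm-name" and e.text), None)
    if login_realm is None:
        # No login realm declared in the plan: nothing to compare against.
        return None, []
    findings = []
    for role in (e for e in root.iter() if local(e.tag) == "role"):
        for realm in children(role, "realm"):
            if realm.get("realm-name") != login_realm:
                for principal in children(realm, "principal"):
                    findings.append((role.get("role-name"),
                                     realm.get("realm-name"),
                                     principal.get("name")))
    return login_realm, findings

if __name__ == "__main__":
    print(cross_realm_mappings(SAMPLE_PLAN))
```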
