request.isUserInRole("some-role") always return false after @EJB injection
--------------------------------------------------------------------------

                 Key: GERONIMO-4119
                 URL: https://issues.apache.org/jira/browse/GERONIMO-4119
             Project: Geronimo
          Issue Type: Bug
      Security Level: public (Regular issues)
          Components: AsyncHttpClient, OpenEJB, Tomcat, web
    Affects Versions: 2.0.2
         Environment: Geronimo 2.0.2 running on Debian Etch with Java 1.5.0_14
            Reporter: Stig Even Larsen
            Priority: Blocker


See mailing list discussion: 
http://www.nabble.com/request.isUserInRole%28%22some-role%22%29-always-return-false-after-%40EJB-injection-td17862975s134.html

To recreate the malfunction you need to do the following:

1. Create an EAR with a local session bean and a war

2. Use the default console security realm (geronimo-admin) for protecting the {context-path}/protected/* area. Create a new group named "partnergroup" and add the "system" user to it. Map the "partnergroup" to the partners role in the deployment descriptor (geronimo-web.xml)

3. Create a simple but form protected (j_security_check) *jsp* page ex: {context-path}/protected/test.jsp.
{code:title=/protected/test.jsp|borderStyle=solid}
<%@page contentType="text/html" pageEncoding="UTF-8"%>
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"
   "http://www.w3.org/TR/html4/loose.dtd">

<html>
    <head>
        <meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
        <title>JSP Test</title>
    </head>
    <body>
        <h2>Role test</h2>
        <%if(request.isUserInRole("partners")){%>
            user is partner :)
        <%}else{%>
            user is NOT partner :(
        <%}%>
    </body>
</html>

{code}

4. Create a simple Session Bean (EJB) with a simple local method:
{code:title=TimeUtilsBean.java|borderStyle=solid}
@Stateless
public class TimeUtilsBean implements TimeUtilsLocal {

    public String getString() {
        return "Hello from Stateless EJB!";
    }
 
}

{code}

5. Create a simple but form protected (j_security_check) *Servlet* that uses the local EJB (ex: {context-path}/protected/info)

{code:title=/protected/Info.java|borderStyle=solid}
import java.io.*;
import java.net.*;

import javax.ejb.EJB;
import javax.servlet.*;
import javax.servlet.http.*;
import javax.naming.*;
import javax.annotation.security.*;

import no.nimra.geronimo.test.TimeUtilsLocal;
import no.nimra.nis.admin.ejb.*;

@DeclareRoles({"administrators", "partners", "users"})
public class Info extends HttpServlet {
    @EJB
    private TimeUtilsLocal timeUtilsBean;

    
    
    protected void processRequest(HttpServletRequest request, HttpServletResponse response)
            throws ServletException, IOException {
        response.setContentType("text/html;charset=UTF-8");
        PrintWriter out = response.getWriter();

        out.println("SessionID: " + request.getRequestedSessionId());
        System.out.println("Principal: " + request.getUserPrincipal().getName());

        if (request.isUserInRole("partners")) {
            System.out.println("User has partners-role...");
            out.println("User has partners-role...");
        } else {
            System.out.println("User has NOT partners-role...");
            out.println("User has NOT partners-role...");
        }

        try {
            out.println("<html>");
            out.println("<head>");
            out.println("<title>Servlet Info</title>");
            out.println("</head>");
            out.println("<body>");
            out.println("<h1> " + request.getContextPath() + "</h1>");
            if (request.getUserPrincipal() != null) {
                out.println("Principal: " + request.getUserPrincipal().getName());
            }
            out.println(timeUtilsBean.getString());
            out.println("</body>");
            out.println("</html>");


        } finally {
            out.close();
        }
    }

    protected void doGet(HttpServletRequest request, HttpServletResponse response)
            throws ServletException, IOException {
        processRequest(request, response);
    }

    protected void doPost(HttpServletRequest request, HttpServletResponse response)
            throws ServletException, IOException {
        processRequest(request, response);
    }

}
{code}


Description:

Access http://{context-path}/protected/test.jsp. After successful login you will see that your login has the "partners" role. As expected.
If you access the servlet at http://{context-path}/protected/info you will notice that you do not have the "partners" role.
If you remove the @EJB injection it behaves as expected.



-- 
This message is automatically generated by JIRA.