request.isUserInRole("some-role") always returns false after @EJB injection
--------------------------------------------------------------------------
                 Key: GERONIMO-4119
                 URL: https://issues.apache.org/jira/browse/GERONIMO-4119
             Project: Geronimo
          Issue Type: Bug
      Security Level: public (Regular issues)
          Components: AsyncHttpClient, OpenEJB, Tomcat, web
    Affects Versions: 2.0.2
         Environment: Geronimo 2.0.2 running on Debian Etch with Java 1.5.0_14
            Reporter: Stig Even Larsen
            Priority: Blocker


See mailing list discussion: http://www.nabble.com/request.isUserInRole%28%22some-role%22%29-always-return-false-after-%40EJB-injection-td17862975s134.html

To recreate the malfunction you need to do the following:

1. Create an EAR with a local session bean and a war.
2. Use the default console security realm (geronimo-admin) for protecting the {context-path}/protected/* area. Create a new group named "partnergroup" and add the "system" user to it. Map "partnergroup" to the "partners" role in the deployment descriptor (geronimo-web.xml).
3. Create a simple but form-protected (j_security_check) *jsp* page, e.g. {context-path}/protected/test.jsp:

{code:title=/protected/test.jsp|borderStyle=solid}
<%@page contentType="text/html" pageEncoding="UTF-8"%>
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
<title>JSP Test</title>
</head>
<body>
<h2>Role test</h2>
<%-- Web-tier role check; on this page it reports the role correctly --%>
<%if(request.isUserInRole("partners")){%>
user is partner :)
<%}else{%>
user is NOT partner :(
<%}%>
</body>
</html>
{code}

4. Create a simple Session Bean (EJB) with a simple local method:

{code:title=TimeUtilsBean.java|borderStyle=solid}
import javax.ejb.Stateless;

// TimeUtilsLocal is the bean's @Local business interface
// (imported by the servlet below as no.nimra.geronimo.test.TimeUtilsLocal).
@Stateless
public class TimeUtilsBean implements TimeUtilsLocal {
    public String getString() {
        return "Hello from Stateless EJB!";
    }
}
{code}

5. Create a simple but form-protected (j_security_check) *Servlet* that uses the local EJB (e.g. {context-path}/protected/info):

{code:title=/protected/Info.java|borderStyle=solid}
import java.io.IOException;
import java.io.PrintWriter;

import javax.annotation.security.DeclareRoles;
import javax.ejb.EJB;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

import no.nimra.geronimo.test.TimeUtilsLocal;

@DeclareRoles({"administrators", "partners", "users"})
public class Info extends HttpServlet {

    // Removing this injection makes isUserInRole("partners") behave as expected.
    @EJB
    private TimeUtilsLocal timeUtilsBean;

    protected void processRequest(HttpServletRequest request, HttpServletResponse response)
            throws ServletException, IOException {
        response.setContentType("text/html;charset=UTF-8");
        PrintWriter out = response.getWriter();
        try {
            out.println("<html>");
            out.println("<head>");
            out.println("<title>Servlet Info</title>");
            out.println("</head>");
            out.println("<body>");
            out.println("<h1> " + request.getContextPath() + "</h1>");
            out.println("SessionID: " + request.getRequestedSessionId() + "<br/>");

            // The URL is form-protected, so a principal is expected; guard against null anyway.
            if (request.getUserPrincipal() != null) {
                System.out.println("Principal: " + request.getUserPrincipal().getName());
                out.println("Principal: " + request.getUserPrincipal().getName() + "<br/>");
            }

            // Same check as in test.jsp; here it returns false while the @EJB field is present.
            if (request.isUserInRole("partners")) {
                System.out.println("User has partners-role...");
                out.println("User has partners-role...<br/>");
            } else {
                System.out.println("User has NOT partners-role...");
                out.println("User has NOT partners-role...<br/>");
            }

            out.println(timeUtilsBean.getString());
            out.println("</body>");
            out.println("</html>");
        } finally {
            out.close();
        }
    }

    protected void doGet(HttpServletRequest request, HttpServletResponse response)
            throws ServletException, IOException {
        processRequest(request, response);
    }

    protected void doPost(HttpServletRequest request, HttpServletResponse response)
            throws ServletException, IOException {
        processRequest(request, response);
    }
}
{code}

Description:

Access http://{context-path}/protected/test.jsp. After successful login you will see that your login has the "partners" role. As expected.
If you access the servlet at http://{context-path}/protected/info you will notice that you do not have the "partners" role.
If you remove the @EJB injection it behaves as expected.

-- 
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.
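Added triage example, not part of the reporter's code or of Geronimo: a probe servlet and a stateless bean that report the caller's "partners" role as seen by the web tier (HttpServletRequest.isUserInRole) and by the EJB tier (SessionContext.isCallerInRole) for the same request. Run against the reproduction above, it tells you whether the role is lost only on the HttpServletRequest or also inside the EJB container, which narrows down where the bug sits. The `RoleProbe*` names, the `no.nimra.geronimo.test` package, the `/protected/probe` mapping and the assumption that the EJB deployment plan maps "partners" to the same group are all mine; the role names match the report.

```java
// Added diagnostic example (not from the original report). Class names, the
// package, and the /protected/probe URL are assumptions; the servlet must be
// mapped under the form-protected /protected/* area in web.xml, and the EJB
// deployment plan must map the "partners" role like geronimo-web.xml does.

// --- File: RoleProbeLocal.java ---
package no.nimra.geronimo.test;   // assumed package, matching the report's import

import javax.ejb.Local;

@Local
public interface RoleProbeLocal {
    /** True if the EJB container sees the current caller in the given role. */
    boolean callerInRole(String role);

    /** Caller principal name as seen by the EJB container. */
    String callerName();
}

// --- File: RoleProbeBean.java ---
package no.nimra.geronimo.test;

import javax.annotation.Resource;
import javax.annotation.security.DeclareRoles;
import javax.ejb.SessionContext;
import javax.ejb.Stateless;

// The bean must declare the roles it queries, otherwise isCallerInRole() is undefined for them.
@Stateless
@DeclareRoles({"administrators", "partners", "users"})
public class RoleProbeBean implements RoleProbeLocal {

    @Resource
    private SessionContext ctx;

    public boolean callerInRole(String role) {
        return ctx.isCallerInRole(role);
    }

    public String callerName() {
        return ctx.getCallerPrincipal() == null ? "<none>" : ctx.getCallerPrincipal().getName();
    }
}

// --- File: RoleProbeServlet.java ---  (map to /protected/probe in web.xml)
package no.nimra.geronimo.test;

import java.io.IOException;
import java.io.PrintWriter;

import javax.annotation.security.DeclareRoles;
import javax.ejb.EJB;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

@DeclareRoles({"administrators", "partners", "users"})
public class RoleProbeServlet extends HttpServlet {

    private static final String ROLE = "partners";

    // The same kind of injection that triggers the reported behaviour.
    @EJB
    private RoleProbeLocal probe;

    protected void doGet(HttpServletRequest request, HttpServletResponse response)
            throws ServletException, IOException {
        response.setContentType("text/plain;charset=UTF-8");
        PrintWriter out = response.getWriter();
        try {
            // Web-tier view: what the servlet container reports for this request.
            String webPrincipal = request.getUserPrincipal() == null
                    ? "<none>" : request.getUserPrincipal().getName();
            boolean webRole = request.isUserInRole(ROLE);

            // EJB-tier view: what the EJB container reports for the same caller.
            String ejbPrincipal = probe.callerName();
            boolean ejbRole = probe.callerInRole(ROLE);

            out.println("web principal=" + webPrincipal + " inRole(" + ROLE + ")=" + webRole);
            out.println("ejb principal=" + ejbPrincipal + " inRole(" + ROLE + ")=" + ejbRole);

            // A disagreement between the tiers is the thing to report; do not
            // work around it in application code by hardcoding the role decision.
            if (webRole != ejbRole) {
                out.println("MISMATCH: role seen differently by web and EJB tier");
            }
        } finally {
            out.close();
        }
    }
}
```

Log in as the "system" user (member of "partnergroup") and request /protected/probe. Because the failure in this report is a false negative, it denies legitimate partners rather than granting anyone extra access; the practical risk is that application code "fixes" the symptom by bypassing the role check, so keep the check in place and attach the probe output to the issue instead.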