[ https://issues.apache.org/jira/browse/GERONIMO-4119?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12605674#action_12605674 ]
David Jencks commented on GERONIMO-4119:
----------------------------------------

Fixed in trunk in rev 668765. I'll port to other branches after I see about a test case.

BTW this specific problem of the injection causing the wrong ContextID is not likely to be a problem on jetty since there we create all the servlets up front before any requests are encountered. However checking a role-ref after calling an ejb would still see the problem.

> request.isUserInRole("some-role") always return false after @EJB injection
> --------------------------------------------------------------------------
>
>                 Key: GERONIMO-4119
>                 URL: https://issues.apache.org/jira/browse/GERONIMO-4119
>             Project: Geronimo
>          Issue Type: Bug
>      Security Level: public(Regular issues)
>          Components: OpenEJB, Tomcat, web
>    Affects Versions: 2.0, 2.0.1, 2.0.2, 2.1, 2.1.1
>         Environment: Geronimo 2.0.2 running on Debian Etch with Java 1.5.0_14
>            Reporter: Stig Even Larsen
>            Assignee: David Jencks
>            Priority: Blocker
>             Fix For: 2.0.x, 2.1.2, 2.1.x, 2.2
>
>
> See mailing list discussion:
> http://www.nabble.com/request.isUserInRole%28%22some-role%22%29-always-return-false-after-%40EJB-injection-td17862975s134.html
>
> To recreate the malfunction you need to do the following:
>
> 1. Create an EAR with a local session bean and a war
>
> 2. Use the default console security realm (geronimo-admin) for protecting the
> {context-path}/protected/* area.
> Create a new group named "partnergroup" and add the "system" user to it. Map
> the "partnergroup" to the partners role in the deployment descriptor
> (geronimo-web.xml).
>
> 3. Create a simple but form protected (j_security_check) *jsp* page, ex:
> {context-path}/protected/test.jsp.
> {code:title=/protected/test.jsp|borderStyle=solid}
> <%@page contentType="text/html" pageEncoding="UTF-8"%>
> <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"
>    "http://www.w3.org/TR/html4/loose.dtd">
> <html>
>     <head>
>         <meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
>         <title>JSP Test</title>
>     </head>
>     <body>
>         <h2>Role test</h2>
>         <%if(request.isUserInRole("partners")){%>
>         user is partner :)
>         <%}else{%>
>         user is NOT partner :(
>         <%}%>
>     </body>
> </html>
> {code}
>
> 4. Create a simple Session Bean (EJB) with a simple local method:
>
> {code:title=TimeUtilsBean.java|borderStyle=solid}
> import javax.ejb.Stateless;
>
> @Stateless
> public class TimeUtilsBean implements TimeUtilsLocal {
>     public String getString() {
>         return "Hello from Stateless EJB!";
>     }
> }
> {code}
>
> 5. Create a simple but form protected (j_security_check) *Servlet* that uses
> the local EJB (ex: {context-path}/protected/info)
>
> {code:title=/protected/Info.java|borderStyle=solid}
> import java.io.*;
> import java.net.*;
> import javax.ejb.EJB;
> import javax.servlet.*;
> import javax.servlet.http.*;
> import javax.naming.*;
> import javax.annotation.security.*;
> import no.nimra.geronimo.test.TimeUtilsLocal;
> import no.nimra.nis.admin.ejb.*;
>
> @DeclareRoles({"administrators", "partners", "users"})
> public class Info extends HttpServlet {
>
>     @EJB
>     private TimeUtilsLocal timeUtilsBean;
>
>     protected void processRequest(HttpServletRequest request, HttpServletResponse response)
>             throws ServletException, IOException {
>         response.setContentType("text/html;charset=UTF-8");
>         PrintWriter out = response.getWriter();
>         out.println("SessionID: " + request.getRequestedSessionId());
>         System.out.println("Principal: " + request.getUserPrincipal().getName());
>         if (request.isUserInRole("partners")) {
>             System.out.println("User has partners-role...");
>             out.println("User has partners-role...");
>         } else {
>             System.out.println("User has NOT partners-role...");
>             out.println("User has NOT partners-role...");
>         }
>         try {
>             out.println("<html>");
>             out.println("<head>");
>             out.println("<title>Servlet Info</title>");
>             out.println("</head>");
>             out.println("<body>");
>             out.println("<h1> " + request.getContextPath() + "</h1>");
>             if (request.getUserPrincipal() != null) {
>                 out.println("Principal: " + request.getUserPrincipal().getName());
>             }
>             out.println(timeUtilsBean.getString());
>             out.println("</body>");
>             out.println("</html>");
>         } finally {
>             out.close();
>         }
>     }
>
>     protected void doGet(HttpServletRequest request, HttpServletResponse response)
>             throws ServletException, IOException {
>         processRequest(request, response);
>     }
>
>     protected void doPost(HttpServletRequest request, HttpServletResponse response)
>             throws ServletException, IOException {
>         processRequest(request, response);
>     }
> }
> {code}
>
> Description:
> Access http://{context-path}/protected/test.jsp. After successful login you
> will see that your login has the "partners" role. As expected.
> If you access the servlet at http://{context-path}/protected/info you will
> notice that you do not have the "partners" role.
> If you remove the @EJB injection it behaves as expected.

--
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.