Authentication does not seem to be working in the Servlets and the EJBs. Here
is the situation:
web.xml:
<web-app>
....
<servlet>
<servlet-name>TSIS</servlet-name>
<display-name>TSIS</display-name>
<servlet-class>com.tsis.servlets.TSISServlet</servlet-class>
</servlet>
<servlet-mapping>
<servlet-name>TSIS</servlet-name>
<url-pattern>/TSIS/*</url-pattern>
</servlet-mapping>
<servlet>
<servlet-name>Login</servlet-name>
<display-name>Login</display-name>
<servlet-class>com.tsis.servlets.auth.Login</servlet-class>
</servlet>
<servlet-mapping>
<servlet-name>Login</servlet-name>
<url-pattern>/Login</url-pattern>
</servlet-mapping>
<login-config>
<auth-method>Basic<auth-method>
<realm-name>Brica<realm-name>
<form-login-config>
<form-login-page>com.tsis.servlets.auth.FormLogin</form-login-page>
<form-error-page></form-error-page>
</form-login-config>
</login-config>
</web-app>
Now, com.tsis.servlets.auth.Login is a servlet that implements Basic
Authentication. This part of basic Authentication works fine, BUT the problem
is that Orion does not stuff the username into the request.getUserPrincipal(),
which then, in turn, causes the EJB's EntityContext.getCallerPrincipal() to
return "guest" instead of returning who is actually calling the bean. I list
the spec below that explains what should happen. Please, pay attention to the
bold parts:
3.5.2 Caller Authorization
A J2EE product must enforce the access control rules specified at deployment
time (see Section 3.6, ?Deployment Requirements?) and more fully described in
the EJB and Servlet specifications. It must be possible to configure a J2EE
product so that the propagated caller identity is used in authorization
decisions. This is, for all calls to all enterprise beans from a single
application within a single J2EE product, the principal name returned by the
EJBContext method getCallerPrincipal must be the same as that returned by the
first enterprise bean in the call chain. If the first enterprise bean in the
call chain is called by a servlet or JSP page, the principal name must be the
same as that returned by the HttpServletRequest method getUserPrincipal in the
calling servlet or JSP page. (However, if the HttpServletRequest method
getUserPrincipal returns null, the principal used in calls to enterprise beans
is not specified by this specification, although it must still be possible to
configure enterprise beans to be callable by such components.) Note that this
does not require delegation of credentials, only identification of the caller.
This principal must be the principal used in authorization decisions for access
to all enterprise beans in the call chain. The requirements in this paragraph
apply only when a J2EE product has been configured to propagate caller identity.
J2EE products may also provide other deployment modes or configuration options
in which the original caller identity is not propagated to all components in the
call chain. For instance, some enterprise beans may execute with their own
identity and corresponding privileges, and that identity may be made available
to other enterprise beans that they call.
If Orion does not implement this, then how do I get the same effect in Orion
because I can not find any documentation on it?
Thanks!
