Only if not in a war

On 10 May 2013 at 23:56, "Louis" <loui...@comcast.net> wrote:
> I found that I'm getting a 403 because
> TomEERealm.hasResourcePermission()
> compares my logged-in role (Administrator) with the only security
> constraint that it has within its context (which is 'default'). I would
> have assumed that somehow the @DeclareRoles(value = {"Administrator"})
> would have also added a security constraint for 'Administrator'. But
> since only 'default' exists, the method returns false for hasRole().
>
> RealmBase.hasResourcePermission() (base class of TomEERealm)
> - roles == [default]
> - principal == GenericPrincipal[tomee(Administrator,)]
>
>     for (int j = 0; j < roles.length; j++) {
>         if (hasRole(null, principal, roles[j])) {
>             status = true;
>             if (log.isDebugEnabled())
>                 log.debug("Role found: " + roles[j]);
>         }
>         else if (log.isDebugEnabled())
>             log.debug("No role found: " + roles[j]);
>     }
>
> I then took a look to see how the security constraints are built. Below
> is the only reference I see to adding security roles (and is where the
> 'default' is coming from):
>
> TomcatWsRegistry.createNewContext(ClassLoader, String, String, String,
> String)
>
>     SecurityConstraint sc = new SecurityConstraint();
>     sc.addAuthRole("*");
>     sc.addCollection(collection);
>     sc.setAuthConstraint(true);
>     sc.setUserConstraint(transportGuarantee);
>     context.addConstraint(sc);
>     context.addSecurityRole("default");
>
> Could this have something to do with me deploying my webservice as a jar
> (and not within a war - defining constraints within web.xml)? How else
> would the WS's declared roles be added?
>
> --
> View this message in context:
> http://openejb.979440.n4.nabble.com/webservice-security-basic-auth-tp4662743p4662820.html
> Sent from the OpenEJB User mailing list archive at Nabble.com.
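
The role check described in the quoted message, as an added stand-alone model that is not part of the original thread and is not Tomcat or TomEE code. It assumes the "*" auth role is resolved to the security roles registered on the context (consistent with the roles == [default] value reported above); the class name, method names and the second scenario are hypothetical.

```java
import java.util.Set;

// Simplified model only: the real check lives in RealmBase.hasResourcePermission().
// Requires Java 9 or later for Set.of().
public class RoleCheckModel {

    // Assumption: "*" on the constraint means "every security role declared on the context".
    static Set<String> requiredRoles(Set<String> authRoles, Set<String> contextSecurityRoles) {
        return authRoles.contains("*") ? contextSecurityRoles : authRoles;
    }

    // Mirrors the quoted loop: access is granted if the principal holds any required role.
    static boolean hasResourcePermission(Set<String> principalRoles,
                                         Set<String> authRoles,
                                         Set<String> contextSecurityRoles) {
        boolean status = false;
        for (String role : requiredRoles(authRoles, contextSecurityRoles)) {
            if (principalRoles.contains(role)) {
                status = true;
            }
        }
        return status;
    }

    // Translate the boolean into the HTTP outcome the caller observes.
    static int httpStatus(boolean permitted) {
        return permitted ? 200 : 403;
    }

    public static void main(String[] args) {
        Set<String> principal = Set.of("Administrator"); // GenericPrincipal[tomee(Administrator,)]
        Set<String> authRoles = Set.of("*");             // sc.addAuthRole("*")

        // As deployed from the jar: context.addSecurityRole("default") is the only role.
        Set<String> asDeployed = Set.of("default");
        // Hypothetical context that also declares the role named in @DeclareRoles.
        Set<String> withDeclaredRole = Set.of("default", "Administrator");

        System.out.println("context roles " + asDeployed + " -> HTTP "
                + httpStatus(hasResourcePermission(principal, authRoles, asDeployed)));
        System.out.println("context roles " + withDeclaredRole + " -> HTTP "
                + httpStatus(hasResourcePermission(principal, authRoles, withDeclaredRole)));
    }
}
```

In this model the first case yields 403 and the second 200: the principal is authenticated in both, and the outcome depends only on which security roles the context has registered.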