
I want to create a simple login module which authenticates users so they can, through a servlet using the WebLogic client, access EJB methods annotated with @RolesAllowed. As you probably noted, I have two separate tiers - one with a webapp (Tomcat) and one containing business logic (WebLogic).

Generally speaking, I followed this JAAS tutorial (setting things accordingly).

According to the answer to this question, the principals should be propagated to the business tier (even with the tiers on separate machines?).

However, what I'm getting is an error page with following header: HTTP Status 500 - [EJB:010160]Security violation: User <anonymous> has insufficient permission to access EJB type=<ejb>

Also, I created corresponding roles in the WebLogic console.

Some tests from the servlet's GET method (without calling the bean's annotated method):

request.getUserPrincipal().getName(): ADMIN
request.getParameter("role"): null
request.isUserInRole("admins"): true

(request is obtained from the argument @Context HttpServletRequest request)

Is there any additional thing to do to make it work? Or is it sufficient but there may be an error somewhere?

Let me also point out that I'm quite new to creating Java EE applications.

Help appreciated

adasadasik

1 Answer


The integration of security information between a servlet container and an EJB container is vendor specific. The question that you cited refers to remote calls between containers from the same vendor.

In your case, you have two different vendors - Apache Tomcat and Oracle WebLogic. Therefore, you are going to have more work to do.

You don't state which version of WebLogic you're using; however, the article Using JAAS Authentication in Java Clients describes the additional steps you need to take in order to correctly propagate the security context from Tomcat to WebLogic 11g. You will likely be able to find similar information for other WebLogic versions.

Steve C
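The following is an added example illustrating the answer's point; it is not code from the question, the answer, or Oracle's documentation. Tomcat's container login gives the servlet a Tomcat principal ("ADMIN") that WebLogic knows nothing about, which is why the EJB container sees <anonymous>. The servlet therefore has to obtain a WebLogic credential for the user, perform a JAAS login against WebLogic, and make the remote EJB call under that Subject with weblogic.security.Security.runAs. The JAAS entry name "WebLogic", the server URL t3://wls-host:7001, the JNDI name and remote interface com.example.Reporting, the role "admins", and the session attribute holding the user's WebLogic password are all assumptions for the example.

```java
// Added example (not from the page). Assumes the WebLogic client jar is on Tomcat's classpath
// and that Tomcat is started with -Djava.security.auth.login.config=<file> containing:
//
//   WebLogic {
//     weblogic.security.auth.login.UsernamePasswordLoginModule required debug=false;
//   };
//
import java.io.IOException;
import java.security.PrivilegedAction;
import java.util.Arrays;
import java.util.Hashtable;
import javax.naming.Context;
import javax.naming.InitialContext;
import javax.naming.NamingException;
import javax.security.auth.Subject;
import javax.security.auth.callback.*;
import javax.security.auth.login.LoginContext;
import javax.security.auth.login.LoginException;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import weblogic.security.Security;
import weblogic.security.auth.callback.URLCallback;
import com.example.Reporting;   // hypothetical remote EJB interface from the WebLogic tier

public class ReportServlet extends HttpServlet {

    private static final String WLS_URL = "t3://wls-host:7001";                       // assumption
    private static final String EJB_JNDI = "ejb/ReportingBean#com.example.Reporting"; // assumption
    private static final String JAAS_ENTRY = "WebLogic";                              // assumption

    /** Feeds user name, password and the server URL to UsernamePasswordLoginModule. */
    static final class WlsCallbackHandler implements CallbackHandler {
        private final String user;
        private final char[] password;
        WlsCallbackHandler(String user, char[] password) { this.user = user; this.password = password; }

        @Override
        public void handle(Callback[] callbacks) throws UnsupportedCallbackException {
            for (Callback cb : callbacks) {
                if (cb instanceof NameCallback) {
                    ((NameCallback) cb).setName(user);
                } else if (cb instanceof PasswordCallback) {
                    ((PasswordCallback) cb).setPassword(password);
                } else if (cb instanceof URLCallback) {
                    ((URLCallback) cb).setURL(WLS_URL);   // WebLogic-specific callback: where to log in
                } else {
                    throw new UnsupportedCallbackException(cb, "Unrecognized callback");
                }
            }
        }
    }

    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        // Tomcat's own authentication already ran, but this principal is local to Tomcat.
        if (req.getUserPrincipal() == null || !req.isUserInRole("admins")) {
            resp.sendError(HttpServletResponse.SC_FORBIDDEN);
            return;
        }
        String user = req.getUserPrincipal().getName();
        // Assumption: the webapp's own login code captured the user's password and kept it in
        // the session, because Tomcat's form login does not retain it for you. Treat it as a
        // secret: wipe it when done and only send it over t3s (TLS) in production.
        char[] wlsPassword = (char[]) req.getSession().getAttribute("wls.password");
        if (wlsPassword == null) {
            resp.sendError(HttpServletResponse.SC_UNAUTHORIZED, "No WebLogic credential for user");
            return;
        }
        try {
            LoginContext lc = new LoginContext(JAAS_ENTRY, new WlsCallbackHandler(user, wlsPassword.clone()));
            lc.login();                          // LoginException if WebLogic rejects the credential
            Subject subject = lc.getSubject();
            // Everything inside runAs executes as the WebLogic Subject; the InitialContext created
            // there carries that identity, so @RolesAllowed on the bean sees the real user.
            String report = (String) Security.runAs(subject, new PrivilegedAction<Object>() {
                public Object run() {
                    try {
                        Context ctx = new InitialContext(wlsEnv());
                        Reporting bean = (Reporting) ctx.lookup(EJB_JNDI);
                        return bean.generateReport();      // hypothetical @RolesAllowed("admins") method
                    } catch (NamingException e) {
                        throw new IllegalStateException("JNDI lookup failed", e);
                    }
                }
            });
            lc.logout();
            resp.getWriter().println(report);
        } catch (LoginException e) {
            resp.sendError(HttpServletResponse.SC_UNAUTHORIZED, "WebLogic login failed");
        }
    }

    /** JNDI environment for the WebLogic client; no credentials here, the Subject supplies them. */
    private static Hashtable<String, String> wlsEnv() {
        Hashtable<String, String> env = new Hashtable<>();
        env.put(Context.INITIAL_CONTEXT_FACTORY, "weblogic.jndi.WLInitialContextFactory");
        env.put(Context.PROVIDER_URL, WLS_URL);
        return env;
    }
}
```

Two points worth checking when wiring this up. First, if the EJB call is made outside Security.runAs (or the LoginContext is never used), the WebLogic client connects anonymously and you get exactly the [EJB:010160] "User <anonymous>" error from the question, even though request.getUserPrincipal() looks right on the Tomcat side. Second, a simpler variant is to put Context.SECURITY_PRINCIPAL and Context.SECURITY_CREDENTIALS into the InitialContext environment, which also authenticates the user to WebLogic for the calls made through that context; either way the servlet tier must hold a credential that WebLogic accepts, and the WebLogic roles mapped to @RolesAllowed must contain that WebLogic user, not the Tomcat one.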