David...

Thanks for the reply... Here are some more specifics. I am working with Geronimo 1.1.1 and attempting to add role-based security to DayTrader (with the help of Surya Duggirala). He has added the necessary security tags to the web.xml and ejb-jar.xml and I am simply trying to figure out the deployment plans for Geronimo.

Thus far I have done the following...

Added the security realm to the <web-app> portion of the deployment plan to secure a URL in the web archive.
<security-realm-name>daytrader-realm</security-realm-name>

I have also added the following to the <openejb-jar> portion of the plan to secure one of the session EJBs.

      <security>
        <default-principal realm-name="daytrader-realm">
          <principal name="anonymous" class="org.apache.geronimo.security.realm.providers.GeronimoUserPrincipal"/>
        </default-principal>
        <role-mappings>
          <role role-name="grp1">
            <realm realm-name="daytrader-realm">
              <principal name="group1" class="org.apache.geronimo.security.realm.providers.GeronimoGroupPrincipal"/>
            </realm>
          </role>
        </role-mappings>
      </security>

When I access the secured URL, I am asked to provide my credentials as expected. So, that appears to be working correctly. However, I'm not really sure how to verify that my method level permissions on the secured Session bean are being respected.

I can access the session bean via a non-secured URL that bypasses the security configuration in the war. If the security configuration for my ejb was being used, I would expect some form of exception to be thrown when I try to access it via my non-secured URL (since I have not provided my credentials), but I do not. This leads me to believe that I'm missing something.

Any thoughts?

Thanks again...

Chris
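The principal-to-role mapping above is only half of the picture; the role-to-method mapping belongs in the spec descriptor (ejb-jar.xml). The following assembly-descriptor fragment is an added illustration, not code from the thread or from DayTrader; the bean name TradeEJB and the method names buy and getQuote are assumed for the example.

```xml
<!-- ejb-jar.xml (EJB 2.1 spec DD), <assembly-descriptor> fragment: role -> method mapping.
     The Geronimo plan (openejb-jar.xml) only maps realm principals onto the role names
     declared here; without entries like these no method is ever checked. -->
<assembly-descriptor>

  <!-- The role name must match role-name="grp1" in the Geronimo <role-mappings>. -->
  <security-role>
    <role-name>grp1</role-name>
  </security-role>

  <!-- Only callers mapped to grp1 may invoke buy(); the container throws
       java.rmi.AccessException (remote) or javax.ejb.AccessLocalException (local)
       to anyone else, including the "anonymous" default principal. -->
  <method-permission>
    <role-name>grp1</role-name>
    <method>
      <ejb-name>TradeEJB</ejb-name>    <!-- assumed bean name -->
      <method-name>buy</method-name>   <!-- assumed method name -->
    </method>
  </method-permission>

  <!-- Read-only method deliberately open to every caller. Methods with no entry at all
       are left to the deployer and in practice pass unchecked, so list what is open
       explicitly rather than relying on that default. -->
  <method-permission>
    <unchecked/>
    <method>
      <ejb-name>TradeEJB</ejb-name>
      <method-name>getQuote</method-name>   <!-- assumed method name -->
    </method>
  </method-permission>

  <!-- Methods no client may call at all; exclude-list overrides any method-permission. -->
  <exclude-list>
    <method>
      <ejb-name>TradeEJB</ejb-name>
      <method-name>resetTrade</method-name>   <!-- assumed method name -->
    </method>
  </exclude-list>

</assembly-descriptor>
```

To check that the bean-level permissions are enforced independently of the war's security-constraint, call buy() from a servlet that is not behind a constraint (so the caller is the anonymous default principal) and confirm the call fails with one of the two exceptions above; a call to getQuote() from the same place should succeed.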

On 5/14/07, David Jencks <david_jencks@yahoo.com> wrote:

On May 14, 2007, at 10:33 AM, Christopher Blythe wrote:

> Was wondering if there are any samples or tests for Geronimo that
> use role-based authentication for EJB methods?
>
> More specifically, I was wondering how to configure the role
> mappings in the Geronimo deployment plan. Most of the samples out
> there revolve around the war, but I have not found anything
> relating to the EJB jar.

The role>> permission mapping is specified in the spec dd or via
annotations.

The part in the geronimo plan is a principal<< role mapping which
works the same way for wars and ejb jars.

I don't know if there are easy to find examples.  If this doesn't
clear it up can you ask a more specific question?

thanks
david jencks

>
> Thanks...
>
> Chris
>
> --
> "I say never be complete, I say stop being perfect, I say let...
> lets evolve, let the chips fall where they may." - Tyler Durden

--
"I say never be complete, I say stop being perfect, I say let... lets evolve, let the chips fall where they may." - Tyler Durden