From: "David Jencks (JIRA)"
To: dev@geronimo.apache.org
Date: Tue, 17 Jun 2008 10:01:45 -0700 (PDT)
Subject: [jira] Assigned: (GERONIMO-4119) request.isUserInRole("some-role") always return false after @EJB injection

[ https://issues.apache.org/jira/browse/GERONIMO-4119?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

David Jencks reassigned GERONIMO-4119:
--------------------------------------
    Assignee: David Jencks

> request.isUserInRole("some-role") always return false after @EJB injection
> --------------------------------------------------------------------------
>
>                 Key: GERONIMO-4119
>                 URL: https://issues.apache.org/jira/browse/GERONIMO-4119
>             Project: Geronimo
>          Issue Type: Bug
>      Security Level: public(Regular issues)
>          Components: OpenEJB, Tomcat, web
>    Affects Versions: 2.0.2
>         Environment: Geronimo 2.0.2 running on Debian Etch with Java 1.5.0_14
>            Reporter: Stig Even Larsen
>            Assignee: David Jencks
>            Priority: Blocker
>
> See mailing list discussion: http://www.nabble.com/request.isUserInRole%28%22some-role%22%29-always-return-false-after-%40EJB-injection-td17862975s134.html
>
> To recreate the malfunction you need to do the following:
>
> 1. Create an EAR with a local session bean and a war
>
> 2. Use the default console security realm (geronimo-admin) for protecting the {context-path}/protected/* area.
>    Create a new group named "partnergroup" and add the "system" user to it. Map the "partnergroup" to the partners role in the deployment descriptor (geronimo-web.xml).
>
> 3. Create a simple but form protected (j_security_check) *jsp* page, ex: {context-path}/protected/test.jsp.
>
> {code:title=/protected/test.jsp|borderStyle=solid}
> <%@page contentType="text/html" pageEncoding="UTF-8"%>
> <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"
>    "http://www.w3.org/TR/html4/loose.dtd">
> <html>
>     <head>
>         <title>JSP Test</title>
>     </head>
>     <body>
>         <h1>Role test</h1>
>         <%if(request.isUserInRole("partners")){%>
>             user is partner :)
>         <%}else{%>
>             user is NOT partner :(
>         <%}%>
>     </body>
> </html>
> {code}
>
> 4. Create a simple Session Bean (EJB) with a simple local method:
>
> {code:title=TimeUtilsBean.java|borderStyle=solid}
> @Stateless
> public class TimeUtilsBean implements TimeUtilsLocal {
>     public String getString() {
>         return "Hello from Stateless EJB!";
>     }
> }
> {code}
>
> 5. Create a simple but form protected (j_security_check) *Servlet* that uses the local EJB (ex: {context-path}/protected/info)
>
> {code:title=/protected/Info.java|borderStyle=solid}
> import java.io.*;
> import java.net.*;
> import javax.ejb.EJB;
> import javax.servlet.*;
> import javax.servlet.http.*;
> import javax.naming.*;
> import javax.annotation.security.*;
> import no.nimra.geronimo.test.TimeUtilsLocal;
> import no.nimra.nis.admin.ejb.*;
>
> @DeclareRoles({"administrators", "partners", "users"})
> public class Info extends HttpServlet {
>     @EJB
>     private TimeUtilsLocal timeUtilsBean;
>
>     protected void processRequest(HttpServletRequest request, HttpServletResponse response)
>             throws ServletException, IOException {
>         response.setContentType("text/html;charset=UTF-8");
>         PrintWriter out = response.getWriter();
>         out.println("SessionID: " + request.getRequestedSessionId());
>         System.out.println("Principal: " + request.getUserPrincipal().getName());
>         // Container role check: this is what comes back false once @EJB injection is present
>         if (request.isUserInRole("partners")) {
>             System.out.println("User has partners-role...");
>             out.println("User has partners-role...");
>         } else {
>             System.out.println("User has NOT partners-role...");
>             out.println("User has NOT partners-role...");
>         }
>         try {
>             out.println("<html>");
>             out.println("<head>");
>             out.println("<title>Servlet Info</title>");
>             out.println("</head>");
>             out.println("<body>");
>             out.println("<h1>" + request.getContextPath() + "</h1>");
>             if (request.getUserPrincipal() != null) {
>                 out.println("Principal: " + request.getUserPrincipal().getName());
>             }
>             out.println(timeUtilsBean.getString());
>             out.println("</body>");
>             out.println("</html>");
>         } finally {
>             out.close();
>         }
>     }
>
>     protected void doGet(HttpServletRequest request, HttpServletResponse response)
>             throws ServletException, IOException {
>         processRequest(request, response);
>     }
>
>     protected void doPost(HttpServletRequest request, HttpServletResponse response)
>             throws ServletException, IOException {
>         processRequest(request, response);
>     }
> }
> {code}
>
> Description:
>
> Access http://{context-path}/protected/test.jsp. After successful login you will see that your login has the "partners" role. As expected.
>
> If you access the servlet at http://{context-path}/protected/info you will notice that you do not have the "partners" role.
>
> If you remove the @EJB injection it behaves as expected.

-- 
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.