geronimo-user mailing list archives

From "Ivan S. Dubrov" <>
Subject Problem with getCallerPrincipal().getName()
Date Fri, 10 Jun 2005 04:32:53 GMT

I wish to use J2EE security for both the Web module and the EJB module. So I configured a realm, mapped
principals to the security roles, and developed appropriate J2EE deployment descriptors. Declarative
role-based security works perfectly.

When it comes to programmatic security, I have problems determining the logged-in user name
in the EJB module. In the Web module everything is OK: I can call request.getUserPrincipal().getName()
and it returns the authorized user name (for example, "joe"). But when I try to get the user name from
the EJB with EJBContext.getCallerPrincipal().getName(), I get the following string:


I can only get the user group from this string, "manager", but not the user name. So it seems
to me that an important piece of information, the user identity, is lost while propagating the security
context from the Web module to the EJB module.

It looks to me like a design flaw.

Any comments on this? How can I overcome this problem? I do not want to pass the username as a
parameter to the EJB, since this is not secure (a user calling the EJB can pass somebody else's name).
Of course, in my case these calls can be performed only from the Web module, but anyway.

Ivan Dubrov
