From: "Ivan S. Dubrov"
Date: Fri, 10 Jun 2005 08:32:53 +0400 (MSD)
To: user@geronimo.apache.org
Subject: Problem with getCallerPrincipal().getName()

Hello,

I wish to use J2EE security for both the Web module and the EJB module. So I configured a realm, mapped principals to the security roles, and developed the appropriate J2EE deployment descriptors. Declarative role-based security works perfectly.

When it comes to programmatic security, I have problems determining the logged-in user name in the EJB module. In the Web module everything is OK: I can call request.getUserPrincipal().getName() and it returns the authorized user name (for example, "joe"). But when I try to get the user name from the EJB with EJBContext.getCallerPrincipal().getName(), I get the following string:

"MyRealm:[org.apache.geronimo.security.realm.providers.GeronimoGroupPrincipal:manager]"

I can only get the user group from this string, "manager", but not the user name. So it seems to me that an important piece of information, the user identity, is lost while propagating the security context from the Web module to the EJB module. It looks to me like a design flaw.

Any comments on this? How can I overcome this problem? I do not want to pass the username as a parameter to the EJB, since this is not secure (a user calling the EJB can pass somebody else's name). Of course, in my case these calls can be performed only from the Web module, but anyway.

Ivan Dubrov