3

In my EJB 3 I try to test for the roles of the principal but it always returns false.

In my WebLogic 11g Console I defined under "MyDomain" -> "Security Realms" -> "myrealm" -> "Users and Groups" 3 users (user1, user2 & user3) and 2 groups (role1 & role2); role1 has user1 & user3, role2 has user2 & user3.
My EJB has no further security defined (no @RolesAllowed, etc. or entries in DDs).

When I test in my EJB for the presence of roles with `sessionContext.isCallerInRole(role);` it always returns false. If I call `sessionContext.getCallerPrincipal().getName();` I do get the correct user ID.

What am I doing wrong?

Koohoolinn
  • It might help to know which exact version of Weblogic 11g you have. I have recent, sharp, and unpleasant experience that EJB and Jax-Ws behavior and bugs are sharply different between the various editions of Weblogic labeled 10.3.0, 10.3.1, 10.3.3 and 10.3.4, all but the first labeled 11g. – mezmo Mar 11 '11 at 15:24
  • It's `WebLogic Server Version: 10.3.4.0` – Koohoolinn Mar 11 '11 at 15:28

2 Answers

0

If your sessionContext is injected, specifying the authentication Type as Container in the @Resource annotation worked for me. E.g.:

```java
// AuthenticationType is the nested enum javax.annotation.Resource.AuthenticationType
@Resource(authenticationType=AuthenticationType.CONTAINER)
private SessionContext sessionCtx;
```

ROMANIA_engineer
0

Have you declared your role using either @DeclareRoles or ? If I read the spec correctly section 17.2.5.3 seems to mandate that you have to declare any role names that you use when calling isCallerInRole() through one or the other mechanism.

Petri Pellinen
  • You seem to be correct. The docs all say to add `@DeclareRoles()` or specify them in the descriptor. But even when I add `@DeclareRoles({ "role1", " role2" })` it doesn't work. – Koohoolinn Mar 15 '11 at 13:15
  • Additionally, to make this work I had to change the Security Model for the EAR to "CustomRoles". I did this by changing the security realm default setting but you could also do it in the deployer. Also, obviously I created a global role in the admin console that has the same name as the role name referenced in the EJB and has a role condition that maps to the group that a user has to belong to in order to have the role. – Petri Pellinen Mar 18 '11 at 14:18
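
The pieces discussed in this thread, put together as an added example that is not code from any of the posts: a bean that declares `role1` and `role2` with `@DeclareRoles`, reports what the container answers for each, and fails closed on a programmatic check. The names `RoleProbe` and `RoleProbeBean` are hypothetical, and the roles are assumed to be mapped to the realm groups on the server side as described in the last comment.

```java
import javax.annotation.Resource;
import javax.annotation.security.DeclareRoles;
import javax.ejb.EJBAccessException;
import javax.ejb.Local;
import javax.ejb.SessionContext;
import javax.ejb.Stateless;

// Hypothetical business interface; in a real project this would be a
// public interface in its own file.
@Local
interface RoleProbe {
    String describeCaller();
    void requireRole(String role);
}

// Hypothetical bean; role1 and role2 are the names used in the question.
@Stateless
@DeclareRoles({"role1", "role2"})
public class RoleProbeBean implements RoleProbe {

    // Only names listed in @DeclareRoles are passed to isCallerInRole().
    private static final String[] DECLARED = {"role1", "role2"};

    @Resource
    private SessionContext sessionContext;

    // Caller name followed by the container's answer for each declared role.
    // A realm group does not count as a role until the role is mapped to it.
    public String describeCaller() {
        StringBuilder sb = new StringBuilder(sessionContext.getCallerPrincipal().getName());
        for (String role : DECLARED) {
            sb.append(' ').append(role).append('=').append(sessionContext.isCallerInRole(role));
        }
        return sb.toString();
    }

    // Programmatic check that fails closed when the role is not granted.
    public void requireRole(String role) {
        if (!sessionContext.isCallerInRole(role)) {
            throw new EJBAccessException("caller lacks role " + role);
        }
    }
}
```

Calling `describeCaller()` as each of the three users shows whether the group-to-role mapping is in effect before any business method relies on `requireRole`.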