tomee-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From David Blevins <>
Subject Re: Tomcat Servlet Filters (or Valves) and OpenEJB
Date Thu, 21 Jul 2011 09:17:06 GMT

On Jul 20, 2011, at 10:55 PM, rnieto wrote:

> Romain Manni-Bucau wrote:
>> Yep that what i said, webservices are deployed into a context created
>> called
>> "" so you can't modify it if it is not a global config. All configuration
>> managed are the one you can put into openejb-jar.xml.
>> I think jon suggessted to enhance OpenEJB.
>> @Jon: Am i wrong?
> This is just a clarification, as it was initially indicated that it would
> run filters. Should anyone else be reading this thread, they'd have a
> confirmation that indeed it doesn't do it. The explanation about it
> deploying on a different, non-configurable (outside OpenEJB) context was
> brought to light during the discussion.
> And my problem still persists, which Jon has indicated that this would need
> to be either:
> 1.) added to OpenEJB as an additional feature
> 2.) add it to the OpenEJB core and cxf library (which would be a guaranteed
> pain for someone who isn't a regular developer for OpenEJB).

We'll definitely need to fix this.  The web services should be added to the webapp itself.

> Too bad I'm restricted by time and probably can't wait for option 1, hope
> that I could move to another EE framework (but even that seems not doable
> with my timeframe).

I had a look at the SpnegoHttpFilter source and it seems the primary thing they're doing is
wrapping the HttpServletRequest with a SpnegoHttpServletRequest -- I'm guessing to alter the
behavior of the getUserPrincipal() method.

I did some digging into Tomcat on the various ways you can redirect and it looks like RequestDispatcher.forward()
will preserve the original http request and response.  So setting up the SpnegoHttpFilter
against a servlet (or another filter) that uses a RequestDispatcher.forward() to forward to
the webservice should do the trick.

That should get you the same service you would get in any other EE impl.

I think it could be better.  Wrapping the servlet request and overriding that one method isn't
going to get that totally unified "feel" as when you travel into EJB land which also has a
getCallerPrincipal method as well as method based security via @RolesAllowed, the "wrap the
servletrequest" trick isn't going to have any effect.

I hacked you up a little Spnego security service for OpenEJB based on our Tomcat security
service.  No reason to have OpenEJB setup to use the Tomcat security Realm APIs when Spnego
doesn't use them.  Better to have OpenEJB just use the work the SpnegoFilter did.  Not tested
but should work

Primary thing is to make sure the SpnegoSecurityServiceFilter is run after the SpnegoFilter.
 Then move this jar and the spnego jars into either the tomcat/lib/ dir or the tomcat/webapps/openejb/lib/

Hope this helps!


View raw message