<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
<meta content="text/html; charset=ISO-8859-1"
http-equiv="Content-Type">
</head>
<body text="#000000" bgcolor="#ffffff">
Dieter,<br>
we have to test this scenario. There may be an issue with the
ejbContext.getCallerPrincipal() code. But I would not term this
issue as a *major* security issue. It would be major if you got a
principal when you are not supposed to.<br>
<br>
Also, I am unsure how your code can work, because you need to prefix
the form-login-page with "/". AS7 throws an error if the JSP does not
start with a "/".<br>
<br>
------------------------------<br>
<login-config><br>
<auth-method>FORM</auth-method><br>
<form-login-config><br>
<form-login-page>/login.jsp</form-login-page><br>
<form-error-page>/login-error.jsp</form-error-page><br>
</form-login-config><br>
</login-config><br>
-----------------------------<br>
<br>
Since you are using the standard FORM authentication, you do not
need the valve setting in jboss-web.xml. That is used only when you
write your own custom authenticator.<br>
<a class="moz-txt-link-freetext" href="http://community.jboss.org/wiki/JBossAS7SecurityDomainModel">http://community.jboss.org/wiki/JBossAS7SecurityDomainModel</a><br>
<br>
Regards,<br>
Anil<br>
<br>
On 10/14/2011 12:54 PM, Dieter Tengelmann wrote:
<blockquote
cite="mid:CANr6=Dt+Q6_Du6NjHbFiWJ3F1yUfcpV9SPuekW=7_UXSaeeZ6w@mail.gmail.com"
type="cite">Major security bug or configuration problem?<br>
The principal is not propagated to ejb session context. Is this a
known bug?<br>
Or is anything wrong with my configuration? I've tested it with
the nightly build of 2010-10-08<br>
<br>
jboss-web.xml:<br>
--------<br>
<security-domain
flushOnSessionInvalidation="true">myDomain</security-domain><br>
<valve><br>
<class-name>org.apache.catalina.authenticator.FormAuthenticator</class-name><br>
</valve><br>
---------<br>
<br>
security-configuration in standalone.xml<br>
----------<br>
<security-domain name="myDomain"><br>
<authentication><br>
<login-module
code="org.jboss.security.auth.spi.DatabaseServerLoginModule"
flag="required"><br>
<module-option name="debug"
value="true" /><br>
<module-option name="dsJndiName"
value="java:/mydb" /><br>
<module-option
name="principalsQuery" value="SELECT passwd etc" /><br>
<module-option name="rolesQuery"
value="SELECT role etc." /><br>
<module-option
name="unauthenticatedIdentity" value="nobody"
/> <br>
</login-module><br>
</authentication><br>
</security-domain><br>
<br>
Ejb session bean<br>
-------------<br>
@Stateless(name="MyService")<br>
@TransactionManagement(TransactionManagementType.CONTAINER)<br>
@org.jboss.ejb3.annotation.SecurityDomain(value = "myDomain")<br>
public class MyServiceBean {<br>
<br>
<br>
@Resource SessionContext ctx;<br>
<br>
---------------------------<br>
<br>
jboss.xml<br>
----------------------<br>
<security-domain>myDomain</security-domain><br>
----------------------<br>
<br>
web.xml<br>
----------------------------<br>
<login-config><br>
<auth-method>FORM</auth-method><br>
<form-login-config><br>
<form-login-page>login.jsp</form-login-page><br>
<form-error-page>login-error.jsp</form-error-page><br>
</form-login-config><br>
</login-config><br>
----------------------------<br>
<br>
<br>
With this configuration ctx.getCallerPrincipal() delivers the
"anonymous" principal, and not the successfully logged-in one.<br>
<br>
If I remove the security-domain from the EJB session bean, I get a<br>
javax.ejb.EJBException: java.lang.IllegalStateException: No
principal available<br>
<br>
Is there a workaround? Where exactly is the principal propagated
to the EJB? Can I use a customized class somewhere?<br>
<br>
<br>
I've posted already in the forum, without success: <a
moz-do-not-send="true"
href="http://community.jboss.org/thread/173494">http://community.jboss.org/thread/173494</a><br>
</blockquote>
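<br>
Added example (not code from either message in this thread): a stateless session bean in the shape of Dieter's MyServiceBean, secured the way Anil's reply implies, i.e. FORM authentication in web.xml with the login page prefixed by "/", no valve in jboss-web.xml, and the same security domain "myDomain" on the bean. It lets the container enforce access declaratively and treats getCallerPrincipal() as information about the caller, not as proof of login, because the unauthenticatedIdentity="nobody" option in the quoted login module hands every unauthenticated call a Principal named "nobody". The package name, the role names "user" and "admin", and the method names are assumptions that do not appear in the thread.<br>
<br>
```java
// Added example, not from the original thread. Assumes the security domain
// "myDomain" from the thread; the package, role names and method names are
// constructed for illustration.
package example;

import java.security.Principal;
import javax.annotation.Resource;
import javax.annotation.security.RolesAllowed;
import javax.ejb.EJBAccessException;
import javax.ejb.SessionContext;
import javax.ejb.Stateless;
import org.jboss.ejb3.annotation.SecurityDomain;

@Stateless(name = "MyService")
@SecurityDomain("myDomain")
public class MyServiceBean {

    @Resource
    private SessionContext ctx;

    // Container-enforced authorization: a web request that has not passed
    // FORM authentication (web.xml, form-login-page "/login.jsp") never
    // reaches this method, whatever getCallerPrincipal() would return.
    @RolesAllowed("user")
    public String whoAmI() {
        Principal caller = ctx.getCallerPrincipal();
        // Defensive check. With unauthenticatedIdentity="nobody" in the
        // login module, an unauthenticated caller still carries a Principal
        // named "nobody", and the thread shows "anonymous" being delivered
        // when propagation fails, so a non-null principal alone does not
        // prove a successful login. Fail closed in both cases.
        if (caller == null
                || "anonymous".equals(caller.getName())
                || "nobody".equals(caller.getName())) {
            throw new EJBAccessException("no authenticated caller principal");
        }
        return caller.getName();
    }

    // Role decision taken from the container rather than from the
    // principal name; "admin" is a constructed role name.
    @RolesAllowed("user")
    public boolean callerIsAdmin() {
        return ctx.isCallerInRole("admin");
    }
}
```
<br>
The point of the explicit check in whoAmI() is that a bean should never treat "I got a Principal back" as "someone logged in": with the quoted configuration an unauthenticated caller and a broken propagation both yield a named principal, and only @RolesAllowed plus a role that the rolesQuery actually assigns keeps such callers out.<br>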
</body>
</html>