[jboss-user] [Security & JAAS/JBoss] - Problem accessing EJB unchecked method from a servlet (with

Plukh do-not-reply at jboss.com
Tue Jul 18 19:48:35 EDT 2006


Hello, I'm stuck at the following problem. I have one EJB module and two web apps inside a single ear. Relevant parts of configuration files follow:

From jboss.xml:

  | <security-domain>java:/jaas/db_store</security-domain>
  | 

From ejb-jar.xml:

  |         <method-permission>
  |             <unchecked/>
  |             <method>
  |                 <ejb-name>ModerEJB</ejb-name>
  |                 <method-intf>Home</method-intf>
  |                 <method-name>create</method-name>
  |             </method>
  |         </method-permission>
  | 

From jboss-web.xml #1:

  | <security-domain>java:/jaas/db_store</security-domain>
  | 

From jboss-web.xml #2:

  | <security-domain>java:/jaas/other</security-domain>
  | 

From login-config.xml:

  |     <application-policy name="db_store">
  |       <authentication>
  | 
  |         <login-module code="org.jboss.security.auth.spi.DatabaseServerLoginModule" flag="required">
  |           <module-option name="dsJndiName">
  |             DS/Standard
  |           </module-option>
  |           <module-option name="principalsQuery">
  |             SELECT usr_password FROM users WHERE usr_login = ?
  |           </module-option>
  |           <module-option name="rolesQuery">
  |             SELECT 'CommonUser', 'Roles' FROM users WHERE usr_login = ?
  |           </module-option>
  |           <module-option name="hashAlgorithm">SHA1</module-option>
  |           <module-option name="hashEncoding">hex</module-option>
  |           <module-option name="ignorePasswordCase">true</module-option>
  |           <module-option name="unauthenticatedIdentity">nobody</module-option>
  |         </login-module>
  |       </authentication>
  |     </application-policy>
  | 
  |     <application-policy name = "other">
  |        <authentication>
  |           <login-module code = "org.jboss.security.auth.spi.UsersRolesLoginModule"
  |              flag = "required">
  |               <module-option name="unauthenticatedIdentity">nobody</module-option>
  |           </login-module>
  |        </authentication>
  |     </application-policy>
  | 

The bean itself is constructed by a helper (BeanHelper), located inside the ejb module - don't know if it makes a difference.

Now, on to the problem. I have a servlet in web app #2, which tries to create a bean (by calling an unchecked create() method). Only authorised users have access to the servlet (through BASIC authorization, if it matters). When the call to create() is made, it fails with the following exception (parts skipped for clarity):


  | java.rmi.AccessException: SecurityException; nested exception is:
  |         javax.security.auth.login.FailedLoginException: No matching username found in Principals
  |         at org.jboss.ejb.plugins.LogInterceptor.handleException(LogInterceptor.java:388)
  |         at org.jboss.ejb.plugins.LogInterceptor.invokeHome(LogInterceptor.java:136)
  | ...
  |         at ru.singlecity.ejb.BeanHelper.getModerBean(BeanHelper.java:216)
  | ...
  | Caused by: javax.security.auth.login.FailedLoginException: No matching username found in Principals
  |         at org.jboss.security.auth.spi.DatabaseServerLoginModule.getUsersPassword(DatabaseServerLoginModule.java:152)
  |         at org.jboss.security.auth.spi.UsernamePasswordLoginModule.login(UsernamePasswordLoginModule.java:206)
  | ...
  |         at javax.security.auth.login.LoginContext.invoke(LoginContext.java:769)
  |         at javax.security.auth.login.LoginContext.access$000(LoginContext.java:186)
  |         at javax.security.auth.login.LoginContext$4.run(LoginContext.java:683)
  |         at java.security.AccessController.doPrivileged(Native Method)
  |         at javax.security.auth.login.LoginContext.invokePriv(LoginContext.java:680)
  |         at javax.security.auth.login.LoginContext.login(LoginContext.java:579)
  |         at org.jboss.security.plugins.JaasSecurityManager.defaultLogin(JaasSecurityManager.java:601)
  |         at org.jboss.security.plugins.JaasSecurityManager.authenticate(JaasSecurityManager.java:535)
  |         at org.jboss.security.plugins.JaasSecurityManager.isValid(JaasSecurityManager.java:344)
  |         at org.jboss.ejb.plugins.SecurityInterceptor.checkSecurityAssociation(SecurityInterceptor.java:211)
  |         at org.jboss.ejb.plugins.SecurityInterceptor.invokeHome(SecurityInterceptor.java:135)
  |         at org.jboss.ejb.plugins.LogInterceptor.invokeHome(LogInterceptor.java:132)
  |         ... 47 more
  | 

So - what am I doing wrong? The principal is already set (by the web app) and access to the method of the bean is set to unchecked... If the principal wasn't passed on to the EJB, it would've caused a different exception (see item #1 in the FAQ), but it didn't. Any help would be greatly appreciated!

With best regards,
Victor Denisov.

View the original post : http://www.jboss.com/index.html?module=bb&op=viewtopic&p=3958987#3958987

Reply to the post : http://www.jboss.com/index.html?module=bb&op=posting&mode=reply&p=3958987
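The stack trace above shows that SecurityInterceptor.checkSecurityAssociation authenticates the propagated principal against the bean's own domain (db_store, i.e. the DatabaseServerLoginModule) before the unchecked permission matters. The following Python model, added here and not part of the post or of JBoss, reproduces that step with the poster's exact module options (principalsQuery, rolesQuery, hashAlgorithm=SHA1, hashEncoding=hex, ignorePasswordCase=true) against a constructed in-memory users table; the user "alice" and the "Password Incorrect" wording are assumptions.

```python
import hashlib
import sqlite3

# Module options copied from the poster's login-config.xml ("db_store" domain).
PRINCIPALS_QUERY = "SELECT usr_password FROM users WHERE usr_login = ?"
ROLES_QUERY = "SELECT 'CommonUser', 'Roles' FROM users WHERE usr_login = ?"

# Constructed sample data: the only user known to the db_store database.
# Stored as a hex SHA1 digest, as hashAlgorithm=SHA1 / hashEncoding=hex imply.
SAMPLE_USERS = {"alice": hashlib.sha1(b"s3cret").hexdigest()}


class FailedLoginException(Exception):
    pass


def build_db():
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE users (usr_login TEXT PRIMARY KEY, usr_password TEXT)")
    con.executemany("INSERT INTO users VALUES (?, ?)", SAMPLE_USERS.items())
    return con


def db_store_login(con, principal, password):
    """Model of the DatabaseServerLoginModule check run on the propagated principal."""
    row = con.execute(PRINCIPALS_QUERY, (principal,)).fetchone()
    if row is None:
        # The branch the poster hits: a principal that was authenticated by the
        # "other" domain (UsersRolesLoginModule) has no row in the users table.
        raise FailedLoginException("No matching username found in Principals")
    expected = row[0]
    supplied = hashlib.sha1(password.encode()).hexdigest()
    # ignorePasswordCase=true only relaxes the case of the *hex digests*; the
    # clear-text password itself is still hashed case-sensitively.
    if supplied.lower() != expected.lower():
        raise FailedLoginException("Password Incorrect/Password Required")  # assumed wording
    # rolesQuery rows are (role, role-group); only the "Roles" group grants roles.
    return [r[0] for r in con.execute(ROLES_QUERY, (principal,)) if r[1] == "Roles"]


def call_unchecked_create(con, principal, password):
    """Emulates the order seen in the trace: authenticate first, then the unchecked
    permission would be consulted (so 'unchecked' never saves a failed login)."""
    try:
        db_store_login(con, principal, password)
        return "create() invoked"
    except FailedLoginException as e:
        return "java.rmi.AccessException: SecurityException; nested exception is: " + str(e)
```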
