[jboss-user] [EJB 3.0] - @SecurityDomain with custom login module fails with EJB3

Wolfgang Knauf do-not-reply at jboss.com
Tue Oct 10 15:51:55 EDT 2006


Hi everybody,

I ran into a problem with an EJB using a custom security domain.

My sample:
- I created a custom login module (subclass of org.jboss.security.auth.spi.UsernamePasswordLoginModule).
- "login-config.xml" at server\default\conf contains this application-policy:
<application-policy name="knaufsecurity">
    <authentication>
        <login-module code="de.fhw.swtvertiefung.knauf.security.loginmodule.KundeAdministratorLoginModule"
                      flag="required">
        </login-module>
    </authentication>
</application-policy>

In an EJB 2.1 environment I could secure my bean with this entry in jboss.xml in the EJB jar:
<security-domain>java:/jaas/knaufsecurity</security-domain>

For my EJB3 bean I added this annotation (stateless session bean):
@org.jboss.annotation.security.SecurityDomain(value="java:/jaas/knaufsecurity")

My web project is also secured, by declaring the security domain in jboss-web.xml, and this works!

But for the ejb project: if I try to access a method with an annotation "@RolesAllowed", this exception is logged:

21:12:50,140 ERROR [UsersRolesLoginModule] Failed to load users/passwords/role files
java.io.IOException: No properties file: users.properties or defaults: defaultUsers.properties found
	at org.jboss.security.auth.spi.Util.loadProperties(Util.java:313)
	at org.jboss.security.auth.spi.UsersRolesLoginModule.loadUsers(UsersRolesLoginModule.java:186)
	at org.jboss.security.auth.spi.UsersRolesLoginModule.createUsers(UsersRolesLoginModule.java:200)
	at org.jboss.security.auth.spi.UsersRolesLoginModule.initialize(UsersRolesLoginModule.java:127)
	at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
	at sun.reflect.NativeMethodAccessorImpl.invoke(Unknown Source)
	at sun.reflect.DelegatingMethodAccessorImpl.invoke(Unknown Source)
	at java.lang.reflect.Method.invoke(Unknown Source)
	at javax.security.auth.login.LoginContext.invoke(Unknown Source)
	at javax.security.auth.login.LoginContext.access$000(Unknown Source)
	at javax.security.auth.login.LoginContext$4.run(Unknown Source)
	at java.security.AccessController.doPrivileged(Native Method)
	at javax.security.auth.login.LoginContext.invokePriv(Unknown Source)
	at javax.security.auth.login.LoginContext.login(Unknown Source)
	at org.jboss.security.plugins.JaasSecurityManager.defaultLogin(JaasSecurityManager.java:601)
	at org.jboss.security.plugins.JaasSecurityManager.authenticate(JaasSecurityManager.java:535)
	at org.jboss.security.plugins.JaasSecurityManager.isValid(JaasSecurityManager.java:344)
	at org.jboss.aspects.security.AuthenticationInterceptor.authenticate(AuthenticationInterceptor.java:124)
	at org.jboss.aspects.security.AuthenticationInterceptor.invoke(AuthenticationInterceptor.java:67)
	at org.jboss.ejb3.security.Ejb3AuthenticationInterceptor.invoke(Ejb3AuthenticationInterceptor.java:131)
	at org.jboss.aop.joinpoint.MethodInvocation.invokeNext(MethodInvocation.java:101)
	at org.jboss.ejb3.ENCPropagationInterceptor.invoke(ENCPropagationInterceptor.java:47)
	at org.jboss.aop.joinpoint.MethodInvocation.invokeNext(MethodInvocation.java:101)
	at org.jboss.ejb3.asynchronous.AsynchronousInterceptor.invoke(AsynchronousInterceptor.java:106)
	at org.jboss.aop.joinpoint.MethodInvocation.invokeNext(MethodInvocation.java:101)
	at org.jboss.ejb3.stateless.StatelessContainer.dynamicInvoke(StatelessContainer.java:263)
	at org.jboss.ejb3.remoting.IsLocalInterceptor.invoke(IsLocalInterceptor.java:58)
	at org.jboss.aop.joinpoint.MethodInvocation.invokeNext(MethodInvocation.java:101)
	at org.jboss.ejb3.stateless.StatelessRemoteProxy.invoke(StatelessRemoteProxy.java:102)
	at $Proxy96.forAdminOnly(Unknown Source)
....


So this pointed me to a workaround: I modified "login-config.xml" and replaced the login-module declaration in the "other" policy.
<application-policy name="other">
    <authentication>
        <login-module code="de.fhw.swtvertiefung.knauf.security.loginmodule.KundeAdministratorLoginModule"
                      flag="required">
        </login-module>
    </authentication>
</application-policy>

Now it works, but it seems either I did something wrong in declaring the EJB security domain, or there is a bug in the implementation.

Could someone clarify this?

Thanks

Wolfgang Knauf

View the original post : http://www.jboss.com/index.html?module=bb&op=viewtopic&p=3977356#3977356
