[jboss-user] [Security & JAAS/JBoss] - 3.2.0 to 4.0.5 causes failure when trying to access secure E
pcarrollnf
do-not-reply at jboss.com
Mon Jan 22 14:22:53 EST 2007
I upgraded from JBoss 3.2.0 to 4.0.5. I am using FORM-based authentication. I have a custom login module that extends DatabaseServerLoginModule. I am able to log in to the web application correctly. All the correct roles are assigned to the user. However, when I access a secured method in one of my EJBs, the principal is null. Here is the error I am receiving:
java.rmi.AccessException: SecurityException; nested exception is: java.lang.SecurityException: Insufficient method permissions, principal=null, ejbName=IndexingManager, method=create, interface=HOME, requiredRoles=[INDEX], principalRoles=[ANONYMOUS, PARTNER]
It gives me the ANONYMOUS and PARTNER roles because these are the roles associated with the unauthenticatedIdentity.
Here is my login-config.xml:
<application-policy name="myRealm">
    <authentication>
        <login-module code="com.pcarrollnf.appserver.jboss.security.CustomLoginModule" flag="required">
            <module-option name="unauthenticatedIdentity">anonymous</module-option>
            <module-option name="dsJndiName">java:/jdbc/myRealm</module-option>
            <module-option name="principalsQuery">SELECT A.PASSWORD FROM USERS A WHERE A.IS_ENABLED = 1 AND A.USER_NAME = ? AND ( A.EXPIRATION_DATE IS NULL OR A.EXPIRATION_DATE >= ? )</module-option>
            <module-option name="rolesQuery">SELECT DISTINCT A.USER_NAME, C.ROLE_NAME FROM USER_GROUP A, ROLE_GROUP B, ROLES C WHERE A.USER_NAME = ? AND A.GROUP_ID = B.GROUP_ID AND B.ROLE_ID = C.ROLE_ID</module-option>
        </login-module>
    </authentication>
</application-policy>

I tried adding:
<login-module code = "org.jboss.security.ClientLoginModule" flag = "required"></login-module>
as the last login module in the myRealm policy, but this did not work.
Here is a snippet from my web.xml:
<login-config>
    <auth-method>FORM</auth-method>
    <realm-name>DefaultRealm</realm-name>
    <form-login-config>
        <form-login-page>/login.do</form-login-page>
        <form-error-page>/loginError.do</form-error-page>
    </form-login-config>
</login-config>

<security-role>
    <role-name>ADMIN</role-name>
</security-role>
<security-role>
    <role-name>CONFIG</role-name>
</security-role>
<security-role>
    <role-name>INDEX</role-name>
</security-role>
<security-role>
    <role-name>PUBLISH</role-name>
</security-role>
<security-role>
    <role-name>USER</role-name>
</security-role>
<security-role>
    <role-name>PARTNER</role-name>
</security-role>
<security-role>
    <role-name>ANONYMOUS</role-name>
</security-role>
Here is my ejb-jar.xml:
<ejb-jar>
    <enterprise-beans>

        <session>
            <ejb-name>IndexingManager</ejb-name>
            <home>com.pcarrollnf.indexing.api.IndexingManagerHome</home>
            <remote>com.pcarrollnf.indexing.api.IndexingManager</remote>
            <ejb-class>com.pcarrollnf.indexing.ejb.IndexingManagerBean</ejb-class>
            <session-type>Stateless</session-type>
            <transaction-type>Container</transaction-type>
            <ejb-local-ref>
                <ejb-ref-name>ejb/DocumentSchemaAttribute</ejb-ref-name>
                <ejb-ref-type>Entity</ejb-ref-type>
                <local-home>com.pcarrollnf.schema.ejb.DocumentLocalHome</local-home>
                <local>com.digitalpaper.pcarrollnf.ejb.DocumentLocal</local>
                <ejb-link>Document</ejb-link>
            </ejb-local-ref>

            <security-identity><use-caller-identity/></security-identity>
        </session>

    </enterprise-beans>

    <assembly-descriptor>
        <security-role>
            <role-name>INDEX</role-name>
        </security-role>

        <method-permission>
            <role-name>INDEX</role-name>
            <method>
                <ejb-name>IndexingManager</ejb-name>
                <method-name>*</method-name>
            </method>
        </method-permission>

        <container-transaction>
            <method>
                <ejb-name>IndexingManager</ejb-name>
                <method-name>*</method-name>
            </method>
            <trans-attribute>Required</trans-attribute>
        </container-transaction>
    </assembly-descriptor>
</ejb-jar>
Here is my jboss.xml:
<jboss>
    <security-domain>java:/jaas/myRealm</security-domain>
    <enterprise-beans>
        <session>
            <ejb-name>IndexingManager</ejb-name>
            <jndi-name>indexing/IndexingManager</jndi-name>
            <configuration-name>Standard Stateless SessionBean</configuration-name>
        </session>
    </enterprise-beans>
    <container-configurations>
        <container-configuration extends="Standard CMP 2.x EntityBean">
            <container-name>CMP 2.x and Cache</container-name>
            <commit-option>D</commit-option>
            <optiond-refresh-rate>300</optiond-refresh-rate>
        </container-configuration>
    </container-configurations>
</jboss>
Any help would be appreciated. If you need me to post more information, please let me know. Thanks.
View the original post : http://www.jboss.com/index.html?module=bb&op=viewtopic&p=4004955#4004955
Reply to the post : http://www.jboss.com/index.html?module=bb&op=posting&mode=reply&p=4004955