[jboss-user] [Security & JAAS/JBoss] - 3.2.0 to 4.0.5 causes failure when trying to access secure E

pcarrollnf do-not-reply at jboss.com
Mon Jan 22 14:22:53 EST 2007


I upgraded from JBoss 3.2.0 to 4.0.5. I am using FORM based authentication. I have a custom login module that extends DatabaseServerLoginModule. I am able to login to the web application correctly. All the correct roles are assigned to the user. However, when I access a secured method in one of my EJBs, the principal is null. Here is the error I am receiving:

java.rmi.AccessException: SecurityException; nested exception is: java.lang.SecurityException: Insufficient method permissions, principal=null, ejbName=IndexingManager, method=create, interface=HOME, requiredRoles=[INDEX], principalRoles=[ANONYMOUS, PARTNER]

It gives me the ANONYMOUS and PARTNER roles because these are the roles associated with the unauthenticatedIdentity.

Here is my login-config.xml:

    <application-policy name = "myRealm">
        <authentication>
            <login-module code="com.pcarrollnf.appserver.jboss.security.CustomLoginModule" flag="required">
                <module-option name = "unauthenticatedIdentity">anonymous</module-option>
                <module-option name = "dsJndiName">java:/jdbc/myRealm</module-option>
                <module-option name = "principalsQuery">SELECT A.PASSWORD FROM USERS A WHERE A.IS_ENABLED = 1 AND A.USER_NAME = ? AND ( A.EXPIRATION_DATE IS NULL OR A.EXPIRATION_DATE >= ? )</module-option>
                <module-option name = "rolesQuery">SELECT DISTINCT A.USER_NAME, C.ROLE_NAME FROM USER_GROUP A, ROLE_GROUP B, ROLES C WHERE A.USER_NAME = ? AND A.GROUP_ID = B.GROUP_ID AND B.ROLE_ID = C.ROLE_ID</module-option>
            </login-module>
        </authentication>
    </application-policy>

I tried adding:
<login-module code = "org.jboss.security.ClientLoginModule" flag = "required"></login-module>

as the last login module in the myRealm policy but this did not work.

Here is a snippet from my web.xml:

    <login-config>
        <auth-method>FORM</auth-method>
        <realm-name>DefaultRealm</realm-name>
        <form-login-config>
            <form-login-page>/login.do</form-login-page>
            <form-error-page>/loginError.do</form-error-page>
        </form-login-config>
    </login-config>

    <security-role>
        <role-name>ADMIN</role-name>
    </security-role>
    <security-role>
        <role-name>CONFIG</role-name>
    </security-role>
    <security-role>
        <role-name>INDEX</role-name>
    </security-role>
    <security-role>
        <role-name>PUBLISH</role-name>
    </security-role>
    <security-role>
        <role-name>USER</role-name>
    </security-role>
    <security-role>
        <role-name>PARTNER</role-name>
    </security-role>
    <security-role>
        <role-name>ANONYMOUS</role-name>
    </security-role>

Here is my ejb-jar.xml:

<ejb-jar>
    <enterprise-beans>

        <session>
            <ejb-name>IndexingManager</ejb-name>
            <home>com.pcarrollnf.indexing.api.IndexingManagerHome</home>
            <remote>com.pcarrollnf.indexing.api.IndexingManager</remote>
            <ejb-class>com.pcarrollnf.indexing.ejb.IndexingManagerBean</ejb-class>
            <session-type>Stateless</session-type>
            <transaction-type>Container</transaction-type>
            <ejb-local-ref>
                <ejb-ref-name>ejb/DocumentSchemaAttribute</ejb-ref-name>
                <ejb-ref-type>Entity</ejb-ref-type>
                <local-home>com.pcarrollnf.schema.ejb.DocumentLocalHome</local-home>
                <local>com.digitalpaper.pcarrollnf.ejb.DocumentLocal</local>
                <ejb-link>Document</ejb-link>
            </ejb-local-ref>

            <security-identity><use-caller-identity/></security-identity>
        </session>
    </enterprise-beans>

    <assembly-descriptor>
        <security-role>
            <role-name>INDEX</role-name>
        </security-role>

        <method-permission>
            <role-name>INDEX</role-name>
            <method>
                <ejb-name>IndexingManager</ejb-name>
                <method-name>*</method-name>
            </method>
        </method-permission>

        <container-transaction>
            <method>
                <ejb-name>IndexingManager</ejb-name>
                <method-name>*</method-name>
            </method>
            <trans-attribute>Required</trans-attribute>
        </container-transaction>
    </assembly-descriptor>
</ejb-jar>

Here is my jboss.xml:

<jboss>
    <security-domain>java:/jaas/myRealm</security-domain>
    <enterprise-beans>
        <session>
            <ejb-name>IndexingManager</ejb-name>
            <jndi-name>indexing/IndexingManager</jndi-name>
            <configuration-name>Standard Stateless SessionBean</configuration-name>
        </session>
    </enterprise-beans>
    <container-configurations>
        <container-configuration extends="Standard CMP 2.x EntityBean">
            <container-name>CMP 2.x and Cache</container-name>
            <commit-option>D</commit-option>
            <optiond-refresh-rate>300</optiond-refresh-rate>
        </container-configuration>
    </container-configurations>
</jboss>

Any help would be appreciated.  If you need me to post more information, please let me know.  Thanks.

View the original post : http://www.jboss.com/index.html?module=bb&op=viewtopic&p=4004955#4004955

Reply to the post : http://www.jboss.com/index.html?module=bb&op=posting&mode=reply&p=4004955
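The denial quoted in the post carries enough fields to tell apart two different failures: the caller identity never reached the EJB container (principal=null, and the roles are exactly those of the unauthenticatedIdentity) versus a real user who lacks the required role. The following triage helper is an added example, not code from the poster or from JBoss; it assumes the message layout quoted above and takes the unauthenticatedIdentity's roles (ANONYMOUS, PARTNER) from the post rather than from the database.

```python
import re

# Constructed sample: the SecurityException text quoted in the post.
SAMPLE = ("java.rmi.AccessException: SecurityException; nested exception is: "
          "java.lang.SecurityException: Insufficient method permissions, principal=null, "
          "ejbName=IndexingManager, method=create, interface=HOME, "
          "requiredRoles=[INDEX], principalRoles=[ANONYMOUS, PARTNER]")

# Roles the unauthenticatedIdentity ("anonymous") receives, as stated in the post (assumed).
UNAUTH_ROLES = {"ANONYMOUS", "PARTNER"}

# key=value pairs; a bracketed value is a role list, anything else runs to the next comma.
FIELD_RE = re.compile(r"(\w+)=(\[[^\]]*\]|[^,\s]+)")
MARKER = "Insufficient method permissions,"


def parse_denial(msg):
    """Return the fields of a JBoss 'Insufficient method permissions' message, or None."""
    if MARKER not in msg:
        return None
    fields = {}
    tail = msg.split(MARKER, 1)[1]
    for key, val in FIELD_RE.findall(tail):
        if val.startswith("["):
            fields[key] = {r.strip() for r in val[1:-1].split(",") if r.strip()}
        else:
            fields[key] = None if val == "null" else val
    return fields


def diagnose(msg, unauth_roles=UNAUTH_ROLES):
    """Classify the denial and list the roles the caller lacked."""
    f = parse_denial(msg)
    if f is None:
        return ("not_a_permission_denial", set())
    missing = f.get("requiredRoles", set()) - f.get("principalRoles", set())
    # No principal and only the anonymous roles: the web login did not propagate to the EJB call.
    if f.get("principal") is None and f.get("principalRoles") == unauth_roles:
        return ("caller_identity_not_propagated", missing)
    if missing:
        return ("authenticated_but_missing_roles", missing)
    return ("roles_present_check_method_permission", missing)


if __name__ == "__main__":
    kind, missing = diagnose(SAMPLE)
    print(kind, sorted(missing))
```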
