[jboss-user] [Security & JAAS/JBoss] - @RolesAllowed ignored?

jjonphl do-not-reply at jboss.com
Wed Sep 12 02:16:42 EDT 2007


I am using JBoss 4.2.1.GA. I have the following session bean:


  | import java.io.Serializable;
  | import javax.annotation.security.RolesAllowed;
  | import javax.ejb.Remote;
  | import javax.ejb.Stateless;
  | 
  | @RolesAllowed({"authenticated"})
  | @Stateless
  | @Remote({AccountRDAO.class})
  | public class AccountRDAOAction extends RDAOAction
  |     implements AccountRDAO, Serializable
  | {
  | 
  | ...
  | 
  | }
  | 

I defined the following policy in login-config.xml:


  | <application-policy name="mypolicy">
  |    <authentication>
  |       <login-module code="org.jboss.security.auth.spi.DatabaseServerLoginModule"
  |                     flag="required">
  |          <module-option name="unauthenticatedIdentity">anonymous</module-option>
  |          <module-option name="dsJndiName">java:/itranscribe-ds</module-option>
  |          <module-option name="principalsQuery">select password from logins where username=?</module-option>
  |          <module-option name="rolesQuery">
  |              select 'authenticated' as Role, 'Roles' as RoleGroup where length(?) > 0
  |          </module-option>
  |       </login-module>
  |    </authentication>
  | </application-policy>
  | 

It is driving me nuts that I can still access the methods of the supposedly protected bean. I tried annotating the methods, and still the same.

Thanks,
M. Manese

View the original post : http://www.jboss.com/index.html?module=bb&op=viewtopic&p=4083279#4083279

Reply to the post : http://www.jboss.com/index.html?module=bb&op=posting&mode=reply&p=4083279
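As an added example (not code from the original post or from the JBoss project), here is the posted bean with the one annotation JBoss AS 4.2 EJB3 needs before it will enforce @RolesAllowed at all. In 4.2 the EJB3 authentication and authorization interceptors are only installed for a bean that is bound to a security domain, either with org.jboss.annotation.security.SecurityDomain or with a <security-domain> element for that bean in META-INF/jboss.xml; a bean that carries @RolesAllowed but no domain is deployed with every method open, which matches what the post describes. AccountRDAO and RDAOAction are the post's own types and are assumed to exist unchanged; the injected SessionContext and the whoAmI method are hypothetical additions used to confirm the wiring from a client.

```java
import java.io.Serializable;

import javax.annotation.Resource;
import javax.annotation.security.RolesAllowed;
import javax.ejb.Remote;
import javax.ejb.SessionContext;
import javax.ejb.Stateless;

// JBoss-specific annotation (JBoss AS 4.2, jboss-ejb3x.jar / jboss-annotations-ejb3.jar).
import org.jboss.annotation.security.SecurityDomain;

@Stateless
@Remote({AccountRDAO.class})
// Binds the bean to <application-policy name="mypolicy"> from login-config.xml.
// Without this (or <security-domain>mypolicy</security-domain> for the bean in
// jboss.xml) JBoss 4.2 installs no security interceptor and @RolesAllowed is ignored.
@SecurityDomain("mypolicy")
// Class-level default: every business method requires the "authenticated" role.
@RolesAllowed({"authenticated"})
public class AccountRDAOAction extends RDAOAction implements AccountRDAO, Serializable {

    // Hypothetical addition: the container injects the caller's security context.
    @Resource
    private SessionContext ctx;

    // Hypothetical diagnostic method. If the domain is wired, an unauthorized caller
    // is rejected with javax.ejb.EJBAccessException before this body runs; a caller
    // that does get here reports the principal the container actually resolved.
    public String whoAmI() {
        return ctx.getCallerPrincipal().getName()
             + " inRole(authenticated)=" + ctx.isCallerInRole("authenticated");
    }
}
```

Two things to check once the domain is bound. First, a remote client that never logged in through the ClientLoginModule should now get EJBAccessException from every business method; if it still gets through, the annotation is not being seen (wrong package, or the bean is deployed in a way that bypasses the EJB3 deployer). Second, the posted rolesQuery hands out the "authenticated" role to any non-empty username, and because the policy sets unauthenticatedIdentity to "anonymous", callers with no credentials are logged in as "anonymous" and the same query runs for them, so they receive "authenticated" too. To make the role mean "has a row in logins", either drop the unauthenticatedIdentity option or have the rolesQuery join against the logins table by username instead of testing length(?).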



More information about the jboss-user mailing list