[jboss-user] [Security & JAAS/JBoss] - Simple JAAS authentication not working....
j0llyr0g3r
do-not-reply at jboss.com
Mon Jun 9 11:17:54 EDT 2008
Hey folks,
I am really becoming desperate with JBoss + JAAS.
I have a very simple RMI client which connects to a Stateless Session Bean running within JBoss 4.2.
This scenario works perfectly well. Now I want to secure access to my EJB by allowing only authenticated clients to call the EJB's method.
Based on the official documentation: http://docs.jboss.org/jbossas/jboss4guide/r1/html/ch8.chapter.html
I started out with the most simple authentication possible, using UsersRolesLoginModule as the login module:
* Create the file users.properties in the ejb-jar subproject under the directory META-INF:
    admin=secretadminpassword
    user=secretuserpassword
* Create the file roles.properties in the ejb-jar subproject under the directory META-INF:
    admin=adminRole
    user=userRole
* Add an ejb-jar.xml to the ejb-jar subproject under the directory META-INF:
    <ejb-jar>
      <assembly-descriptor>
        <security-role>
          <description>admin: only allowed users</description>
          <role-name>adminRole</role-name>
        </security-role>
        <security-role>
          <description>users: the rest</description>
          <role-name>userRole</role-name>
        </security-role>
        <method-permission>
          <!-- must match a declared security-role; as posted this read "admin" -->
          <role-name>adminRole</role-name>
          <method>
            <ejb-name>SendCommand</ejb-name>
            <method-name>*</method-name>
          </method>
        </method-permission>
      </assembly-descriptor>
    </ejb-jar>
* Add the file jboss.xml under the directory /$PROJECT-ROOT/META-INF:
    <jboss>
      <security-domain>java:/jaas/esf</security-domain>
      <enterprise-beans>
        <session>
          <ejb-name>SendCommand</ejb-name>
          <jndi-name>SendCommand</jndi-name>
        </session>
      </enterprise-beans>
    </jboss>
* Adjust the file login-config.xml under the directory $JBOSS_HOME/server/$PROFILE/conf/:
    <application-policy name="esf">
      <authentication>
        <login-module code="org.jboss.security.auth.spi.UsersRolesLoginModule" flag="required" />
      </authentication>
    </application-policy>
So far, so good....
If I rebuild my application and inspect the EAR's content, I see all the expected files there, meaning jboss.xml, users.properties etc....
But: I can still connect with my RMI client to my EJB even without giving credentials at all!
No error messages, no exceptions....
Any ideas what went wrong here?
Is there a way to check what JBoss sees as a security domain?
P.S.: JAAS may be great due to its modularity, but it is horrible, unbelievably horrible to configure for a JAAS beginner. This is an utter catastrophe; how long do I have to study JAAS to get a simple authentication working?
View the original post : http://www.jboss.com/index.html?module=bb&op=viewtopic&p=4156738#4156738
Reply to the post : http://www.jboss.com/index.html?module=bb&op=posting&mode=reply&p=4156738
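The three files from the post cross-checked against each other, as an added example that is not part of the original thread. It embeds constructed copies of users.properties, roles.properties and the ejb-jar.xml as originally posted (the method-permission naming `admin`) and reports role names that do not line up between the login module's files and the assembly descriptor.

```python
import xml.etree.ElementTree as ET

# Constructed copies of the files shown in the post, inlined so this runs offline.
USERS_PROPERTIES = "admin=secretadminpassword\nuser=secretuserpassword\n"
ROLES_PROPERTIES = "admin=adminRole\nuser=userRole\n"
EJB_JAR_XML = """<ejb-jar><assembly-descriptor>
  <security-role><role-name>adminRole</role-name></security-role>
  <security-role><role-name>userRole</role-name></security-role>
  <method-permission><role-name>admin</role-name>
    <method><ejb-name>SendCommand</ejb-name><method-name>*</method-name></method>
  </method-permission>
</assembly-descriptor></ejb-jar>"""


def parse_properties(text):
    """Minimal key=value reader: blank lines and '#' comments skipped, no escape handling."""
    pairs = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            key, _, value = line.partition("=")
            pairs[key.strip()] = value.strip()
    return pairs


def check_descriptor(users_text, roles_text, ejb_jar_text):
    """Return a list of findings; an empty list means the three files agree."""
    users = parse_properties(users_text)
    user_roles = parse_properties(roles_text)          # user -> "roleA,roleB"
    assigned = {r.strip() for v in user_roles.values() for r in v.split(",")}
    root = ET.fromstring(ejb_jar_text)
    declared = {sr.findtext("role-name", "").strip() for sr in root.iter("security-role")}
    findings = []
    for perm in root.iter("method-permission"):
        for role in (rn.text.strip() for rn in perm.iter("role-name")):
            if role not in declared:
                findings.append(f"method-permission uses undeclared role '{role}'")
            if role not in assigned:
                findings.append(f"no user in roles.properties holds role '{role}'")
    for user in users:                                  # password but no role mapping
        if user not in user_roles:
            findings.append(f"user '{user}' can log in but has no roles")
    for user in user_roles:                             # role mapping but no password
        if user not in users:
            findings.append(f"roles.properties names unknown user '{user}'")
    return findings


if __name__ == "__main__":
    for finding in check_descriptor(USERS_PROPERTIES, ROLES_PROPERTIES, EJB_JAR_XML):
        print(finding)
```

A role name in method-permission that matches nothing in security-role or roles.properties makes JBoss deny the call rather than allow it, so it does not by itself explain calls succeeding without credentials; that symptom is what you would expect when the security domain in jboss.xml is not being applied to the bean at all.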