[jboss-user] [Security & JAAS/JBoss] - Re: Authentication in ejb container fails to use security do

clin1 do-not-reply at jboss.com
Mon Jun 15 13:48:00 EDT 2009


Thanks for your responses.
We tried JBoss 5.1.0GA and ran into exactly the same problem.
We also tried using <security-domain>FileNet</security-domain> as jaikiran mentioned, and the result was the same.

We could run the Java client application using the EJB transport without problems.
This problem only occurs when we use an application that connects to our application engine over the Web Services transport, which involves having the WSI listener propagate the security information to the EJB's security domain for authentication. Our WSI listener is implemented as a web servlet in the JBoss web container; it initially invokes FnClientLoginModule under the "FileNetP8Engine" application-policy, and the authentication against LDAP is then performed in the EJB container through the "FileNet" application-policy, which is defined as the EJB security domain in jboss.xml.

Here is the excerpt of the login-config.xml:

<?xml version="1.0" encoding="UTF-8"?>

<application-policy name="FileNetP8Engine">
  <login-module code="com.filenet.api.authentication.jboss.login.FnClientLoginModule" flag="required">
    <module-option name="multi-threaded">true</module-option>
  </login-module>
</application-policy>

<application-policy name="FileNet">
  <login-module code="org.jboss.security.auth.spi.LdapExtLoginModule" flag="required">
    <module-option name="java.naming.provider.url">ldap://ldaphost:389</module-option>
    <module-option name="java.naming.security.authentication">simple</module-option>
    <module-option name="allowEmptyPasswords">false</module-option>
    <module-option name="bindDN">cn=CEAdmin,ou=FileNet,dc=ldaphost,dc=com</module-option>
    <module-option name="bindCredential">password</module-option>
    <module-option name="baseCtxDN">dc=ldaphost,dc=com</module-option>
    <module-option name="baseFilter">(cn={0})</module-option>
    <module-option name="rolesCtxDN">dc=ldaphost,dc=com</module-option>
    <module-option name="roleFilter">(uniqueMember={0})</module-option>
    <module-option name="matchOnUserDN">true</module-option>
    <module-option name="roleAttributeID">cn</module-option>
    <module-option name="uidAttributeID">cn</module-option>
    <module-option name="roleAttributeIsDN">false</module-option>
  </login-module>
</application-policy>


This mechanism has been working in JBoss 4.0.5 and 4.2.x.

We will try to reproduce the problem in a sample application.

View the original post : http://www.jboss.org/index.html?module=bb&op=viewtopic&p=4237730#4237730

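The post hinges on whether the EJB security domain named in jboss.xml actually resolves to the "FileNet" application-policy in login-config.xml (jaikiran's suggestion to try the bare name versus the `java:/jaas/` form is exactly that question). The following script is an added example, not code from the post, from FileNet or from JBoss: it cross-checks a jboss.xml `<security-domain>` against the policies defined in login-config.xml, normalising the `java:/jaas/` prefix, and flags LdapExtLoginModule options that weaken the LDAP authentication. The two jboss.xml fragments and the login-config.xml excerpt are constructed for the example (modelled on the post's configuration, with the same placeholder bind credential); the `<authentication>` wrapper element is assumed from the standard login-config.xml layout, and the parser tolerates its absence.

```python
# Added example (not from the original post): cross-check the EJB security
# domain referenced from jboss.xml against the application-policies defined in
# login-config.xml, and flag LDAP login-module options that weaken authentication.
import xml.etree.ElementTree as ET

JAAS_PREFIX = "java:/jaas/"   # JNDI prefix JBoss binds security domains under
LDAP_EXT = "org.jboss.security.auth.spi.LdapExtLoginModule"

# Constructed login-config.xml excerpt modelled on the one in the post
# (bindCredential is a placeholder, as in the post).
LOGIN_CONFIG = """<?xml version="1.0" encoding="UTF-8"?>
<policy>
  <application-policy name="FileNetP8Engine">
    <authentication>
      <login-module code="com.filenet.api.authentication.jboss.login.FnClientLoginModule" flag="required">
        <module-option name="multi-threaded">true</module-option>
      </login-module>
    </authentication>
  </application-policy>
  <application-policy name="FileNet">
    <authentication>
      <login-module code="org.jboss.security.auth.spi.LdapExtLoginModule" flag="required">
        <module-option name="java.naming.provider.url">ldap://ldaphost:389</module-option>
        <module-option name="java.naming.security.authentication">simple</module-option>
        <module-option name="allowEmptyPasswords">false</module-option>
        <module-option name="bindDN">cn=CEAdmin,ou=FileNet,dc=ldaphost,dc=com</module-option>
        <module-option name="bindCredential">password</module-option>
        <module-option name="baseCtxDN">dc=ldaphost,dc=com</module-option>
        <module-option name="baseFilter">(cn={0})</module-option>
      </login-module>
    </authentication>
  </application-policy>
</policy>
"""

# Constructed jboss.xml fragments: one naming the domain with the JNDI prefix,
# one with a case typo that matches no defined policy.
JBOSS_XML_OK = """<?xml version="1.0"?>
<jboss><security-domain>java:/jaas/FileNet</security-domain></jboss>
"""
JBOSS_XML_BAD = """<?xml version="1.0"?>
<jboss><security-domain>java:/jaas/Filenet</security-domain></jboss>
"""


def policies(login_config_xml):
    """Map application-policy name -> list of (login-module code, {option: value})."""
    root = ET.fromstring(login_config_xml)
    result = {}
    for policy in root.iter("application-policy"):
        modules = []
        for lm in policy.iter("login-module"):   # works with or without <authentication>
            opts = {o.get("name"): (o.text or "").strip() for o in lm.iter("module-option")}
            modules.append((lm.get("code"), opts))
        result[policy.get("name")] = modules
    return result


def ejb_security_domain(jboss_xml):
    """Return the <security-domain> text from jboss.xml, or None if absent."""
    sd = ET.fromstring(jboss_xml).find("security-domain")
    return None if sd is None else (sd.text or "").strip()


def strip_jaas_prefix(domain):
    # "FileNet" and "java:/jaas/FileNet" name the same policy entry.
    return domain[len(JAAS_PREFIX):] if domain.startswith(JAAS_PREFIX) else domain


def ldap_findings(policy_name, modules):
    """Flag LdapExtLoginModule options that weaken authentication."""
    findings = []
    for code, opts in modules:
        if code != LDAP_EXT:
            continue
        # allowEmptyPasswords defaults to true: an empty password becomes an
        # anonymous simple bind on many directories, which "succeeds".
        if opts.get("allowEmptyPasswords", "true").lower() != "false":
            findings.append(f"{policy_name}: allowEmptyPasswords not set to false")
        # A simple bind over ldap:// sends the user's password in cleartext.
        if (opts.get("java.naming.security.authentication", "simple") == "simple"
                and opts.get("java.naming.provider.url", "").startswith("ldap://")):
            findings.append(f"{policy_name}: simple bind over plaintext ldap://")
    return findings


def check(jboss_xml, login_config_xml):
    """Return a list of findings; an empty list means the wiring is consistent."""
    domain = ejb_security_domain(jboss_xml)
    if domain is None:
        return ["jboss.xml: no <security-domain>; no JAAS domain is applied to EJB calls"]
    defined = policies(login_config_xml)
    name = strip_jaas_prefix(domain)
    if name not in defined:
        # JAAS resolves an unknown entry name to the "other" entry, not the intended one.
        return [f"jboss.xml: security-domain {domain!r} matches no application-policy "
                f"(defined: {sorted(defined)}); JAAS falls back to 'other'"]
    return ldap_findings(name, defined[name])


if __name__ == "__main__":
    for label, jb in (("ok", JBOSS_XML_OK), ("bad", JBOSS_XML_BAD)):
        print(label, check(jb, LOGIN_CONFIG) or "consistent")
```

Run it against the real `conf/login-config.xml` and the EJB jar's `META-INF/jboss.xml` by reading both files into the two string arguments of `check()`; a mismatch report means the EJB container is authenticating against whatever the `other` policy does rather than the intended LDAP module, which is the symptom worth ruling out first.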
