[jboss-user] [Security & JAAS/JBoss] - unauthorized-principal not applied

Goodbyte do-not-reply at jboss.com
Wed May 27 09:02:26 EDT 2009


Hi...

I'm quite new to JBoss and JEE and tried to realize a very simple webshop to become familiar with both topics. The application is an EAR, containing a WAR and an EJB-part.
When I try to add security by adding the security-domain "java:jaas/webshop" to the WAR's jboss-web.xml and "webshop" to the EJB's jboss.xml[1], after defining the application-policy "webshop" in conf/login-config.xml, I can't call any (unprotected! no method-permission in ejb-jar.xml) EJBs anymore. If I try, I get a SecurityException, because the principal is null.
I expected the principal for unauthenticated users to be equal to the unauthenticated-principal in conf/standardjboss.xml, but it seems this is never applied.

Can anybody explain to me how I can use this unauthenticated-principal, or how to access my (unprotected) EJBs without discarding the security-domain?

  Stefan (after hours of googling)


[1]: Using "java:jaas/webshop" in jboss.xml causes a ClassCastException because "JaasSecurityManager cannot be cast to SecurityDomainContext". In https://jira.jboss.org/jira/browse/JBAS-4022 Erica Kane suggested leaving the prefix out.

View the original post : http://www.jboss.org/index.html?module=bb&op=viewtopic&p=4233602#4233602
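For reference, the three configuration fragments the post describes, written out as an added example (this is not the poster's configuration, nor code from the JBoss project). It assumes the stock UsersRolesLoginModule with two properties files named here for illustration, and it adds the `unauthenticatedIdentity` module option, which is the login-module setting in JBoss AS 4.x/5.x that assigns a named principal to callers who present no credentials instead of leaving the principal null. The jboss.xml entry omits the `java:/jaas/` prefix as the post's footnote describes; the JNDI-prefixed form in jboss-web.xml uses the `java:/jaas/` spelling that JBoss binds the domain under.

```xml
<!-- conf/login-config.xml: application-policy "webshop".
     Added example; the properties file names and the principal
     name "anonymous" are assumptions, not from the original post. -->
<application-policy name="webshop">
  <authentication>
    <login-module code="org.jboss.security.auth.spi.UsersRolesLoginModule"
                  flag="required">
      <module-option name="usersProperties">webshop-users.properties</module-option>
      <module-option name="rolesProperties">webshop-roles.properties</module-option>
      <!-- A caller with no credentials is given this principal and
           no roles. Unchecked EJB methods (no method-permission)
           become callable; methods with a method-permission still
           reject it because "anonymous" holds no role. -->
      <module-option name="unauthenticatedIdentity">anonymous</module-option>
    </login-module>
  </authentication>
</application-policy>

<!-- WAR: WEB-INF/jboss-web.xml -->
<jboss-web>
  <security-domain>java:/jaas/webshop</security-domain>
</jboss-web>

<!-- EJB jar: META-INF/jboss.xml (no JNDI prefix, per the post's footnote) -->
<jboss>
  <security-domain>webshop</security-domain>
</jboss>
```

The caveat a practitioner should keep in mind: once `unauthenticatedIdentity` is set, every caller that sends no credentials passes the authentication step, so the only thing standing between an anonymous caller and a business method is the method-permission table in ejb-jar.xml. Before enabling it, list every EJB method that must not be anonymous and make sure each has a method-permission (or an exclude-list entry), and verify with a client that sends no credentials that those methods are refused while the intended unprotected ones succeed.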
