Re: [jboss-as7-dev] The principal is not propagated to ejb session context
Dieter,
we have to test this scenario. There may be an issue with the
ejbContext.getCallerPrincipal() code. But I would not term this issue
as a *major* security issue. It would be major if you got a principal
when you are not supposed to.
Also I am unsure how your code can work because you need to prefix the
form-login-page with "/". AS7 throws error if the jsp is not starting
with a "/"
------------------------------
<login-config>
<auth-method>FORM</auth-method>
<form-login-config>
<form-login-page>/login.jsp</form-login-page>
<form-error-page>/login-error.jsp</form-error-page>
</form-login-config>
</login-config>
-----------------------------
Since you are using the standard FORM authentication, you do not need
the valve setting in jboss-web.xml. That is used only when you write
your own custom authenticator.
http://community.jboss.org/wiki/JBossAS7SecurityDomainModel
Regards,
Anil
On 10/14/2011 12:54 PM, Dieter Tengelmann wrote:
Major security bug or configuration problem?
The principal is not propagated to ejb session context. Is this a
known bug?
Or is anything wrong with my configuration? I've tested it with the
nightly build of 2010-10-08
jboss-web.xml:
--------
<security-domain
flushOnSessionInvalidation="true">myDomain</security-domain>
<valve>
<class-name>org.apache.catalina.authenticator.FormAuthenticator</class-name>
</valve>
---------
security-configuration in standalone.xml
----------
<security-domain name="myDomain">
<authentication>
<login-module
code="org.jboss.security.auth.spiDatabaseServerLoginModule"
flag="required">
<module-option name="debug" value="true" />
<module-option name="dsJndiName" value="java:/mydb" />
<module-option name="principalsQuery" value="SELECT passwd etc"
/>
<module-option name="rolesQuery" value="SELECT role etc." />
<module-option name="unauthenticatedIdentity" value="nobody"
/>
</login-module>
</authentication>
</security-domain>
Ejb session bean
-------------
@Stateless(name="MyService")
@TransactionManagement(TransactionManagementType.CONTAINER)
@org.jboss.ejb3.annotation.SecurityDomain(value = "myDomain")
public class MyServiceBean {
@Resource SessionContext ctx;
---------------------------
jboss.xml
----------------------
<security-domain>myDomain</security-domain>
----------------------
web.xml
----------------------------
<login-config>
<auth-method>FORM</auth-method>
<form-login-config>
<form-login-page>login.jsp</form-login-page>
<form-error-page>login-error.jsp</form-error-page>
</form-login-config>
</login-config>
----------------------------
With this configuration ctx.getCallerPrincipal() delivers "anonymous"
principal, and not the successful logged in one
If I remove security-domain from ejb session bean, I get a
javax.ejb.EJBException: java.lang.IllegalStateException: No principal
available
Is there a workaraound, where exactly is the principal propagated to
ejb. Can I use a customized class somewhere?
I've posted already in the forum, without success:
http://community.jboss.org/thread/173494
Attachments:
- attachment.html (text/html — 6.9 KB)