Hi Dieter,
  as mentioned in thread http://community.jboss.org/thread/173494,  I see that Carlo/Darran have a test case in our testsuite to test this scenario.

Have a look at the provided links.

Regards,
Anil

On 10/14/2011 01:43 PM, Anil Saldhana wrote:
Dieter,
  we have to test this scenario. There may be an issue with the ejbContext.getCallerPrincipal() code.  But I would not term this issue as a *major* security issue.  It would be major if you got a principal when you are not supposed to.

Also I am unsure how your code can work, because you need to prefix the form-login-page with "/". AS7 throws an error if the JSP does not start with a "/".

------------------------------
<login-config>
   <auth-method>FORM</auth-method>
   <form-login-config>
      <form-login-page>/login.jsp</form-login-page>
      <form-error-page>/login-error.jsp</form-error-page>
   </form-login-config>
</login-config>
-----------------------------

Since you are using the standard FORM authentication, you do not need the valve setting in jboss-web.xml.  That is used only when you write your own custom authenticator.
http://community.jboss.org/wiki/JBossAS7SecurityDomainModel

Regards,
Anil

On 10/14/2011 12:54 PM, Dieter Tengelmann wrote:
Major security bug or configuration problem?
The principal is not propagated to ejb session context. Is this a known bug?
Or is anything wrong with my configuration? I've tested it with the nightly build of 2010-10-08

jboss-web.xml:
--------
    <security-domain flushOnSessionInvalidation="true">myDomain</security-domain>
    <valve>
        <class-name>org.apache.catalina.authenticator.FormAuthenticator</class-name>
    </valve>
---------

security-configuration in standalone.xml
----------
                <security-domain name="myDomain">
                    <authentication>
                        <login-module code="org.jboss.security.auth.spi.DatabaseServerLoginModule" flag="required">
                            <module-option name="debug" value="true" />
                            <module-option name="dsJndiName" value="java:/mydb" />
                            <module-option name="principalsQuery" value="SELECT passwd etc" />
                            <module-option name="rolesQuery" value="SELECT role etc." />
                            <module-option name="unauthenticatedIdentity" value="nobody" />                      
                        </login-module>
                    </authentication>
                </security-domain>

Ejb session bean
-------------
import javax.annotation.Resource;
import javax.ejb.SessionContext;
import javax.ejb.Stateless;
import javax.ejb.TransactionManagement;
import javax.ejb.TransactionManagementType;

@Stateless(name="MyService")
@TransactionManagement(TransactionManagementType.CONTAINER)
@org.jboss.ejb3.annotation.SecurityDomain(value = "myDomain")
public class MyServiceBean {

    // ctx.getCallerPrincipal() is the call that returns "anonymous" (see below)
    @Resource SessionContext ctx;
}

---------------------------

jboss.xml
----------------------
<security-domain>myDomain</security-domain>
----------------------

web.xml
----------------------------
<login-config>
   <auth-method>FORM</auth-method>
   <form-login-config>
      <form-login-page>login.jsp</form-login-page>
      <form-error-page>login-error.jsp</form-error-page>
   </form-login-config>
</login-config>
----------------------------


With this configuration ctx.getCallerPrincipal() delivers the "anonymous" principal, and not the successfully logged-in one.

If I remove security-domain from ejb session bean, I get a
javax.ejb.EJBException: java.lang.IllegalStateException: No principal available

Is there a workaround? Where exactly is the principal propagated to the EJB? Can I use a customized class somewhere?


I've posted already in the forum, without success: http://community.jboss.org/thread/173494
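A diagnostic that makes the scenario in Dieter's post testable, added here as an example and not code from the thread or from JBoss: a probe bean and a servlet that report the web-tier and EJB-tier principals side by side, so a broken propagation shows up as a mismatch rather than a silent "anonymous". The class names PrincipalProbeBean and WhoAmIServlet and the /whoami path are assumptions; both classes' imports are listed once at the top.

```java
// --- file: PrincipalProbeBean.java (assumed name) ---
import java.io.IOException;
import java.io.PrintWriter;
import java.security.Principal;
import javax.annotation.Resource;
import javax.annotation.security.PermitAll;
import javax.ejb.EJB;
import javax.ejb.SessionContext;
import javax.ejb.Stateless;
import javax.servlet.ServletException;
import javax.servlet.annotation.WebServlet;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

@Stateless
@PermitAll // the probe must never fail authorisation itself
@org.jboss.ejb3.annotation.SecurityDomain("myDomain") // same domain as the web app in the thread
public class PrincipalProbeBean {
    @Resource
    private SessionContext ctx;

    /** Name the container attaches to the caller at the EJB tier. */
    public String callerName() {
        Principal p = ctx.getCallerPrincipal();
        return p == null ? "<null>" : p.getName();
    }
}

// --- file: WhoAmIServlet.java (assumed name); put /whoami under the web.xml
// <security-constraint> so FORM login has run before the servlet is reached ---
@WebServlet("/whoami")
public class WhoAmIServlet extends HttpServlet {
    @EJB
    private PrincipalProbeBean probe;

    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        Principal web = req.getUserPrincipal();
        String webName = web == null ? "<null>" : web.getName();
        String ejbName = probe.callerName();
        resp.setContentType("text/plain");
        PrintWriter out = resp.getWriter();
        out.println("web tier: " + webName);
        out.println("ejb tier: " + ejbName);
        // A real user name at the web tier next to "anonymous"/"nobody" at the EJB
        // tier means login succeeded but the identity was not propagated to the bean.
        out.println(webName.equals(ejbName) ? "propagation OK" : "propagation MISMATCH");
    }
}
```

Log in through the FORM page, then request /whoami: if the web tier already shows "<null>", the problem is in the web login itself (for example the missing "/" Anil points out), whereas a mismatch between the two lines isolates it to the web-to-EJB propagation.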