Hi Dieter,
as mentioned in thread http://community.jboss.org/thread/173494,
I see that Carlo/Darran have a test case in our testsuite to test
this scenario.
Have a look at the provided links.
Regards,
Anil
On 10/14/2011 01:43 PM, Anil Saldhana wrote:
Dieter,
we have to test this scenario. There may be an issue with the
ejbContext.getCallerPrincipal() code. But I would not term this
issue as a *major* security issue. It would be major if you got a
principal when you are not supposed to.
Also I am unsure how your code can work because you need to prefix
the form-login-page with "/". AS7 throws an error if the JSP does not
start with a "/":
------------------------------
<login-config>
    <auth-method>FORM</auth-method>
    <form-login-config>
        <form-login-page>/login.jsp</form-login-page>
        <form-error-page>/login-error.jsp</form-error-page>
    </form-login-config>
</login-config>
-----------------------------
Since you are using the standard FORM authentication, you do not
need the valve setting in jboss-web.xml. That is used only when
you write your own custom authenticator.
http://community.jboss.org/wiki/JBossAS7SecurityDomainModel
Regards,
Anil
On 10/14/2011 12:54 PM, Dieter Tengelmann wrote:
Major security bug or configuration problem?
The principal is not propagated to ejb session context. Is this
a known bug?
Or is something wrong with my configuration? I've tested it with
the nightly build of 2010-10-08.
jboss-web.xml:
--------
<security-domain flushOnSessionInvalidation="true">myDomain</security-domain>
<valve>
    <class-name>org.apache.catalina.authenticator.FormAuthenticator</class-name>
</valve>
---------
security configuration in standalone.xml
----------
<security-domain name="myDomain">
    <authentication>
        <!-- fully qualified class name: package "spi", class "DatabaseServerLoginModule" -->
        <login-module code="org.jboss.security.auth.spi.DatabaseServerLoginModule" flag="required">
            <module-option name="debug" value="true"/>
            <module-option name="dsJndiName" value="java:/mydb"/>
            <!-- the actual queries were elided in the post -->
            <module-option name="principalsQuery" value="SELECT passwd etc"/>
            <module-option name="rolesQuery" value="SELECT role etc."/>
            <!-- identity assigned to callers that present no credentials -->
            <module-option name="unauthenticatedIdentity" value="nobody"/>
        </login-module>
    </authentication>
</security-domain>
EJB session bean
-------------
import javax.annotation.Resource;
import javax.ejb.SessionContext;
import javax.ejb.Stateless;
import javax.ejb.TransactionManagement;
import javax.ejb.TransactionManagementType;

@Stateless(name="MyService")
@TransactionManagement(TransactionManagementType.CONTAINER)
@org.jboss.ejb3.annotation.SecurityDomain(value = "myDomain")
public class MyServiceBean {
    @Resource SessionContext ctx; // injected; ctx.getCallerPrincipal() is queried below
}
---------------------------
jboss.xml
----------------------
<security-domain>myDomain</security-domain>
----------------------
web.xml
----------------------------
<login-config>
    <auth-method>FORM</auth-method>
    <form-login-config>
        <form-login-page>login.jsp</form-login-page>
        <form-error-page>login-error.jsp</form-error-page>
    </form-login-config>
</login-config>
----------------------------
With this configuration ctx.getCallerPrincipal() delivers the
"anonymous" principal, and not the successfully logged-in one.
If I remove the security-domain from the EJB session bean, I get a
javax.ejb.EJBException: java.lang.IllegalStateException: No
principal available
Is there a workaround? Where exactly is the principal
propagated to the EJB? Can I use a customized class somewhere?
I've already posted in the forum, without success: http://community.jboss.org/thread/173494
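The following is an added diagnostic, not code from this thread or from JBoss itself. It shows the check Anil describes (a principal must be present only after a successful FORM login, and an unauthenticated call must be rejected rather than silently run) against the kind of setup Dieter posted. It assumes a web.xml `<security-constraint>` protecting `/secure/*` with the role `user`, that `user` is one of the roles returned by the domain's rolesQuery, and that both classes are deployed against the same security domain `myDomain`; the package, class and servlet path names are placeholders.

```java
package example;   // hypothetical package; both classes below go in it, one per file

import java.io.IOException;
import java.io.PrintWriter;
import java.security.Principal;

import javax.annotation.Resource;
import javax.annotation.security.RolesAllowed;
import javax.ejb.EJB;
import javax.ejb.EJBException;
import javax.ejb.SessionContext;
import javax.ejb.Stateless;
import javax.servlet.ServletException;
import javax.servlet.annotation.WebServlet;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

// --- file WhoAmIBean.java ---
// Stateless bean bound to the same security domain as the web application.
// @RolesAllowed makes the container reject a caller that arrives without an
// authenticated identity instead of running the method as "anonymous".
@Stateless(name = "WhoAmIService")                       // hypothetical bean name
@org.jboss.ejb3.annotation.SecurityDomain(value = "myDomain")
public class WhoAmIBean {
    @Resource
    private SessionContext ctx;

    @RolesAllowed("user")                                // assumed role name
    public String callerName() {
        // In EJB 3.1 getCallerPrincipal() does not return null; an
        // unauthenticated identity shows up as a name such as "anonymous".
        Principal p = ctx.getCallerPrincipal();
        return p == null ? "<none>" : p.getName();
    }
}

// --- file WhoAmIServlet.java (same package) ---
// Sits behind the FORM-protected path so that the web tier has already
// authenticated the user, then reports what each tier sees.
@WebServlet("/secure/whoami")                            // assumed protected path
public class WhoAmIServlet extends HttpServlet {
    @EJB
    private WhoAmIBean service;

    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        Principal webPrincipal = req.getUserPrincipal();
        String webName = webPrincipal == null ? "<none>" : webPrincipal.getName();

        String ejbName;
        try {
            ejbName = service.callerName();
        } catch (EJBException e) {
            // Expected outcome when the EJB call carries no authenticated
            // identity: the container denies the call (EJBAccessException is
            // a subclass of EJBException).
            ejbName = "<denied: " + e.getMessage() + ">";
        }

        resp.setContentType("text/plain");
        PrintWriter out = resp.getWriter();
        out.println("web tier  : " + webName);
        out.println("ejb tier  : " + ejbName);
        out.println("propagated: " + webName.equals(ejbName));
    }
}
```

Reading the output: after logging in through the form, both lines should show the same user name and `propagated: true`. A web-tier name with an EJB-tier "anonymous" or a denial means the identity was lost between the tiers (check that the bean is bound to the same domain as the WAR); `<none>` on the web tier means FORM login never ran for that request, which is where Anil's point about the leading "/" on the form-login-page applies.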