Hi,
I desperately try to enable security on EJB3 session beans called from Seam components,
but I can't find how to do this. When I try to call EJB3 session bean, I have a
"Authentication failure" error. It's hard to find clear documentations about
this on the web, so I hope someone will help me here ... Note I just want to authenticate
for the moment, I don't want to use roles based authorization because it won't be
enough for my needs.
My app is an EAR with two jars :
- one with EJB3 session beans
- one with Seam components (EJB3, not pojos)
The problem appears when I call secured EJB3 session beans from a Seam component.
Here is what I did for the moment :
In my EJB3 session beans jar :
One example of a EJB3 session bean ...
META-INF/jboss.xml :
<session>
| <ejb-name>ServiceBaseEmployeBean</ejb-name>
| <security-domain>t4Seam</security-domain>
| </session>
META-INF/ejb-jar.xml :
<session>
| <description>
| <![CDATA[
|
| ]]>
| </description>
| <ejb-name>ServiceBaseEmployeBean</ejb-name>
| <remote>t4.core.employe.facade.ServiceBaseEmployeRemote</remote>
| <local>t4.core.employe.facade.ServiceBaseEmployeLocal</local>
| <ejb-class>t4.core.employe.facade.ServiceBaseEmployeBean</ejb-class>
| <session-type>Stateless</session-type>
| <transaction-type>Container</transaction-type>
| </session>
In the EAR :
META-INF/jboss-app.xml :
<?xml version="1.0" encoding="UTF-8"?>
| <!DOCTYPE jboss-app
| PUBLIC "-//JBoss//DTD J2EE Application 1.4//EN"
| "http://www.jboss.org/j2ee/dtd/jboss-app_4_0.dtd">
| <jboss-app>
| <module>
| <service>META-INF/t4Seam-login-service.xml</service>
| </module>
| </jboss-app>
META-INF/t4Seam-login-service.xml :
<?xml version="1.0" encoding="UTF-8"?>
| <server>
| <mbean code="org.jboss.security.auth.login.DynamicLoginConfig"
| name="t4Seam:service=DynamicLoginConfig">
| <attribute
name="AuthConfig">META-INF/t4Seam-login-config.xml</attribute>
| <depends optional-attribute-name="LoginConfigService">
| jboss.security:service=XMLLoginConfig
| </depends>
| <depends optional-attribute-name="SecurityManagerService">
| jboss.security:service=JaasSecurityManager
| </depends>
| </mbean>
| </server>
META-INF/t4Seam-login-config.xml :
<?xml version="1.0" encoding="UTF-8"?>
| <!DOCTYPE policy PUBLIC
| "-//JBoss//DTD JBOSS Security Config 3.0//EN"
| "http://www.jboss.org/j2ee/dtd/security_config.dtd">
| <policy>
| <application-policy name="t4Seam">
| <authentication>
| <login-module
code="org.jboss.seam.security.jaas.SeamLoginModule"
flag="required">
| </login-module>
| <login-module code="org.jboss.security.ClientLoginModule"
flag="required">
| <module-option
name="restore-login-identity">true</module-option>
| <module-option
name="multi-threaded">false</module-option>
| </login-module>
| </authentication>
| </application-policy>
| </policy>
In Seam components JAR :
META-INF/components.xml :
<security:identity
| authenticate-method="#{authenticator.authenticate}"
| jaas-config-name="t4Seam" />
|
My Seam authenticate method (there is no security on compteUtilisateurDao EJB) :
@javax.ejb.EJB
| private CompteUtilisateurDao compteUtilisateurDao;
|
| public boolean authenticate()
| throws java.lang.Exception
| {
| String username = Identity.instance().getUsername();
| String password = Identity.instance().getPassword();
| CompteUtilisateur utilisateur =
compteUtilisateurDao.findByUsernameAndPassword(username, password);
| return (utilisateur != null);
| }
And the code calling the EJB3 session bean from a Seam component :
@javax.ejb.EJB protected ServiceBaseEmployeLocal serviceEmploye;
|
| @javax.ejb.TransactionAttribute(javax.ejb.TransactionAttributeType.REQUIRES_NEW)
| @org.jboss.seam.annotations.Factory(value = "employes")
| @org.jboss.seam.annotations.Observer("employeUpdated")
| public void getEmployes() throws java.lang.Exception
| {
| this.employes = this.serviceEmploye.loadAllEmployes();
| }
What I saw in traces is that both SeamLoginModule and ClientLoginModule are called and run
OK. But it looks like the JAAS subject is not propagated to EJB layer, while it is (for
what I understood) the goal of ClientLoginModule.
Anyone has an idea what I do wrong ? Maybe I forgot some config files or misunderstood
something with JBoss Security ?
Thanks in advance,
Olivier
View the original post :
http://www.jboss.com/index.html?module=bb&op=viewtopic&p=4149149#...
Reply to the post :
http://www.jboss.com/index.html?module=bb&op=posting&mode=reply&a...