[jboss-as7-dev] The principal is not propagated to ejb session context

Dieter Tengelmann dieter.tengelmann at googlemail.com
Fri Oct 14 13:54:39 EDT 2011 

Major security bug or configuration problem?
The principal is not propagated to ejb session context. Is this a known bug?
Or is anything wrong with my configuration? I've tested it with the nightly
build of 2010-10-08

jboss-web.xml:
--------
    <security-domain
flushOnSessionInvalidation="true">myDomain</security-domain>
    <valve>

<class-name>org.apache.catalina.authenticator.FormAuthenticator</class-name>
    </valve>
---------

security-configuration in standalone.xml
----------
                <security-domain name="myDomain">
                    <authentication>
                        <login-module
code="org.jboss.security.auth.spiDatabaseServerLoginModule" flag="required">
                            <module-option name="debug" value="true" />
                            <module-option name="dsJndiName"
value="java:/mydb" />
                            <module-option name="principalsQuery"
value="SELECT passwd etc" />
                            <module-option name="rolesQuery" value="SELECT
role etc." />
                            <module-option name="unauthenticatedIdentity"
value="nobody" />
                        </login-module>
                    </authentication>
                </security-domain>

Ejb session bean
-------------
@Stateless(name="MyService")
@TransactionManagement(TransactionManagementType.CONTAINER)
@org.jboss.ejb3.annotation.SecurityDomain(value = "myDomain")
public class MyServiceBean {


@Resource SessionContext ctx;

---------------------------

jboss.xml
----------------------
<security-domain>myDomain</security-domain>
----------------------

web.xml
----------------------------
<login-config>
      <auth-method>FORM</auth-method>
      <form-login-config>
         <form-login-page>login.jsp</form-login-page>
         <form-error-page>login-error.jsp</form-error-page>
      </form-login-config>
   </login-config>
----------------------------


With this configuration ctx.getCallerPrincipal() delivers "anonymous"
principal, and not the successful logged in one

If I remove security-domain from ejb session bean, I get a
javax.ejb.EJBException: java.lang.IllegalStateException: No principal
available

Is there a workaraound, where exactly is the principal propagated to ejb.
Can I use a customized class somewhere?


I've posted already in the forum, without success:
http://community.jboss.org/thread/173494
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.jboss.org/pipermail/jboss-as7-dev/attachments/20111014/e89a0760/attachment.html

More information about the jboss-as7-dev mailing list