[jboss-as7-dev] The principal is not propagated to ejb session context

Anil Saldhana Anil.Saldhana at redhat.com
Fri Oct 14 14:43:12 EDT 2011


Dieter,
   we have to test this scenario. There may be an issue with the 
ejbContext.getCallerPrincipal() code.  But I would not term this issue 
as a *major* security issue.  It would be major if you got a principal 
when you are not supposed to.

Also I am unsure how your code can work because you need to prefix the 
form-login-page with "/".   AS7 throws an error if the JSP does not start 
with a "/".

------------------------------
<login-config>
<auth-method>FORM</auth-method>
<form-login-config>
<form-login-page>/login.jsp</form-login-page>
<form-error-page>/login-error.jsp</form-error-page>
</form-login-config>
</login-config>
-----------------------------

Since you are using the standard FORM authentication, you do not need 
the valve setting in jboss-web.xml.  That is used only when you write 
your own custom authenticator.
http://community.jboss.org/wiki/JBossAS7SecurityDomainModel

Regards,
Anil

On 10/14/2011 12:54 PM, Dieter Tengelmann wrote:
> Major security bug or configuration problem?
> The principal is not propagated to ejb session context. Is this a 
> known bug?
> Or is something wrong with my configuration? I've tested it with the 
> nightly build of 2010-10-08
>
> jboss-web.xml:
> --------
> <security-domain 
> flushOnSessionInvalidation="true">myDomain</security-domain>
> <valve>
> <class-name>org.apache.catalina.authenticator.FormAuthenticator</class-name>
> </valve>
> ---------
>
> security-configuration in standalone.xml
> ----------
> <security-domain name="myDomain">
> <authentication>
> <login-module 
> code="org.jboss.security.auth.spi.DatabaseServerLoginModule" 
> flag="required">
> <module-option name="debug" value="true" />
> <module-option name="dsJndiName" value="java:/mydb" />
> <module-option name="principalsQuery" value="SELECT passwd etc" />
> <module-option name="rolesQuery" value="SELECT role etc." />
> <module-option name="unauthenticatedIdentity" value="nobody" />
> </login-module>
> </authentication>
> </security-domain>
>
> Ejb session bean
> -------------
> import javax.annotation.Resource;
> import javax.ejb.SessionContext;
> import javax.ejb.Stateless;
> import javax.ejb.TransactionManagement;
> import javax.ejb.TransactionManagementType;
>
> @Stateless(name="MyService")
> @TransactionManagement(TransactionManagementType.CONTAINER)
> @org.jboss.ejb3.annotation.SecurityDomain(value = "myDomain")
> public class MyServiceBean {
>
>     // ctx.getCallerPrincipal() is the call that returns "anonymous" below
>     @Resource SessionContext ctx;
> }
>
> ---------------------------
>
> jboss.xml
> ----------------------
> <security-domain>myDomain</security-domain>
> ----------------------
>
> web.xml
> ----------------------------
> <login-config>
> <auth-method>FORM</auth-method>
> <form-login-config>
> <form-login-page>login.jsp</form-login-page>
> <form-error-page>login-error.jsp</form-error-page>
> </form-login-config>
> </login-config>
> ----------------------------
>
>
> With this configuration ctx.getCallerPrincipal() delivers the "anonymous" 
> principal, and not the successfully logged-in one
>
> If I remove security-domain from ejb session bean, I get a
> javax.ejb.EJBException: java.lang.IllegalStateException: No principal 
> available
>
> Is there a workaround? Where exactly is the principal propagated to the 
> ejb? Can I use a customized class somewhere?
>
>
> I've posted already in the forum, without success: 
> http://community.jboss.org/thread/173494
>
>
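As an added example (not part of either message and not AS7 code), a small checker for the two descriptor problems named in the reply: form-login-config pages that do not start with "/" and a redundant FormAuthenticator valve alongside the standard FORM auth-method. The checker name and the sample descriptors are constructed here from the quoted snippets.

```python
import xml.etree.ElementTree as ET

# Constructed samples based on the web.xml and jboss-web.xml quoted in the thread.
WEB_XML = """<web-app>
<login-config><auth-method>FORM</auth-method>
<form-login-config>
<form-login-page>login.jsp</form-login-page>
<form-error-page>login-error.jsp</form-error-page>
</form-login-config></login-config>
</web-app>"""

JBOSS_WEB_XML = """<jboss-web>
<security-domain flushOnSessionInvalidation="true">myDomain</security-domain>
<valve><class-name>org.apache.catalina.authenticator.FormAuthenticator</class-name></valve>
</jboss-web>"""


def _local(tag):
    # Drop any namespace so descriptors with or without an xmlns are handled alike.
    return tag.rsplit("}", 1)[-1]


def _texts(root, name):
    return [(el.text or "").strip() for el in root.iter() if _local(el.tag) == name]


def check_form_auth(web_xml, jboss_web_xml=None):
    """Return a list of findings; an empty list means the descriptors look right."""
    findings = []
    web = ET.fromstring(web_xml)
    if "FORM" not in [t.upper() for t in _texts(web, "auth-method")]:
        return findings  # the checks below only apply to FORM authentication
    for page in ("form-login-page", "form-error-page"):
        values = _texts(web, page)
        if not values:
            findings.append(f"{page} is missing")
        elif not values[0].startswith("/"):
            findings.append(f'{page} "{values[0]}" must start with "/"')
    if jboss_web_xml is not None:
        jb = ET.fromstring(jboss_web_xml)
        for valve in (el for el in jb.iter() if _local(el.tag) == "valve"):
            if any(c.endswith("FormAuthenticator") for c in _texts(valve, "class-name")):
                findings.append("FormAuthenticator <valve> is redundant with auth-method FORM")
    return findings


if __name__ == "__main__":
    for finding in check_form_auth(WEB_XML, JBOSS_WEB_XML):
        print("finding:", finding)
```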