[jboss-as7-dev] The principal is not propagated to ejb session context

Anil Saldhana Anil.Saldhana at redhat.com
Fri Oct 14 15:52:00 EDT 2011


Hi Dieter,
   as mentioned in the thread http://community.jboss.org/thread/173494, I 
see that Carlo/Darran have a test case in our testsuite to test this 
scenario.

Have a look at the provided links.

Regards,
Anil

On 10/14/2011 01:43 PM, Anil Saldhana wrote:
> Dieter,
>   we have to test this scenario. There may be an issue with the 
> ejbContext.getCallerPrincipal() code.  But I would not term this issue 
> as a *major* security issue.  It would be major if you got a principal 
> when you are not supposed to.
>
> Also I am unsure how your code can work because you need to prefix the 
> form-login-page with "/".   AS7 throws an error if the JSP does not 
> start with a "/".
>
> ------------------------------
> <login-config>
> <auth-method>FORM</auth-method>
> <form-login-config>
> <form-login-page>/login.jsp</form-login-page>
> <form-error-page>/login-error.jsp</form-error-page>
> </form-login-config>
> </login-config>
> -----------------------------
>
> Since you are using the standard FORM authentication, you do not need 
> the valve setting in jboss-web.xml.  That is used only when you write 
> your own custom authenticator.
> http://community.jboss.org/wiki/JBossAS7SecurityDomainModel
>
> Regards,
> Anil
>
> On 10/14/2011 12:54 PM, Dieter Tengelmann wrote:
>> Major security bug or configuration problem?
>> The principal is not propagated to ejb session context. Is this a 
>> known bug?
>> Or is anything wrong with my configuration? I've tested it with the 
>> nightly build of 2010-10-08
>>
>> jboss-web.xml:
>> --------
>> <security-domain 
>> flushOnSessionInvalidation="true">myDomain</security-domain>
>> <valve>
>> <class-name>org.apache.catalina.authenticator.FormAuthenticator</class-name>
>> </valve>
>> ---------
>>
>> security-configuration in standalone.xml
>> ----------
>> <security-domain name="myDomain">
>> <authentication>
>> <login-module 
>> code="org.jboss.security.auth.spi.DatabaseServerLoginModule" 
>> flag="required">
>> <module-option name="debug" value="true" />
>> <module-option name="dsJndiName" value="java:/mydb" />
>> <module-option name="principalsQuery" value="SELECT passwd etc" />
>> <module-option name="rolesQuery" value="SELECT role etc." />
>> <module-option name="unauthenticatedIdentity" value="nobody" />
>> </login-module>
>> </authentication>
>> </security-domain>
>>
>> Ejb session bean
>> -------------
>> import javax.annotation.Resource;
>> import javax.ejb.SessionContext;
>> import javax.ejb.Stateless;
>> import javax.ejb.TransactionManagement;
>> import javax.ejb.TransactionManagementType;
>>
>> @Stateless(name="MyService")
>> @TransactionManagement(TransactionManagementType.CONTAINER)
>> @org.jboss.ejb3.annotation.SecurityDomain(value = "myDomain")
>> public class MyServiceBean {
>>     @Resource SessionContext ctx;
>>     public String callerName() { return ctx.getCallerPrincipal().getName(); }
>> }
>>
>> ---------------------------
>>
>> jboss.xml
>> ----------------------
>> <security-domain>myDomain</security-domain>
>> ----------------------
>>
>> web.xml
>> ----------------------------
>> <login-config>
>> <auth-method>FORM</auth-method>
>> <form-login-config>
>> <form-login-page>login.jsp</form-login-page>
>> <form-error-page>login-error.jsp</form-error-page>
>> </form-login-config>
>> </login-config>
>> ----------------------------
>>
>>
>> With this configuration ctx.getCallerPrincipal() delivers the "anonymous" 
>> principal, and not the successfully logged-in one.
>>
>> If I remove security-domain from ejb session bean, I get a
>> javax.ejb.EJBException: java.lang.IllegalStateException: No principal 
>> available
>>
>> Is there a workaround? Where exactly is the principal propagated to the 
>> EJB? Can I use a customized class somewhere?
>>
>>
>> I've posted already in the forum, without success: 
>> http://community.jboss.org/thread/173494
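
A way to check the propagation Dieter is asking about, as an added example
(not code from this thread, from AS7 or from its testsuite): a servlet that
sits behind the FORM login compares request.getUserPrincipal() with what a
co-deployed stateless bean gets from SessionContext.getCallerPrincipal(),
and treats "anonymous" or the configured unauthenticatedIdentity as a
failure rather than as a user. The package, bean name, servlet path and the
"nobody" value are assumptions; the example assumes the corrected web.xml
from the reply above (leading "/" on both login pages) plus a
<security-constraint> covering /whoami, because FORM authentication only
runs for constrained resources.

```java
// PrincipalEchoBean.java  (added example; hypothetical package and names)
package example.security;

import java.security.Principal;

import javax.annotation.Resource;
import javax.annotation.security.PermitAll;
import javax.ejb.SessionContext;
import javax.ejb.Stateless;

// Same security domain as the web application in jboss-web.xml, so the
// EJB container consults the subject established by the web tier.
@Stateless(name = "PrincipalEchoService")
@org.jboss.ejb3.annotation.SecurityDomain("myDomain")
@PermitAll   // authorization is not under test here, only identity propagation
public class PrincipalEchoBean {

    @Resource
    private SessionContext ctx;

    /** Name of the principal the EJB container associates with this call. */
    public String callerName() {
        Principal p = ctx.getCallerPrincipal();
        return p == null ? null : p.getName();
    }
}

// PrincipalPropagationCheck.java  (added example; hypothetical servlet path)
package example.security;

import java.io.IOException;
import java.security.Principal;

import javax.ejb.EJB;
import javax.servlet.ServletException;
import javax.servlet.annotation.WebServlet;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

// Must be covered by a <security-constraint> in web.xml; otherwise FORM
// authentication never runs and getUserPrincipal() is null.
@WebServlet("/whoami")
public class PrincipalPropagationCheck extends HttpServlet {

    // Value of the unauthenticatedIdentity module-option in the security
    // domain (assumption: "nobody", as in the configuration quoted above).
    private static final String UNAUTHENTICATED_IDENTITY = "nobody";

    @EJB
    private PrincipalEchoBean echo;   // no-interface view, same deployment

    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        Principal web = req.getUserPrincipal();
        String webName = (web == null) ? null : web.getName();
        String ejbName = echo.callerName();

        if (!propagated(webName, ejbName, UNAUTHENTICATED_IDENTITY)) {
            // Refuse rather than let business code act on a default identity.
            resp.sendError(HttpServletResponse.SC_INTERNAL_SERVER_ERROR,
                    "caller principal was not propagated to the EJB"
                    + " (web=" + webName + ", ejb=" + ejbName + ")");
            return;
        }
        resp.setContentType("text/plain");
        resp.getWriter().printf("web=%s ejb=%s%n", webName, ejbName);
    }

    /**
     * True only when the EJB saw the same authenticated user as the web tier.
     * "anonymous" and the configured unauthenticatedIdentity both count as
     * failure: they mean the EJB container fell back to a default identity.
     */
    static boolean propagated(String webName, String ejbName, String unauthenticated) {
        if (webName == null || ejbName == null) {
            return false;
        }
        if ("anonymous".equals(ejbName) || unauthenticated.equals(ejbName)) {
            return false;
        }
        return webName.equals(ejbName);
    }
}
```

Deploy both classes in the WAR that carries the FORM login pages, log in as a
user that satisfies the constraint on /whoami, then GET /whoami: a 200 with
matching names means the web principal reached the EJB; a 500 reproduces the
symptom from the first message. The check deliberately fails closed on the
anonymous name as well as on "nobody", since which of the two you see depends
on whether the bean carries a @SecurityDomain at all.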