[JBoss-dev] JBoss 5 autenthication / authorization problem

Mon Feb 2 10:24:51 EST 2009

Hello,

I'm having problems integrating JBoss 5 authentication / authorization in my
application. I'm using EJB3, JSF 2 (but it's maven project, so actually
JBoss JSF implementation is used) + Facelets.

The configuration is as follows:

1. First i've added jboss-web.xml to my WEB-INF directory. File content
looks like this:
<?xml version="1.0" encoding="UTF-8"?>  
<!DOCTYPE jboss-web PUBLIC "-//JBoss//DTD Web Application 2.4//EN"
"http://www.jboss.org/j2ee/dtd/jboss-web_5_0.dtd">
<jboss-web>
	<security-domain>java:/jaas/toy-shop-realm</security-domain>
</jboss-web>

2. I have added security domain configuration to login-config.xml located in
JBOSS_INSTALL_DIR\server\default\conf\ like this:
   <application-policy name="toy-shop-realm">
    <authentication>
	  <login-module code="org.jboss.security.auth.spi.UsersRolesLoginModule"
flag="required">
	    <module-option
name="usersProperties">props/toy-shop-users.properties</module-option>
        <module-option
name="rolesProperties">props/toy-shop-roles.properties</module-option>
		<module-option
name="securityDomain">java:/jaas/toy-shop-realm</module-option>
	  </login-module>
	</authentication>
  </application-policy>

As you can see there are two files: toy-shop-users.properties and
toy-shop-roles.properties in JBOSS_INSTALL_DIR\server\default\conf\props\
directory.

toy-shop-users.properties content is as simple as:
admin=admin
user=user

and toy-shop-roles.properties:
admin=admin
user=user

3. I have defined URL addresses security in web.xml in WEB-INF directory:

<security-constraint>
		<web-resource-collection>
			<web-resource-name>all</web-resource-name>
			<url-pattern>/*</url-pattern>
		</web-resource-collection>
		<auth-constraint>
			<role-name>user</role-name>
		</auth-constraint>
	</security-constraint>

	<security-role>
		<role-name>admin</role-name>
	</security-role>
	<security-role>
		<role-name>user</role-name>
	</security-role>

	<login-config>
		<auth-method>FORM</auth-method>
		<form-login-config>
			<form-login-page>/login.jsp</form-login-page>
			<form-error-page>/error.jsp</form-error-page>
		</form-login-config>
	</login-config>

The login.jsp page simply uses j_security_check for authentication.

4. And finally some security annotation in EJB bean:
@SecurityDomain("toy-shop-realm")
@RolesAllowed({"admin", "user"})
@Stateless
public class PaymentLogic implements PaymentContract {

	@EJB(mappedName="PaymentJpaDao/local")
	private PaymentDao paymentDao;

        @RolesAllowed({"admin"})
	public List<Payment> getActivePayments() {
		return paymentDao.getActivePayments();
	}
}

PaymentContract is simple interface with one method and no annotations.
PaymentJpaDao is defined as Stateless bean.

Now, when i start the application it requires authentication. If i provide
non-defined user name i will not go through. If it's 'user' or 'admin'
defined in properties file it is ok. But it looks like security annotations
are completely ignored. Everybody can invoke getActivePayments method. Web
application is tested as war (will be packed as ear in future) and it uses
another library with defined EJB's (PaymentLogic, PaymentJpaDao, etc.). Now
if i add jboss.xml file to META-INF directory of this library then when i
invoke getActivePayments logged as 'user' i'll get  EJBAccessException:
Caller unauthorized. This is great. But when i invoke it as 'admin', i'll
get the 403 error - access denied. If I add <role-name>admin</role-name> in
<auth-constraint> in web.xml i'll also get EJBAccessException: Caller
unauthorized.

What am i missing?

Thx for any help.
-- 
View this message in context: http://www.nabble.com/JBoss-5-autenthication---authorization-problem-tp21788918p21788918.html
Sent from the JBoss - Dev mailing list archive at Nabble.com.