[jboss-jira] [JBoss JIRA] Created: (JBAS-4022) EJB security-domain tag in jboss.xml for a domain defined in login-config.xml only works if java:/jaas/ prefix is absent, contrary to the documentation.

Erica Kane (JIRA) jira-events at jboss.com
Thu Jan 25 12:00:57 EST 2007 

EJB security-domain tag in jboss.xml for a domain defined in login-config.xml only works if java:/jaas/ prefix is absent, contrary to the documentation.
--------------------------------------------------------------------------------------------------------------------------------------------------------

                 Key: JBAS-4022
                 URL: http://jira.jboss.com/jira/browse/JBAS-4022
             Project: JBoss Application Server
          Issue Type: Bug
      Security Level: Public (Everyone can see)
    Affects Versions: JBossAS-4.0.4.GA
         Environment: Clustered
            Reporter: Erica Kane


I created a security domain in the the JBoss server login-config.xml:

<application-policy name = "webappDomain">
       <authentication>
          <login-module code = "org.jboss.security.auth.spi.DatabaseServerLoginModule"
             flag = "required">
             <module-option name = "dsJndiName">java:jdbc/web</module-option>
             <module-option name = "principalsQuery">select password from Users where username=?</module-option>
             <module-option name = "rolesQuery">select Role, 'Roles' from Roles where username=?</module-option>
             <module-option name = "unauthenticatedIdentity">guest</module-option>
          </login-module>
       </authentication>
    </application-policy>

In jboss-web.xml, I have


<?xml version="1.0" encoding="UTF-8"?>
<jboss-web>
  <security-domain flushOnSessionInvalidation="true">java:/jaas/webappDomain</security-domain> 
  <context-root>/web</context-root>
 </jboss-web>


and this works perfectly for securing web pages.  However, if I put the following tag in jboss.xml:

<security-domain>java:/jaas/webappDomain</security-domain>

I find that protected EJBs default to using the "other" security domain, as shown by error messages complaining about the missing user.properties file and so on (I have left "other" on the default setting of UsersRolesLoginModule).

What DOES work is to put:

<security-domain>webappDomain</security-domain>

in jboss.xml without the java:/jaas/ prefix.  However, this does not match the documentation.  See

http://docs.jboss.org/jbossas/jboss4guide/r4/html/ch8.chapter.html

example 8.8.  Of course there the tag is set to java:/jaas/other, which for this bug would default to "other" anyway.

I think it is terribly confusing to have jboss.xml and jboss-web.xml using different forms for the security-domain, but even if this is necessary for some reason it should be corrected in the documentation.  Other people appear to have run into this as well:

http://forum.java.sun.com/thread.jspa?threadID=773530


-- 
This message is automatically generated by JIRA.
-
If you think it was sent incorrectly contact one of the administrators: http://jira.jboss.com/jira/secure/Administrators.jspa
-
For more information on JIRA, see: http://www.atlassian.com/software/jira

More information about the jboss-jira mailing list