[jboss-jira] [JBoss JIRA] Updated: (JBAS-4022) EJB security-domain tag in jboss.xml for a domain defined in login-config.xml only works if java:/jaas/ prefix is absent, contrary to the documentation.
Erica Kane (JIRA)
jira-events at jboss.com
Mon Jan 29 11:00:57 EST 2007
[ http://jira.jboss.com/jira/browse/JBAS-4022?page=all ]
Erica Kane updated JBAS-4022:
-----------------------------
Component/s: Security
> EJB security-domain tag in jboss.xml for a domain defined in login-config.xml only works if java:/jaas/ prefix is absent, contrary to the documentation.
> --------------------------------------------------------------------------------------------------------------------------------------------------------
>
> Key: JBAS-4022
> URL: http://jira.jboss.com/jira/browse/JBAS-4022
> Project: JBoss Application Server
> Issue Type: Bug
> Security Level: Public(Everyone can see)
> Components: Security
> Affects Versions: JBossAS-4.0.4.GA
> Environment: Clustered
> Reporter: Erica Kane
>
> I created a security domain in the JBoss server login-config.xml:
> <application-policy name = "webappDomain">
>   <authentication>
>     <login-module code = "org.jboss.security.auth.spi.DatabaseServerLoginModule"
>                   flag = "required">
>       <module-option name = "dsJndiName">java:jdbc/web</module-option>
>       <module-option name = "principalsQuery">select password from Users where username=?</module-option>
>       <module-option name = "rolesQuery">select Role, 'Roles' from Roles where username=?</module-option>
>       <module-option name = "unauthenticatedIdentity">guest</module-option>
>     </login-module>
>   </authentication>
> </application-policy>
> In jboss-web.xml, I have
> <?xml version="1.0" encoding="UTF-8"?>
> <jboss-web>
>   <security-domain flushOnSessionInvalidation="true">java:/jaas/webappDomain</security-domain>
>   <context-root>/web</context-root>
> </jboss-web>
> and this works perfectly for securing web pages. However, if I put the following tag in jboss.xml:
> <security-domain>java:/jaas/webappDomain</security-domain>
> I find that protected EJBs default to using the "other" security domain, as shown by error messages complaining about the missing user.properties file and so on (I have left "other" on the default setting of UsersRolesLoginModule).
> What DOES work is to put:
> <security-domain>webappDomain</security-domain>
> in jboss.xml without the java:/jaas/ prefix. However, this does not match the documentation. See
> http://docs.jboss.org/jbossas/jboss4guide/r4/html/ch8.chapter.html
> example 8.8. Of course there the tag is set to java:/jaas/other, which for this bug would default to "other" anyway.
> I think it is terribly confusing to have jboss.xml and jboss-web.xml using different forms for the security-domain, but even if this is necessary for some reason it should be corrected in the documentation. Other people appear to have run into this as well:
> http://forum.java.sun.com/thread.jspa?threadID=773530