[jboss-user] [Security & JAAS/JBoss] - Problems using JAAS with EJB 3.0 on JBoss 4.0.4-GA

danieldestro do-not-reply at jboss.com
Tue Oct 3 13:08:40 EDT 2006

Hello all,

I am trying to build a very simple JavaEE application with JAAS, but I getting mad.

I have an EAR packed with a WAR module an EJB JAR module and a JAR with other classes. Struts is the MVC framework and EJB 3.0 is been used.

First of all, I configured the "login-config.xml" file within /conf directory in JBoss, like this:

<application-policy name="exemplo1">
  | 	<authentication>
  | 		<login-module code="org.jboss.security.auth.spi.DatabaseServerLoginModule" flag="required">
  | 			<module-option name="dsJndiName">java:jdbc/Infra_Seguranca</module-option>
  | 			<module-option name="principalsQuery">SELECT COD_USUARIO AS Password FROM USUARIO WHERE COD_USUARIO=?</module-option>
  | 			<module-option name="rolesQuery">SELECT NOME_ROLE AS Roles, 'Roles' AS RoleGroups FROM ROLE_USUARIO WHERE COD_USUARIO=?</module-option>
  | 		</login-module>
  | 	</authentication>
  |  </application-policy>

Next I configured the "web.xml" file like this:

  | 	<web-resource-collection>
  | 		<web-resource-name>Restricted</web-resource-name>
  | 		<description>Declarative security tests</description>
  | 		<url-pattern>*.do</url-pattern>
  | 	</web-resource-collection>
  | 	<auth-constraint>
  | 		<role-name>xxx</role-name>
  | 	</auth-constraint>
  | 	<user-data-constraint>
  | 		<description>no description</description>
  | 		<transport-guarantee>NONE</transport-guarantee>
  | 	</user-data-constraint>
  | </security-constraint>
  | <login-config>
  | 	<auth-method>FORM</auth-method>
  | 	<realm-name>exemplo1</realm-name>
  | 	<form-login-config>
  | 		<form-login-page>/login.jsp</form-login-page>
  | 		<form-error-page>/loginErro.jsp</form-error-page>
  | 	</form-login-config>
  | </login-config>
  | <security-role>
  | 	<description>Role xxx</description>
  | 	<role-name>xxx</role-name>
  | </security-role>

Notice that I am using the "xxx" role to protect the "*.do" URL pattern.

The "jboss-web.xml" is like this:

<?xml version="1.0"?>
  |  <jboss-web>
  |  	<security-domain>java:/jaas/exemplo1</security-domain>
  |  </jboss-web>

As it is, it works perfectly, which means, every time I try to access a "*.do" URL it verifies whether I am authenticated and have authroization or not. If not, the login page shows up.

Now I wanna to be able to also protect my EJBs.

My Stateless Session Bean is implemented as follow:

  |  @Stateless(name="UserManagement")
  |  public class UserManagementBean implements UserManagement {
  |  	public void add(User user) {
  |  		//...
  |  	}
  |  }

When I run all this, the container simply igoners the @RolesAllowed("yyy") annotation and allow the EJB execution.

If I add the "jboss.xml" file, like this:

<?xml version="1.0"?>
  |  <jboss>
  |  	<security-domain>java:/jaas/exemplo1</security-domain>
  |  </jboss>

I start getting this stack trace:

ERROR [UsersRolesLoginModule] Failed to load users/passwords/role files
  | java.io.IOException: No properties file: users.properties or defaults: defaultUsers.properties found
  | at org.jboss.security.auth.spi.Util.loadProperties(Util.java:313)
  | at org.jboss.security.auth.spi.UsersRolesLoginModule.loadUsers(UsersRolesLoginModule.java:186)
  | at org.jboss.security.auth.spi.UsersRolesLoginModule.createUsers(UsersRolesLoginModule.java:200)
  | at org.jboss.security.auth.spi.UsersRolesLoginModule.initialize(UsersRolesLoginModule.java:127)
  | at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
  | ... 

Am I missing something? What do I have to do to get JAAS working fine with my EJBs? Do I have to also configure and/or provide "ejb-jar.xml" ???


View the original post : http://www.jboss.com/index.html?module=bb&op=viewtopic&p=3975832#3975832

Reply to the post : http://www.jboss.com/index.html?module=bb&op=posting&mode=reply&p=3975832

More information about the jboss-user mailing list