[jboss-user] [Security & JAAS/JBoss] - Declarative security in JBoss - Annotations and XML file com

david.malec do-not-reply at jboss.com
Thu Apr 12 03:13:43 EDT 2007


Hello everybody

I have a problem with the declarative security configuration in my application. I finally configured JAAS authentication/authorization for some of my EJBs using annotations like @SecurityDomain etc. It works properly.

I have configured login-config:

<application-policy name="kusssdemo-policy">
  <authentication>
    <login-module code="org.jboss.security.ClientLoginModule" flag="required"/>
    <login-module code="org.jboss.security.auth.spi.DatabaseServerLoginModule" flag="required">
      <module-option name="password-stacking">useFirstPass</module-option>
      <module-option name="dsJndiName">java:/kusssdemo</module-option>
      <module-option name="principalsQuery">...</module-option>
      <module-option name="rolesQuery">...</module-option>
      <module-option name="unauthenticatedIdentity">guest</module-option>
    </login-module>
  </authentication>
</application-policy>
 
It's a Swing application and I use a custom ClientLoginModule to perform authentication (but for this case it doesn't matter, I think).

But now I need to declare security in the DD (ejb-jar.xml). I want to use the same roles, which I retrieve from DatabaseServerLoginModule, to protect methods from other EJBs.


My ejb-jar is:

<ejb-jar>
....
   <enterprise-beans>
      <session>
         <ejb-name>DegreeBusinessLogicBean</ejb-name>
         <ejb-class>at.jku.kusss.degreemngt.degree.facade.DegreeBusinessLogicBean</ejb-class>
         <session-type>Stateless</session-type>
         <security-identity>
            <run-as>
               <role-name>admin</role-name>
            </run-as>
         </security-identity>
      </session>
   </enterprise-beans>
   <assembly-descriptor>
      <security-role>
         <role-name>admin</role-name>
      </security-role>
      <method-permission>
         <role-name>admin</role-name>
         <method>
            <ejb-name>DegreeBusinessLogicBean</ejb-name>
            <method-name>*</method-name>
         </method>
      </method-permission>
...
</ejb-jar>

I'm using JBoss 4.2.0CR1 and I found that the tag <security-role-ref> is not implemented yet.

My jboss.xml:

<jboss>
    <security-domain>java:/jaas/kusssdemo-policy</security-domain>
    <enterprise-beans>
      <session>
        <ejb-name>DegreeBusinessLogicBean</ejb-name>
        <jndi-name>ejb/DegreeBusinessLogicBean</jndi-name>
      </session>
    </enterprise-beans>
</jboss>

But it does not work; everybody can access the EJB.

PLEASE can you help me, am I missing something?

Thanks, and I wish you a nice day

David

View the original post : http://www.jboss.com/index.html?module=bb&op=viewtopic&p=4036615#4036615
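
A static consistency check over the two descriptors shown in the post, as an added example that is not part of the original post or of JBoss. The embedded descriptors are constructed samples, `OtherBean` and the function name `audit_descriptors` are hypothetical, and the script only reports what the files declare; it does not reproduce how JBoss processes them.

```python
import xml.etree.ElementTree as ET

# Constructed descriptors modelled on the post; OtherBean is a hypothetical second bean.
EJB_JAR = """<ejb-jar>
  <enterprise-beans>
    <session>
      <ejb-name>DegreeBusinessLogicBean</ejb-name>
      <security-identity><run-as><role-name>admin</role-name></run-as></security-identity>
    </session>
    <session><ejb-name>OtherBean</ejb-name></session>
  </enterprise-beans>
  <assembly-descriptor>
    <security-role><role-name>admin</role-name></security-role>
    <method-permission>
      <role-name>admin</role-name>
      <method><ejb-name>DegreeBusinessLogicBean</ejb-name><method-name>*</method-name></method>
    </method-permission>
  </assembly-descriptor>
</ejb-jar>"""
JBOSS_XML = """<jboss>
  <security-domain>java:/jaas/kusssdemo-policy</security-domain>
</jboss>"""


def _parse(text):
    root = ET.fromstring(text)
    for el in root.iter():
        el.tag = el.tag.rsplit("}", 1)[-1]  # ignore XML namespaces if present
    return root


def _names(root, path):
    return {(el.text or "").strip() for el in root.findall(path)}


def audit_descriptors(ejb_jar_xml, jboss_xml):
    """Report what the two descriptors declare; hypothetical helper, not a JBoss API."""
    ejb, jboss = _parse(ejb_jar_xml), _parse(jboss_xml)
    beans = _names(ejb, "./enterprise-beans/*/ejb-name")
    declared = _names(ejb, "./assembly-descriptor/security-role/role-name")
    used = _names(ejb, "./assembly-descriptor/method-permission/role-name")
    used |= _names(ejb, ".//run-as/role-name")
    covered = _names(ejb, "./assembly-descriptor/method-permission/method/ejb-name")
    domain = (jboss.findtext("./security-domain") or "").strip()
    return {
        "security_domain": domain or None,
        "beans_without_method_permission": sorted(beans - covered),
        "roles_used_but_not_declared": sorted(used - declared),
        "method_permissions_for_unknown_beans": sorted(covered - beans),
    }


if __name__ == "__main__":
    for key, value in audit_descriptors(EJB_JAR, JBOSS_XML).items():
        print(f"{key}: {value}")
```
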
