[jboss-user] [Security & JAAS/JBoss] - Arrggh! JAAS Policy File with JBOSS - Please Help!
jgilmore
do-not-reply at jboss.com
Tue Dec 11 10:59:30 EST 2007
My application security runs great in Tomcat but when I run it in JBoss it doesn't work.
I have deployed a DynamicLoginConfig MBean to specify the location of my custom login-config.xml:
jboss-service.xml:
    <server>

      <!-- JG:
           Added this mbean so that jboss will look first in META-INF for the login config before looking in the config directory
           of the jboss root -->
      <mbean code="org.jboss.security.auth.login.DynamicLoginConfig"
             name="jboss:service=DynamicLoginConfig">
        <attribute name="AuthConfig">META-INF/jboss-login-config.xml</attribute>
        <!-- The service which supports dynamic processing of login-config.xml
             configurations.
        -->
        <depends optional-attribute-name="LoginConfigService">
          jboss.security:service=XMLLoginConfig
        </depends>
        <!-- Optionally specify the security mgr service to use when
             this service is stopped to flush the auth caches of the domains
             registered by this service.
        -->
        <depends optional-attribute-name="SecurityManagerService">
          jboss.security:service=JaasSecurityManager
        </depends>
      </mbean>
    </server>
Where jboss-login-config.xml looks like this:
    <policy>

      <application-policy name="CustomerAdmin">
        <authentication>
          <login-module code="com.ftid.custadmin.security.HibernateLoginModule" flag="required">
            <module-option name="policy">META-INF/ClientAdmin.policy</module-option>
          </login-module>
        </authentication>
      </application-policy>

    </policy>
This works great: when logging into my application on JBoss, my custom HibernateLoginModule class is called. However, I have a JAAS Policy file that looks like this:
    grant Principal com.ftid.custadmin.security.ClientAdminPrincipal "view_customer" {
        permission com.ftid.custadmin.security.ViewIdPermission "/client/clientsView.*";
        permission com.ftid.custadmin.security.ViewIdPermission "/client/clientLandingPage.*";
    };

    grant Principal com.ftid.custadmin.security.ClientAdminPrincipal "view_update_customer" {
        permission com.ftid.custadmin.security.ViewIdPermission "/client/clientEdit.*";
    };

    etc.
How do I get the JBoss SecurityManager to read this JAAS policy file??
In Tomcat I simply had to do the following, which works very well:
    System.setProperty("java.security.auth.login.config", sc.getRealPath("/WEB-INF/jaas.properties"));
    System.setProperty("java.security.auth.policy", sc.getRealPath("/WEB-INF/ClientAdmin.policy"));
    SecurityManager sm = System.getSecurityManager();
    ...
    Permission perm = new ViewIdPermission("/client/clientEdit");
    sm.checkPermission(perm);
When this code runs in JBoss an AccessControlException is thrown. It seems that JBoss creates its own SecurityManager that hasn't been set up using my Policy file.
HOW DO I GET JBOSS TO READ MY POLICY FILE ?? Please Help!!
View the original post : http://www.jboss.com/index.html?module=bb&op=viewtopic&p=4111987#4111987
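Added example, not part of the original post or of JBoss: a small Java probe that asks a java.security.Policy directly whether a Subject's principals are granted a permission. This separates "the grants are not in the policy" from "the check ran without the Subject on the call stack". Assumptions: RolePrincipal, OneGrantPolicy and the use of RuntimePermission are constructed stand-ins for the post's ClientAdminPrincipal, ClientAdmin.policy and ViewIdPermission, and java.security.Policy is deprecated for removal in recent JDKs.

```java
import java.security.CodeSource;
import java.security.Permission;
import java.security.Policy;
import java.security.Principal;
import java.security.ProtectionDomain;
import java.security.cert.Certificate;
import javax.security.auth.Subject;

public final class PolicyProbe {
    /** True if 'policy' grants 'perm' to the principals carried by 'subject'. */
    static boolean granted(Policy policy, Subject subject, Permission perm) {
        Principal[] who = subject.getPrincipals().toArray(new Principal[0]);
        // Non-null CodeSource with no URL and no signers, so that only the
        // "grant Principal ..." part of an entry decides the outcome.
        CodeSource anyCode = new CodeSource(null, (Certificate[]) null);
        return policy.implies(new ProtectionDomain(anyCode, null, null, who), perm);
    }

    // Hypothetical stand-in for the post's ClientAdminPrincipal.
    static final class RolePrincipal implements Principal {
        private final String name;
        RolePrincipal(String name) { this.name = name; }
        @Override public String getName() { return name; }
    }

    // Constructed in-memory policy mirroring one grant from the post:
    // only principal "view_update_customer" gets "/client/clientEdit".
    static final class OneGrantPolicy extends Policy {
        @Override public boolean implies(ProtectionDomain pd, Permission perm) {
            if (!"/client/clientEdit".equals(perm.getName())) return false;
            for (Principal p : pd.getPrincipals()) {
                if (p instanceof RolePrincipal && "view_update_customer".equals(p.getName())) return true;
            }
            return false;
        }
    }

    public static void main(String[] args) {
        // RuntimePermission stands in for ViewIdPermission, whose class is not shown in the post.
        Permission edit = new RuntimePermission("/client/clientEdit");
        Subject editor = new Subject();
        editor.getPrincipals().add(new RolePrincipal("view_update_customer"));
        Subject viewer = new Subject();
        viewer.getPrincipals().add(new RolePrincipal("view_customer"));
        Policy policy = new OneGrantPolicy();
        System.out.println("editor: " + granted(policy, editor, edit));
        System.out.println("viewer: " + granted(policy, viewer, edit));
        System.out.println("no principals: " + granted(policy, new Subject(), edit));
    }
}
```

Inside the container, pass `Policy.getPolicy()` together with the authenticated Subject and the real permission class; when a SecurityManager is installed, the caller needs `java.security.SecurityPermission "getPolicy"` to do so.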