[jboss-user] [Security & JAAS/JBoss] - Arrggh! JAAS Policy File with JBOSS - Please Help!

jgilmore do-not-reply at jboss.com
Tue Dec 11 10:59:30 EST 2007


My application security runs great in Tomcat but when I run it in JBoss it doesn't work.

I have deployed a DynamicLoginConfig MBean to specify the location of my custom login-config.xml:

jboss-service.xml:
<server>

   <!-- JG:
        Added this mbean so that jboss will look first in META-INF for the login config before looking in the config directory
        of the jboss root-->
   <mbean code="org.jboss.security.auth.login.DynamicLoginConfig"
      name="jboss:service=DynamicLoginConfig">
      <attribute name="AuthConfig">META-INF/jboss-login-config.xml</attribute>
      <!-- The service which supports dynamic processing of login-config.xml
           configurations.
      -->
      <depends optional-attribute-name="LoginConfigService">
         jboss.security:service=XMLLoginConfig
      </depends>
      <!-- Optionally specify the security mgr service to use when
           this service is stopped to flush the auth caches of the domains
           registered by this service.
      -->
      <depends optional-attribute-name="SecurityManagerService">
         jboss.security:service=JaasSecurityManager
      </depends>
   </mbean>
</server>

Where jboss-login-config.xml looks like this:

<policy>

    <application-policy name="CustomerAdmin">
        <authentication>
            <login-module code="com.ftid.custadmin.security.HibernateLoginModule" flag="required">
                <module-option name="policy">META-INF/ClientAdmin.policy</module-option>
            </login-module>
        </authentication>
    </application-policy>

</policy>

This works great: when logging into my application on JBoss, my custom HibernateLoginModule class is called.  However, I have a JAAS Policy file that looks like this:


grant Principal com.ftid.custadmin.security.ClientAdminPrincipal "view_customer" {
    permission  com.ftid.custadmin.security.ViewIdPermission "/client/clientsView.*";
    permission  com.ftid.custadmin.security.ViewIdPermission "/client/clientLandingPage.*";
};

grant Principal com.ftid.custadmin.security.ClientAdminPrincipal "view_update_customer" {
    permission  com.ftid.custadmin.security.ViewIdPermission "/client/clientEdit.*";
};

etc.

How do I get the JBoss SecurityManager to read this JAAS policy file??

In Tomcat I simply had to do the following, which works very well:


System.setProperty("java.security.auth.login.config", sc.getRealPath("/WEB-INF/jaas.properties"));
System.setProperty("java.security.auth.policy", sc.getRealPath("/WEB-INF/ClientAdmin.policy"));
SecurityManager sm = System.getSecurityManager();
// ...
Permission perm = new ViewIdPermission("/client/clientEdit");
sm.checkPermission(perm);

When this code runs in JBoss an AccessControlException is thrown.  It seems that JBoss creates its own SecurityManager that hasn't been set up using my Policy file.

HOW DO I GET JBOSS TO READ MY POLICY FILE ??  Please Help!!


View the original post : http://www.jboss.com/index.html?module=bb&op=viewtopic&p=4111987#4111987
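
One way to see which SecurityManager and Policy a container actually installed, and whether that Policy grants a permission to a given principal, as an added example that is not part of the original post. The names PolicyProbe, NamedPrincipal, policyGrants and describe are hypothetical; the code assumes a JVM that still supports the Security Manager and Policy APIs, and that the caller may read the Policy (SecurityPermission "getPolicy" when a security manager is installed).

```java
import java.security.CodeSource;
import java.security.Permission;
import java.security.Policy;
import java.security.Principal;
import java.security.ProtectionDomain;

// Added diagnostic example; not code from the original post.
public class PolicyProbe {

    // Hypothetical stand-in for the application's own Principal class.
    static final class NamedPrincipal implements Principal {
        private final String name;
        NamedPrincipal(String name) { this.name = name; }
        public String getName() { return name; }
    }

    // Asks the installed Policy whether code running as `principal` is granted `perm`.
    // The CodeSource has no location, so only grants without a codeBase can match.
    static boolean policyGrants(Principal principal, Permission perm) {
        CodeSource cs = new CodeSource(null, (java.security.cert.Certificate[]) null);
        ProtectionDomain pd =
            new ProtectionDomain(cs, null, null, new Principal[] { principal });
        return Policy.getPolicy().implies(pd, perm);
    }

    // Collects what the JVM or container installed, for logging at startup.
    static String describe() {
        SecurityManager sm = System.getSecurityManager();
        return "SecurityManager: " + (sm == null ? "none" : sm.getClass().getName())
            + "\nPolicy: " + Policy.getPolicy().getClass().getName()
            + "\njava.security.policy=" + System.getProperty("java.security.policy")
            + "\njava.security.auth.policy="
            + System.getProperty("java.security.auth.policy");
    }

    public static void main(String[] args) {
        System.out.println(describe());
        // Constructed sample input: in the application, pass its own principal
        // instance and a ViewIdPermission instead of these stand-ins.
        Principal p = new NamedPrincipal("view_update_customer");
        Permission perm = new RuntimePermission("probe.sample");
        System.out.println("granted: " + policyGrants(p, perm));
    }
}
```

Policy-file `grant Principal` entries match on the principal's class name as well as its name, so the stand-in principal here will not match the grants shown above; pass the application's ClientAdminPrincipal and a ViewIdPermission to test those entries.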
