[jboss-user] [EJB 3.0] - security problem after migrating to ejb3

atamur do-not-reply at jboss.com
Tue Feb 6 17:05:55 EST 2007


Migrated the project to EJB3.
It looks like it won't take my security domain, because it uses UsernamePasswordLoginModule instead of my custom one =|
although during deployment it says it will take db_store as the security domain (last listing).

my bean
@Stateless(name = "UserEJB")
@Remote(User.class)
@TransactionManagement
@SecurityDomain("db_store")
public class UserBean implements User {
    ...
    @TransactionAttribute(TransactionAttributeType.SUPPORTS)
    @PermitAll
    public void create() throws CreateException {
    }
}

my security domain
    <application-policy name="db_store">
      <authentication>
        <login-module code="ru.***.PermLoginModule" flag="sufficient">
          <module-option name="dsJndiName">
            DS/Standard
          </module-option>
          <module-option name="principalsQuery">
            SELECT pml_secret FROM permanentlogin p JOIN users u ON (p.usr_id = u.usr_id) WHERE usr_login = ? AND p.pml_secret = ? AND usr_isdeleted = 0
          </module-option>
          <module-option name="rolesQuery">
            SELECT 'CommonUser', 'Roles' FROM users WHERE usr_login = ? AND usr_isdeleted = 0
          </module-option>
          <module-option name="ignorePasswordCase">false</module-option>
          <module-option name="unauthenticatedIdentity">nobody</module-option>
        </login-module>

        <login-module code="ru.***.SCLoginModule" flag="required">
          <module-option name="dsJndiName">
            DS/Standard
          </module-option>
          <module-option name="principalsQuery">
            SELECT usr_password FROM users WHERE usr_login = ? AND usr_isdeleted = 0
          </module-option>
          <module-option name="rolesQuery">
            SELECT 'CommonUser', 'Roles' FROM users WHERE usr_login = ? AND usr_isdeleted = 0
          </module-option>
          <module-option name="ignorePasswordCase">false</module-option>
          <module-option name="unauthenticatedIdentity">nobody</module-option>
        </login-module>
      </authentication>
    </application-policy>

my exception:
javax.ejb.EJBAccessException: Authentication failure
        at org.jboss.ejb3.security.Ejb3AuthenticationInterceptor.handleGeneralSecurityException(Ejb3AuthenticationInterceptor.java:70)
        at org.jboss.aspects.security.AuthenticationInterceptor.invoke(AuthenticationInterceptor.java:70)
        at org.jboss.ejb3.security.Ejb3AuthenticationInterceptor.invoke(Ejb3AuthenticationInterceptor.java:102)
        at org.jboss.aop.joinpoint.MethodInvocation.invokeNext(MethodInvocation.java:101)
        at org.jboss.ejb3.ENCPropagationInterceptor.invoke(ENCPropagationInterceptor.java:47)
        at org.jboss.aop.joinpoint.MethodInvocation.invokeNext(MethodInvocation.java:101)
        at org.jboss.ejb3.asynchronous.AsynchronousInterceptor.invoke(AsynchronousInterceptor.java:106)
        at org.jboss.aop.joinpoint.MethodInvocation.invokeNext(MethodInvocation.java:101)
        at org.jboss.ejb3.stateless.StatelessContainer.dynamicInvoke(StatelessContainer.java:263)
        at org.jboss.ejb3.remoting.IsLocalInterceptor.invoke(IsLocalInterceptor.java:58)
        at org.jboss.aop.joinpoint.MethodInvocation.invokeNext(MethodInvocation.java:101)
        at org.jboss.ejb3.stateless.StatelessRemoteProxy.invoke(StatelessRemoteProxy.java:102)
        at $Proxy595281.create(Unknown Source)
        at ru.***.ejb.BeanHelper.getUserBean(BeanHelper.java:154)
        ... 21 more
Caused by: javax.security.auth.login.FailedLoginException: Password Incorrect/Password Required
        at org.jboss.security.auth.spi.UsernamePasswordLoginModule.login(UsernamePasswordLoginModule.java:213)
        at org.jboss.security.auth.spi.UsersRolesLoginModule.login(UsersRolesLoginModule.java:152)
        at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)

deployment:
2007-02-07 00:50:32,023 DEBUG [Ejb3DescriptorHandler] adding class annotation org.jboss.annotation.security.SecurityDomain to ru.***.ejb.main.user.UserBean SecurityDomainImpl[value=java:/jaas/db_store, unauthenticatedPrincipal=null]
2007-02-07 00:50:32,023 DEBUG [Ejb3DescriptorHandler] adding class annotation org.jboss.annotation.security.SecurityDomain to ru.***.ejb.main.user.UserBean SecurityDomainImpl[value=java:/jaas/db_store, unauthenticatedPrincipal=null]

View the original post : http://www.jboss.com/index.html?module=bb&op=viewtopic&p=4012162#4012162
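
A check for the mismatch reported in the post above, as an added example that is not part of the original message or of JBoss: it compares the login modules declared for the security domain named in the deployment log with the concrete module whose login() appears in the stack trace. The sample inputs are constructed from the post (com.example stands in for the redacted ru.*** package, and the `<policy>` wrapper is assumed). The function names and the assumption that module class names end in "LoginModule" are the example's own.

```python
import re
import xml.etree.ElementTree as ET

# Constructed samples modeled on the post; com.example replaces the redacted package.
POLICY_XML = """<policy>
  <application-policy name="db_store">
    <authentication>
      <login-module code="com.example.PermLoginModule" flag="sufficient"/>
      <login-module code="com.example.SCLoginModule" flag="required"/>
    </authentication>
  </application-policy>
</policy>"""
DEPLOY_LOG = ("DEBUG [Ejb3DescriptorHandler] adding class annotation "
              "SecurityDomainImpl[value=java:/jaas/db_store, unauthenticatedPrincipal=null]")
TRACE = """Caused by: javax.security.auth.login.FailedLoginException: Password Incorrect/Password Required
        at org.jboss.security.auth.spi.UsernamePasswordLoginModule.login(UsernamePasswordLoginModule.java:213)
        at org.jboss.security.auth.spi.UsersRolesLoginModule.login(UsersRolesLoginModule.java:152)
        at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)"""

def bound_domain(deploy_log):
    """Security domain the container reports for the bean, without the JNDI prefix."""
    m = re.search(r"SecurityDomainImpl\[value=(?:java:/jaas/)?([^,\]]+)", deploy_log)
    return m.group(1) if m else None

def declared_modules(policy_xml, domain):
    """Login module classes declared for `domain`, or None if the policy is absent."""
    for policy in ET.fromstring(policy_xml).iter("application-policy"):
        if policy.get("name") == domain:
            return [m.get("code") for m in policy.iter("login-module")]
    return None

def invoked_module(trace):
    """Concrete module whose login() was called. Frames are innermost-first, so the
    last *LoginModule.login frame is the entry point; earlier ones are superclasses.
    Assumes module class names end in 'LoginModule'."""
    frames = re.findall(r"at\s+([\w.$]+LoginModule)\.login\(", trace)
    return frames[-1] if frames else None

def diagnose(policy_xml, deploy_log, trace):
    domain = bound_domain(deploy_log)
    declared = declared_modules(policy_xml, domain)
    ran = invoked_module(trace)
    return {"domain": domain, "declared": declared, "ran": ran,
            # True when the module that ran is not one the policy declares
            "mismatch": ran is not None and ran not in (declared or [])}

if __name__ == "__main__":
    print(diagnose(POLICY_XML, DEPLOY_LOG, TRACE))
```

A `mismatch` of True together with a non-empty `declared` list means the policy text exists but a different module handled the login, so the next thing to inspect is which policy file the server actually loaded.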
