[jboss-user] [Security & JAAS/JBoss] - SecurityDomain annotation required when called from JMX cons
batter
do-not-reply at jboss.com
Wed Jun 13 18:14:02 EDT 2007
Playing around with roles and my ejb and added the @RolesAllowed("SYSTEM") annotation. I created my own realms as follows:
| <application-policy name="MyModule">
| <authentication>
|
| <login-module code="org.jboss.security.auth.spi.DatabaseServerLoginModule" flag="sufficient">
| <module-option name="dsJndiName">java:/MyDS</module-option>
| <module-option name="principalsQuery">SELECT account.password FROM ACCOUNTS account, PRINCIPALS principal WHERE principal.name=? and account.id = principal.id</module-option>
|
| <module-option name="rolesQuery">SELECT entry.role, 'Roles' FROM ROLE_ENTRY entry, PRINCIPALS account WHERE entry.principal = account.id and account.name=?</module-option>
| </login-module>
| <login-module code="org.jboss.security.auth.spi.UsersRolesLoginModule" flag="sufficient">
| <module-option name="usersProperties">props/my-users.properties</module-option>
| <module-option name="rolesProperties">props/my-roles.properties</module-option>
| </login-module>
|
| <!-- Client Login module so that the security context can be set for invoking EJBs -->
| <login-module code = "org.jboss.security.ClientLoginModule" flag = "required">
| <module-option name="restore-login-identity">true</module-option>
| </login-module>
|
| </authentication>
| </application-policy>
|
|
The ejb is called from the JMX Service using by doing a local jndi lookup and calling the method. For JMX I only get this to work when I also add the @SecurityDomain("MyDomain") annotation to the bean.
When I do not do that, it used the jmx-console realm, but even when I copy/past the above into that realm, the jmx-console is allowed to call the method. When I look at the security trace, I see that the SYSTEM role is not part of the credentials (as I was expecting) but the call gets executed anyways. Do I have to muck around in the tomcat configuration somewhere ?
Output:
| 2007-06-13 16:03:39,352 TRACE [org.jboss.web.tomcat.security.JBossSecurityMgrRealm] Checking roles GenericPrincipal[system(ADMIN,JBossAdmin,)]
| 2007-06-13 16:03:39,352 TRACE [org.jboss.web.tomcat.security.JBossSecurityMgrRealm] No role found: JBossAdmin
| 2007-06-13 16:03:39,352 TRACE [org.jboss.web.tomcat.security.SecurityAssociationValve] Begin invoke, callerGenericPrincipal[system(ADMIN,JBossAdmin,)]
| 2007-06-13 16:03:39,352 TRACE [org.jboss.security.SecurityAssociation] pushRunAsIdentity, runAs=null
| 2007-06-13 16:03:39,352 TRACE [org.jboss.web.tomcat.security.SecurityAssociationValve] Restoring principal info from cache
| 2007-06-13 16:03:39,352 TRACE [org.jboss.security.SecurityAssociation] pushSubjectContext, subject=Subject:
| Principal: system
| Principal: Roles(members:ADMIN,JBossAdmin)
| , sc=org.jboss.security.SecurityAssociation$SubjectContext at 186e848{principal=system,subject=30019131}
| 2007-06-13 16:03:39,352 TRACE [org.jboss.web.tomcat.security.RunAsListener] HtmlAdaptor, runAs: null
| 2007-06-13 16:03:39,352 TRACE [org.jboss.web.tomcat.security.RunAsListener] HtmlAdaptor, runAs: null
| 2007-06-13 16:03:39,352 TRACE [org.jboss.security.SecurityAssociation] getPrincipal, principal=system
| 2007-06-13 16:03:39,352 TRACE [org.jboss.security.SecurityAssociation] pushSubjectContext, subject=null, sc=org.jboss.security.SecurityAssociation$SubjectContext at 1fc0932{principal=system,subject=null}
| 2007-06-13 16:03:39,352 TRACE [org.jboss.security.SecurityAssociation] getPrincipal, principal=system
| 2007-06-13 16:03:39,352 TRACE [org.jboss.security.SecurityAssociation] pushSubjectContext, subject=null, sc=org.jboss.security.SecurityAssociation$SubjectContext at 1bfdaa4{principal=system,subject=null}
| 2007-06-13 16:03:39,352 TRACE [org.jboss.security.SecurityAssociation] getPrincipal, principal=system
|
|
View the original post : http://www.jboss.com/index.html?module=bb&op=viewtopic&p=4054148#4054148
Reply to the post : http://www.jboss.com/index.html?module=bb&op=posting&mode=reply&p=4054148
More information about the jboss-user
mailing list