[jboss-user] [EJB 3.0] - @Service + @Management + @SecurityDomain throws Authorization

sappenin do-not-reply at jboss.com
Fri Jan 11 23:35:53 EST 2008


I have a secured EJB3 @Service bean as follows:


  | @Service
  | @Management(MyClassInterfaceManagement.class)
  | @Local(MyClassInterface.class)
  | @SecurityDomain("myrealm")
  | @RolesAllowed( {
  | 	"admin", "system"
  | })
  | @RunAs("system")
  | public class MyClass implements MyClassInterface, MyClassInterfaceManagement
  | { ... }
  | 
  | 

I have the proper things set up in my login-conf.xml file, but when I deploy this class, I get an exception stating:


  | 21:11:05,887 WARN  [ServiceController] Problem creating service jboss.j2ee:ear=MyEar.ear,jar=MyJar.jar,name=MyClass,service=EJB3,type=ManagementInterface
  | javax.ejb.EJBAccessException: Authorization failure
  |         at org.jboss.ejb3.security.RoleBasedAuthorizationInterceptor.invoke(RoleBasedAuthorizationInterceptor.java:113) 
  | 

What's weird is that I can comment out the "@SecurityDomain("mydomain")" annotation, and I don't receive the exception when I start the server, and everything works fine.  This seems like a bug, although I'm not sure.  Any idea what is going on?

My assumption is that by commenting out the @SecurityDomain annotation, the Management/Service is defaulting to the security domain specified in my jboss-app.xml file in my ear, which says: 


  | 
  | <jboss-app>
  |         <security-domain>myrealm</security-domain>
  |          .....
  | </jboss-app>
  | 
  | 

The applicable login-conf.xml snippets are below.  Thoughts?



  | 
  | <application-policy name = "myrealm">
  |     <authentication>
  |         <login-module code="org.jboss.security.auth.spi.DatabaseServerLoginModule" flag = "required">
  |             <module-option name = "dsJndiName">java:/myDS</module-option>
  |             <module-option name = "principalsQuery">select PASSWORD from SYSTEM_USER where USER_ID=?</module-option>
  |             <module-option name = "rolesQuery">select SYSTEM_USER_ROLE.ROLE_NAME, 'Roles' from SYSTEM_USER_ROLE, SYSTEM_USER_SYSTEM_USER_ROLE, SYSTEM_USER where ((SYSTEM_USER_SYSTEM_USER_ROLE.ROLES_ID = SYSTEM_USER_ROLE.ID) and (SYSTEM_USER_SYSTEM_USER_ROLE.USERS_ID = SYSTEM_USER.ID) AND (SYSTEM_USER.USER_ID = ?))
  |             </module-option>
  |             <module-option name = "unauthenticatedIdentity">guest</module-option>
  |         </login-module>
  |         <!-- Add this line to your login-config.xml to include the ClientLoginModule propagation -->
  |         <login-module code="org.jboss.security.ClientLoginModule" flag="required" />
  |     </authentication>
  | </application-policy>
  | 
  | 


  | 
  | <application-policy name = "other">
  |     <authentication>
  |         <login-module code="org.jboss.security.auth.spi.DatabaseServerLoginModule" flag = "required">
  |             <module-option name = "dsJndiName">java:/myDS</module-option>
  |             <module-option name = "principalsQuery">select PASSWORD from SYSTEM_USER where USER_ID=?</module-option>
  |             <module-option name = "rolesQuery">select SYSTEM_USER_ROLE.ROLE_NAME, 'Roles' from SYSTEM_USER_ROLE, SYSTEM_USER_SYSTEM_USER_ROLE, SYSTEM_USER where ((SYSTEM_USER_SYSTEM_USER_ROLE.ROLES_ID = SYSTEM_USER_ROLE.ID) and (SYSTEM_USER_SYSTEM_USER_ROLE.USERS_ID = SYSTEM_USER.ID) AND (SYSTEM_USER.USER_ID = ?))
  |             </module-option>
  |             <module-option name = "unauthenticatedIdentity">guest</module-option>
  |         </login-module>
  |     </authentication>
  | </application-policy>
  | 
  | 


View the original post : http://www.jboss.com/index.html?module=bb&op=viewtopic&p=4119296#4119296
