[jboss-user] [EJB 3.0] - @Service + @Management + @SecurityDomain throws Authorization
sappenin
do-not-reply at jboss.com
Fri Jan 11 23:35:53 EST 2008
I have a secured EJB3 @Service bean as follows:
| @Service
| @Management(MyClassInterfaceManagement.class)
| @Local(MyClassInterface.class)
| @SecurityDomain("myrealm")
| @RolesAllowed( {
| "admin", "system"
| })
| @RunAs("system")
| public class MyClass implements MyClassInterface, MyClassInterfaceManagement
| { ... }
|
|
I have the proper things set up in my login-conf.xml file, but when I deploy this class, I get an exception stating:
| 21:11:05,887 WARN [ServiceController] Problem creating service jboss.j2ee:ear=MyEar.ear,jar=MyJar.jar,name=MyClass,service=EJB3,type=ManagementInterface
| javax.ejb.EJBAccessException: Authorization failure
| at org.jboss.ejb3.security.RoleBasedAuthorizationInterceptor.invoke(RoleBasedAuthorizationInterceptor.java:113)
|
What's weird is that I can comment out the "@SecurityDomain("mydomain")" annotation, and I don't receive the exception when I start the server, and everything works fine. This seems like a bug, although I'm not sure. Any idea what is going on?
My assumption is that by commenting out the @SecurityDomain annotation, the Management/Service is defaulting to the security domain specified in my jboss-app.xml file in my ear, which says:
|
| <jboss-app>
| <security-domain>myrealm</security-domain>
| .....
| </jboss-app>
|
|
The applicable login-conf.xml snippets are below. Thoughts?
|
| <application-policy name = "myrealm">
| <authentication>
| <login-module code="org.jboss.security.auth.spi.DatabaseServerLoginModule" flag = "required">
| <module-option name = "dsJndiName">java:/myDS</module-option>
| <module-option name = "principalsQuery">select PASSWORD from SYSTEM_USER where USER_ID=?</module-option>
| <module-option name = "rolesQuery">select SYSTEM_USER_ROLE.ROLE_NAME, 'Roles' from SYSTEM_USER_ROLE, SYSTEM_USER_SYSTEM_USER_ROLE, SYSTEM_USER where ((SYSTEM_USER_SYSTEM_USER_ROLE.ROLES_ID = SYSTEM_USER_ROLE.ID) and (SYSTEM_USER_SYSTEM_USER_ROLE.USERS_ID = SYSTEM_USER.ID) AND (SYSTEM_USER.USER_ID = ?))
| </module-option>
| <module-option name = "unauthenticatedIdentity">guest</module-option>
| </login-module>
| <!-- Add this line to your login-config.xml to include the ClientLoginModule propagation -->
| <login-module code="org.jboss.security.ClientLoginModule" flag="required" />
| </authentication>
| </application-policy>
|
|
| <application-policy name = "other">
| <authentication>
| <login-module code="org.jboss.security.auth.spi.DatabaseServerLoginModule" flag = "required">
| <module-option name = "dsJndiName">java:/myDS</module-option>
| <module-option name = "principalsQuery">select PASSWORD from SYSTEM_USER where USER_ID=?</module-option>
| <module-option name = "rolesQuery">select SYSTEM_USER_ROLE.ROLE_NAME, 'Roles' from SYSTEM_USER_ROLE, SYSTEM_USER_SYSTEM_USER_ROLE, SYSTEM_USER where ((SYSTEM_USER_SYSTEM_USER_ROLE.ROLES_ID = SYSTEM_USER_ROLE.ID) and (SYSTEM_USER_SYSTEM_USER_ROLE.USERS_ID = SYSTEM_USER.ID) AND (SYSTEM_USER.USER_ID = ?))
| </module-option>
| <module-option name = "unauthenticatedIdentity">guest</module-option>
| </login-module>
| </authentication>
| </application-policy>
|
View the original post : http://www.jboss.com/index.html?module=bb&op=viewtopic&p=4119296#4119296