[jboss-user] [Security & JAAS/JBoss] - Simple JAAS authentication not working....

j0llyr0g3r do-not-reply at jboss.com
Mon Jun 9 11:17:54 EDT 2008

Hey folks,

I am really becoming desperate with JBoss + JAAS.

I have a very simple RMI client which connects to a Stateless Session Bean running within JBoss 4.2.

This scenario works perfectly well. Now I want to secure access to my EJB by allowing only authenticated clients to call the EJB's method.

Based on the official documentation: http://docs.jboss.org/jbossas/jboss4guide/r1/html/ch8.chapter.html

I started out with the simplest authentication possible, using UsersRolesLoginModule as the login module:

    * Create the file users.properties in the ejb-jar subproject under the directory META-INF:

        user=secretuserpassword

    * Create the file roles.properties in the ejb-jar subproject under the directory META-INF:

        admin=adminRole
        user=userRole
    * Add an ejb-jar.xml to the ejb-jar subproject under the directory META-INF:

        <ejb-jar>
          <assembly-descriptor>
            <security-role>
              <description>admin: only allowed users</description>
              <role-name>adminRole</role-name>
            </security-role>
            <security-role>
              <description>users: the rest</description>
              <role-name>userRole</role-name>
            </security-role>
            <method-permission>
              <role-name>admin</role-name>
              <method>
                <ejb-name>SendCommand</ejb-name>
                <method-name>*</method-name>
              </method>
            </method-permission>
          </assembly-descriptor>
        </ejb-jar>

    * Add the file jboss.xml under the directory /$PROJECT-ROOT/META-INF:

        <jboss>
          <security-domain>java:/jaas/esf</security-domain>
          <enterprise-beans>
            <session>
              <ejb-name>SendCommand</ejb-name>
              <jndi-name>SendCommand</jndi-name>
            </session>
          </enterprise-beans>
        </jboss>

    * Adjust the file login-config.xml under the directory $JBOSS_HOME/server/$PROFILE/conf/:

        <application-policy name="esf">
          <authentication>
            <login-module code="org.jboss.security.auth.spi.UsersRolesLoginModule" flag="required" />
          </authentication>
        </application-policy>

So far, so good...

If I rebuild my application and inspect the EAR's content, I see all the expected files there, meaning jboss.xml, users.properties etc.

But: I can still connect with my RMI client to my EJB even without giving any credentials at all!
No error messages, no exceptions...

Any ideas what went wrong here?

Is there a way to check what JBoss sees as a security domain?

P.S.: JAAS may be great due to its modularity, but it is horrible, unbelievably horrible to configure for a JAAS beginner. This is an utter catastrophe; how long do I have to study JAAS to get a simple authentication working?

View the original post : http://www.jboss.com/index.html?module=bb&op=viewtopic&p=4156738#4156738

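One check a reader of this thread might want before digging into JBoss's own logs is whether the four artefacts quoted above even agree with each other: whether every role that a method-permission grants access to is declared as a security-role, whether some user who actually has a password in users.properties holds that role, and whether the security-domain in jboss.xml points at an application-policy that exists in login-config.xml. The script below is an added example, not code from the post or from the JBoss project; the descriptor strings are the ones quoted in the post, embedded inline so it runs offline, and the <policy> wrapper around the application-policy is assumed (it is the root element of a real login-config.xml but was not shown in the post). The checker is general, so it can be pointed at other descriptors of the same shape. It is a static consistency check only; it does not replace JBoss's own deployment-time parsing.

```python
import xml.etree.ElementTree as ET

# Descriptor contents copied from the post above; embedded inline so the
# check runs without a JBoss installation.
EJB_JAR_XML = """
<ejb-jar>
  <assembly-descriptor>
    <security-role>
      <description>admin: only allowed users</description>
      <role-name>adminRole</role-name>
    </security-role>
    <security-role>
      <description>users: the rest</description>
      <role-name>userRole</role-name>
    </security-role>
    <method-permission>
      <role-name>admin</role-name>
      <method>
        <ejb-name>SendCommand</ejb-name>
        <method-name>*</method-name>
      </method>
    </method-permission>
  </assembly-descriptor>
</ejb-jar>
"""

JBOSS_XML = """
<jboss>
  <security-domain>java:/jaas/esf</security-domain>
  <enterprise-beans>
    <session>
      <ejb-name>SendCommand</ejb-name>
      <jndi-name>SendCommand</jndi-name>
    </session>
  </enterprise-beans>
</jboss>
"""

# The <policy> root element is assumed; the post only quotes the inner block.
LOGIN_CONFIG_XML = """
<policy>
  <application-policy name="esf">
    <authentication>
      <login-module code="org.jboss.security.auth.spi.UsersRolesLoginModule" flag="required" />
    </authentication>
  </application-policy>
</policy>
"""

USERS_PROPERTIES = "user=secretuserpassword\n"
ROLES_PROPERTIES = "admin=adminRole\nuser=userRole\n"


def parse_properties(text):
    """Minimal key=value parser for users.properties / roles.properties
    (blank lines and '#'/'!' comment lines are skipped)."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line[0] in "#!":
            continue
        key, sep, value = line.partition("=")
        if sep:
            props[key.strip()] = value.strip()
    return props


def check_descriptors(ejb_jar_xml, jboss_xml, login_config_xml,
                      users_props, roles_props):
    """Cross-check the four artefacts and return the mismatches found."""
    ejb = ET.fromstring(ejb_jar_xml)
    declared = {sr.findtext("role-name", "").strip() for sr in ejb.iter("security-role")}
    referenced = {rn.text.strip() for mp in ejb.iter("method-permission")
                  for rn in mp.findall("role-name")}

    users = parse_properties(users_props)  # user -> password
    roles = {u: {r.strip() for r in v.split(",") if r.strip()}
             for u, v in parse_properties(roles_props).items()}  # user -> roles

    # A role only grants anyone access if a user who can authenticate holds it.
    authenticatable = {r for u, rs in roles.items() if u in users for r in rs}

    domain = (ET.fromstring(jboss_xml).findtext("security-domain") or "").strip()
    policy = domain.rsplit("/", 1)[-1] if domain else ""  # java:/jaas/esf -> esf
    policies = {ap.get("name") for ap in ET.fromstring(login_config_xml).iter("application-policy")}

    return {
        "undeclared_roles": sorted(referenced - declared),
        "roles_without_authenticating_user": sorted(referenced - authenticatable),
        "users_without_password": sorted(set(roles) - set(users)),
        "security_domain": domain,
        "policy_defined": bool(policy) and policy in policies,
    }


if __name__ == "__main__":
    report = check_descriptors(EJB_JAR_XML, JBOSS_XML, LOGIN_CONFIG_XML,
                               USERS_PROPERTIES, ROLES_PROPERTIES)
    for key, value in report.items():
        print(f"{key}: {value}")
```

Run against the post's own descriptors, the report flags that the method-permission grants access to a role ("admin") that is never declared and that no user with a password holds, while the security-domain does resolve to a defined policy. Whether that mismatch is what lets the unauthenticated client through is for JBoss's deployment log to confirm; the script only makes the disagreement between the files visible.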