[jboss-user] [Security & JAAS/JBoss] - Re: Authentication policies conflict

tremalnaik do-not-reply at jboss.com
Mon May 19 05:31:14 EDT 2008


Sure, the jboss-web.xml security configuration for the application WAR is:

<security-domain flushOnSessionInvalidation="true">java:/jaas/bitastarRealm</security-domain>
the jboss-web.xml security configuration for the WAR of the web services is:

<security-domain>java:/jaas/bitastarRealm_noDisable</security-domain>
and the application jboss.xml configuration is:

<jboss>
   <enterprise-beans>
      <session>
         <ejb-name>StarAccess</ejb-name>
         <jndi-name>StarAccess</jndi-name>
      </session>
      <session>
         <ejb-name>StarClientData</ejb-name>
         <jndi-name>StarClientData</jndi-name>
         <configuration-name>Secured Stateless SessionBean</configuration-name>
      </session>
      <session>
         <ejb-name>StarUserAdmin</ejb-name>
         <jndi-name>StarUserAdmin</jndi-name>
         <configuration-name>Secured Stateless SessionBean</configuration-name>
      </session>
   </enterprise-beans>
   <container-configurations>
      <container-configuration extends="Standard Stateless SessionBean">
         <container-name>Secured Stateless SessionBean</container-name>
         <security-domain>java:/jaas/bitastarRealm</security-domain>
      </container-configuration>
   </container-configurations>
</jboss>

The clients are authenticated by means of an EJB: the application Login Module invokes a method on the unsecured StarAccess (see above).

So, when the web services client accesses the main application web tier, the first time it is authenticated using the correct security domain (bitastarRealm_noDisable). But then, when the main application accesses the business tier cached domain information, it uses the security domain configured in its own jboss.xml for the EJBs (bitastarRealm).

That is the problem, isn't it? Can you suggest any method to circumvent this? At the moment, as I told you, I simply disabled the caching (DefaultCacheTimeout set to 0), but this is not very satisfactory.

Thank you very much
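The mismatch described in this post can be caught before deployment by comparing the security-domain of each WAR's jboss-web.xml with the domain of the container configuration its secured EJBs use. The following is an added example, not code from the poster or from JBoss; the descriptor strings are constructed samples modelled on the ones quoted above.

```python
import xml.etree.ElementTree as ET

# Constructed sample descriptors modelled on the ones quoted in the post.
JBOSS_WEB_APP = """<jboss-web>
  <security-domain flushOnSessionInvalidation="true">java:/jaas/bitastarRealm</security-domain>
</jboss-web>"""

JBOSS_WEB_WS = """<jboss-web>
  <security-domain>java:/jaas/bitastarRealm_noDisable</security-domain>
</jboss-web>"""

JBOSS_XML = """<jboss>
  <enterprise-beans>
    <session><ejb-name>StarAccess</ejb-name><jndi-name>StarAccess</jndi-name></session>
    <session><ejb-name>StarClientData</ejb-name><jndi-name>StarClientData</jndi-name>
      <configuration-name>Secured Stateless SessionBean</configuration-name></session>
  </enterprise-beans>
  <container-configurations>
    <container-configuration extends="Standard Stateless SessionBean">
      <container-name>Secured Stateless SessionBean</container-name>
      <security-domain>java:/jaas/bitastarRealm</security-domain>
    </container-configuration>
  </container-configurations>
</jboss>"""

def web_domain(jboss_web_xml):
    """Security domain declared by a WAR's jboss-web.xml (None if unsecured)."""
    sd = ET.fromstring(jboss_web_xml).find("security-domain")
    return sd.text.strip() if sd is not None and sd.text else None

def ejb_domains(jboss_xml):
    """Map each session bean to the security domain of its container
    configuration; None means it runs in the unsecured default container."""
    root = ET.fromstring(jboss_xml)
    config_domain = {}
    for cc in root.iter("container-configuration"):
        domain = (cc.findtext("security-domain") or "").strip()
        config_domain[cc.findtext("container-name")] = domain or None
    return {bean.findtext("ejb-name"): config_domain.get(bean.findtext("configuration-name"))
            for bean in root.iter("session")}

def mismatches(jboss_web_xml, jboss_xml):
    """Secured EJBs whose domain differs from the calling WAR's domain: calls
    from that WAR are authenticated (and cached) in a different domain."""
    web = web_domain(jboss_web_xml)
    return sorted(name for name, dom in ejb_domains(jboss_xml).items()
                  if dom is not None and dom != web)

if __name__ == "__main__":
    print("WS WAR -> EJB domain mismatches:", mismatches(JBOSS_WEB_WS, JBOSS_XML))
```

For the samples above the web services WAR is flagged against StarClientData, while the main application WAR, which shares the EJBs' domain, produces no mismatch.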





View the original post : http://www.jboss.com/index.html?module=bb&op=viewtopic&p=4151695#4151695