[jboss-user] [Security] - Re: ejb not validating user role at session bean methods + J
akhilachuthan
do-not-reply at jboss.com
Wed Oct 21 07:13:49 EDT 2009
I configured my log4j with the details, but did not receive any log of concern.
---------------------------------------------------------------------------------
My login-config.xml snippet is given below
<application-policy name = "SecurityPolicy">
    <login-module code = "org.jboss.security.ClientLoginModule" flag = "required">
        <module-option name="unauthenticatedIdentity">defaultuser</module-option>
        <!-- Any existing security context will be restored on logout -->
        <module-option name="restore-login-identity">true</module-option>
    </login-module>
    <login-module code="com.temp.component.security.LoginCheck" flag = "required">
        <module-option name="unauthenticatedIdentity">defaultuser</module-option>
        <!-- Any existing security context will be restored on logout -->
        <module-option name="restore-login-identity">true</module-option>
    </login-module>
</application-policy>
---------------------------------------------------------------------------------
content of the jboss.xml within my ear
<security-domain>java:/jaas/SecurityPolicy</security-domain>
---------------------------------------------------------------------------------
content of the jboss-web.xml in the war file within my ear
<jboss-web>
    <security-domain flushOnSessionInvalidation="true">java:/jaas/SecurityPolicy</security-domain>
</jboss-web>
---------------------------------------------------------------------------------
I have defined the role as @RolesAllowed("WRONG_ROLE__FOR_FAILURE") for my EJB session bean method. There is no such role, but still I can access the method.
View the original post : http://www.jboss.org/index.html?module=bb&op=viewtopic&p=4261440#4261440