Thanks for your responses.
We have tried using JBoss 5.1.0GA and ran into exactly the same problem.
We also tried using <security-domain>FileNet</security-domain> as jaikiran 
mentioned, and the result was the same.

We could run a Java client application using EJB transport without problems.
This problem only occurs when we use an application that uses Web Services 
transport to connect to our application engine, which involves having the 
WSI listener propagate the security information to the EJB's security domain 
for authentication.  Our WSI listener is implemented as a web servlet in the 
JBoss web container, which initially invokes FnClientLoginModule under the 
"FileNetP8Engine" application-policy; the authentication against LDAP is then 
performed in the EJB container through the "FileNet" application-policy, which 
is defined as the EJB security domain in jboss.xml.

Here is the excerpt of the login-config.xml:

<?xml version="1.0" encoding="UTF-8"?>
<policy>
  <application-policy name="FileNetP8Engine">
    <authentication>
      <login-module code="com.filenet.api.authentication.jboss.login.FnClientLoginModule" flag="required">
        <module-option name="multi-threaded">true</module-option>
      </login-module>
    </authentication>
  </application-policy>
  <application-policy name="FileNet">
    <authentication>
      <login-module code="org.jboss.security.auth.spi.LdapExtLoginModule" flag="required">
        <module-option name="java.naming.provider.url">ldap://ldaphost:389</module-option>
        <module-option name="java.naming.security.authentication">simple</module-option>
        <module-option name="allowEmptyPasswords">false</module-option>
        <module-option name="bindDN">cn=CEAdmin,ou=FileNet,dc=ldaphost,dc=com</module-option>
        <module-option name="bindCredential">password</module-option>
        <module-option name="baseCtxDN">dc=ldaphost,dc=com</module-option>
        <module-option name="baseFilter">(cn={0})</module-option>
        <module-option name="rolesCtxDN">dc=ldaphost,dc=com</module-option>
        <module-option name="roleFilter">(uniqueMember={0})</module-option>
        <module-option name="matchOnUserDN">true</module-option>
        <module-option name="roleAttributeID">cn</module-option>
        <module-option name="uidAttributeID">cn</module-option>
        <module-option name="roleAttributeIsDN">false</module-option>
      </login-module>
    </authentication>
  </application-policy>
</policy>


This mechanism has been working in JBoss 4.0.5 and 4.2.x.

We will try to reproduce the problem on a sample application.

View the original post : 
http://www.jboss.org/index.html?module=bb&op=viewtopic&p=4237730#4237730

_______________________________________________
jboss-user mailing list
jboss-user@lists.jboss.org
https://lists.jboss.org/mailman/listinfo/jboss-user
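
Added example, not part of the original post or of JBoss/FileNet code: a small audit of the LDAP login-module options shown in the "FileNet" application-policy above, flagging settings that expose the bind or user passwords. The sample XML is constructed from the excerpt, and the finding names and the audit_login_config function are assumptions made for this illustration.

```python
import xml.etree.ElementTree as ET

# Constructed sample mirroring the "FileNet" policy quoted in the post.
SAMPLE = """<policy>
  <application-policy name="FileNet">
    <authentication>
      <login-module code="org.jboss.security.auth.spi.LdapExtLoginModule" flag="required">
        <module-option name="java.naming.provider.url">ldap://ldaphost:389</module-option>
        <module-option name="java.naming.security.authentication">simple</module-option>
        <module-option name="allowEmptyPasswords">false</module-option>
        <module-option name="bindCredential">password</module-option>
      </login-module>
    </authentication>
  </application-policy>
</policy>"""

LDAP_MODULES = ("LdapLoginModule", "LdapExtLoginModule")


def audit_login_config(xml_text):
    """Return (policy name, finding) tuples for every LDAP login module."""
    findings = []
    root = ET.fromstring(xml_text)
    for policy in root.iter("application-policy"):
        name = policy.get("name", "?")
        for mod in policy.findall("./authentication/login-module"):
            if not mod.get("code", "").endswith(LDAP_MODULES):
                continue  # only the LDAP modules are audited here
            opts = {o.get("name"): (o.text or "").strip()
                    for o in mod.findall("module-option")}
            url = opts.get("java.naming.provider.url", "").lower()
            # Assumption: a missing authentication option is treated as "simple".
            auth = opts.get("java.naming.security.authentication", "simple")
            # A simple bind over ldap:// sends passwords unencrypted on the wire.
            if url.startswith("ldap://") and auth == "simple":
                findings.append((name, "cleartext-simple-bind"))
            # bindCredential is stored as-is unless a jaasSecurityDomain decrypts it.
            if "bindCredential" in opts and "jaasSecurityDomain" not in opts:
                findings.append((name, "plaintext-bind-credential"))
            # Require an explicit "false" so empty passwords are never sent to LDAP.
            if opts.get("allowEmptyPasswords", "").lower() != "false":
                findings.append((name, "empty-passwords-not-disabled"))
    return findings


if __name__ == "__main__":
    for policy_name, finding in audit_login_config(SAMPLE):
        print(f"{policy_name}: {finding}")
```
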
