[jboss-user] [Security] - Use EJB inside a LoginModule, repeated calls to login()

Wed, 09 Dec 2009 01:34:08 -0800 

We try to access a EJB stateless service inside a custom LoginModule. The 
problem is that the login() method is called again and again when the  the EJB 
stateless service is accessed.


  | public class DatabaseServerLoginModuleTm3 extends DatabaseServerLoginModule
  | {
  |     @Override
  |     public boolean login() throws LoginException
  |     {
  |         try {
  |             boolean successLogin = super.login();
  |             return successLogin;
  |         }
  |         catch ( LoginException e ) {
  |             increaseFailedLogins();
  |             throw e;
  |         }
  |     }
  | 
  |     private void increaseFailedLogins()
  |     {
  |         if ( this.getClaimedUsername() == null ) {
  |             return;
  |         }
  |         InitialContext ctx = new InitialContext();
  |         return (PersonServiceLocal) ctx.lookup( "PersonServiceBean/local" );
  | 
  |         PersonServiceLocal personService = lookupContactService();
  |         Person person = personService.getPersonByUsername( 
this.getClaimedUsername() );
  | 
  |         personService.increaseFailedLoginsForPerson( person );
  |     }
  | }
  | 

In jboss.xml we defined the security domain "TM3-security" for all beans:


  | <jboss>
  |     <security-domain>java:/jaas/TM3-security</security-domain>
  |     <unauthenticated-principal>guest</unauthenticated-principal>
  | </jboss>
  | 


In login-config.xml the used login-modules are defined:


  | <application-policy name = "TM3-security">
  |        <authentication>
  |                <login-module code = 
"org.jboss.security.auth.spi.RunAsLoginModule" flag = "required">
  |                             <module-option 
name="roleName">LoginModuleUser</module-option>
  |                </login-module>
  |                
  |                <login-module code = 
"com.tm3.erp.core.business.DatabaseServerLoginModuleTm3" flag = "required">
  |                             <module-option name = 
"unauthenticatedIdentity">guest</module-option>
  |                             <module-option name = 
"dsJndiName">java:/PostgresDS</module-option>
  |                             <module-option name = 
"ignorePasswordCase">false</module-option>
  |                             <module-option name = 
"principalsQuery">xy</module-option>               
  |                             <module-option name = 
"rolesQuery">xy</module-option>
  |                     </login-module>
  |                     
  |                     <login-module 
code="org.jboss.security.ClientLoginModule" flag="required">
  |                       <module-option 
name="multi-threaded">true</module-option>
  |                       <module-option 
name="restore-login-identity">true</module-option>
  |                     </login-module> 
  |        </authentication>
  |     </application-policy>
  | 

We tried to moved the called EJB (PersonService) to a different Security Domain 
using the annotions:
a) @org.jboss.ejb3.annotation.SecurityDomain("java:/jaas/other")
b) @org.jboss.security.annotation.SecurityDomain ("java:/jaas/other")

No success. Any ideas? Thank you.



View the original post : 
http://www.jboss.org/index.html?module=bb&op=viewtopic&p=4269747#4269747

Reply to the post : 
http://www.jboss.org/index.html?module=bb&op=posting&mode=reply&p=4269747
_______________________________________________
jboss-user mailing list
jboss-user@lists.jboss.org
https://lists.jboss.org/mailman/listinfo/jboss-user

Reply via email to