Hi,

I'm using JBoss and Tomcat for my web application.

I have two stateful session ejbs: InsegnamentiEJB and MatDidEJB.

The MatDidEJB is restricted to a security domain, but the other is not.
So I did not specify any method permission in the ejb-jar.xml for the first bean, but 
only for the second one:

<assembly-descriptor>
    <security-role>
         <role-name>docente</role-name>
    </security-role>

    <method-permission>
        <role-name>docente</role-name>
        <method>
             <ejb-name>MatDidEJB</ejb-name>
             <method-name>*</method-name>
        </method>
    </method-permission>
</assembly-descriptor>

I want to use the database login module for the authentication of users, so I had to 
change the standard configuration by adding the following jboss.xml:

<jboss>
    <security-domain>java:/jaas/modulojdbc</security-domain>
</jboss>

where modulojdbc is the JNDI name of the authorization configuration in the auth.conf 
file.

Then I have two JSPs: Insegnamenti.jsp and MatDid.jsp.

When the user connects to the first, he/she doesn't need to be authenticated and can 
access the related EJB.
At the bottom of the page there is a link to the other JSP, and if the user clicks it 
he/she must authenticate himself/herself with a login form.

My web.xml contains the following:

<security-constraint>

  <web-resource-collection>
    <web-resource-name>area riservata</web-resource-name>
    <url-pattern>/MatDid.jsp</url-pattern>
    <http-method>DELETE</http-method>
    <http-method>GET</http-method>
    <http-method>POST</http-method>
    <http-method>PUT</http-method>
  </web-resource-collection>

  <auth-constraint>
    <role-name>docente</role-name>
  </auth-constraint>

</security-constraint>


The problem is that when the user connects to Insegnamenti.jsp and tries to connect 
to the InsegnamentiEJB, the following exception occurs:

    javax.servlet.ServletException: checkSecurityAssociation; nested exception is:
    java.lang.SecurityException: Authentication exception, principal=null; nested exception is:
    java.rmi.RemoteException: checkSecurityAssociation; nested exception is:
    java.lang.SecurityException: Authentication exception, principal=null

It seems that as long as I set the jboss configuration with the jboss.xml, any user 
that tries to access the beans must be authenticated! WHY?!

How can I restrict the authentication only to ONE particular ejb?

                   PLEASE HELP!!!!!

Thanks in advance

bye



_______________________________________________
JBoss-user mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/jboss-user
