Hi,
I'm having problems setting up JAAS security in JBoss 3.2.3.
(I have a few years' experience as a Java programmer, but JBoss is relatively new to me.) I would be grateful if someone could help me with this problem.
I configured DatabaseServerLoginModule, set up the Principals and Roles tables in HSQL as described in the JBoss documentation, and wrote a custom callback handler.
When I invoke login from a servlet, the Subject is found correctly as defined in the database tables and the login parameters supplied to the handler. So the user was authenticated: the user name and role were printed out correctly. The test code is:

      LoginContext loginContext = new LoginContext("client-login", handler);
      loginContext.login();
      Subject subject = loginContext.getSubject();
      System.out.println("Subject from servlet : " + subject.toString());
      accDelegate = new AccountDelegate();
      String message = accDelegate.createAccountFacade();
      System.out.println(message);

When I try to create the AccountFacade bean (a stateful session bean) from the accDelegate object (the Business Delegate and Service Locator design patterns are applied), I get a SecurityException: insufficient method permissions. Required role=[Buyer] principal roles=null. But the servlet already confirmed that the Principal was authenticated with the role 'Buyer'. It looks like the authenticated Subject is not propagated by the container with the next method call.
The other settings are as follows:

login-config.xml:

<policy>
    <!-- Used by clients within the application server VM such as
    mbeans and servlets that access EJBs.
    -->
    <application-policy name = "client-login">
       <authentication>
          <login-module code = "org.jboss.security.ClientLoginModule"
             flag = "required">
          </login-module>
       </authentication>
    </application-policy>

    <!-- =================================================================
    LOG IN MODULE  added by me
    Login module uses database to check user name and password -->

    <application-policy name = "dbAuthentication">
       <authentication>
          <login-module code = "org.jboss.security.auth.spi.DatabaseServerLoginModule"
             flag = "required">
             <module-option name = "unauthenticatedIdentity">nobody</module-option>
             <module-option name = "dsJndiName">java:/DefaultDS</module-option>
          </login-module>
       </authentication>
    </application-policy>

    <!-- ================================================================= -->

</policy>

auth.conf:

other {
   // jBoss LoginModule
   org.jboss.security.ClientLoginModule  required
   ;

   // Put your login modules that need jBoss here
};

client-login {
   // jBoss LoginModule
   org.jboss.security.ClientLoginModule  required
   ;

   // Put your login modules that need jBoss here
};

dbAuthentication {
   // jBoss LoginModule added by me
   org.jboss.security.auth.spi.DatabaseServerLoginModule  required
   ;
   unauthenticatedIdentity="nobody";
   dsJndiName="java:/DefaultDS"

   // Put your login modules that need jBoss here
};

jboss.xml:

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE jboss PUBLIC "-//JBoss//DTD JBOSS 3.2//EN" "http://www.jboss.org/j2ee/dtd/jboss_3_2.dtd">
<jboss>
  <security-domain>java:/jaas/dbAuthentication</security-domain>
  <unauthenticated-principal>nobody</unauthenticated-principal>
  <enterprise-beans>
    <session>
      <ejb-name>AccountFacadeBean</ejb-name>
      <jndi-name>AccountFacadeBean</jndi-name>
    </session>
    <session>
      <ejb-name>AccountControl</ejb-name>
      <jndi-name>AccountControl</jndi-name>
      <local-jndi-name>AccountControlLocal</local-jndi-name>
    </session>
  </enterprise-beans>
</jboss>

ejb-jar.xml:

    ................ other tags ............
    <security-role>
      <role-name>Buyer</role-name>
    </security-role>
    <security-role>
      <role-name>Supplier</role-name>
    </security-role>
    <method-permission>
      <role-name>Buyer</role-name>
      <method>
        <ejb-name>AccountFacadeBean</ejb-name>
        <method-intf>Home</method-intf>
        <method-name>create</method-name>
      </method>
      <method>
        <ejb-name>AccountFacadeBean</ejb-name>
        <method-intf>Remote</method-intf>
        <method-name>getUser</method-name>
      </method>
    </method-permission>

Thank you in advance
Natalia




View the original post : 
http://www.jboss.org/index.html?module=bb&op=viewtopic&p=3844043#3844043
