[JBoss-user] [Security & JAAS/JBoss] - Chained Login Modules and IsCallerInRole()

Wed, 18 May 2005 06:59:47 -0700 

Hi,

we would like to secured EJB access in such a way, that even unauthenticated 
calls (principal=null) will be excuted with an assigned default principal and 
default role (which we need for an additional  IsCallerInRole() based security 
test within the EJB method itself).

We setup the following chained login module configuration:


  |     <!-- Chained Security Domain -->
  |     <application-policy name = "ChainedSecurityRealm">
  |        <authentication>
  | 
  |            <!-- try authentication lookup user/roles in security database 
-->
  |           <login-module code = 
"org.jboss.security.auth.spi.DatabaseServerLoginModule" flag = "sufficient">
  |              <module-option name = 
"dsJndiName">java:/SecurityDS</module-option>
  |              <module-option name = "principalsQuery">SELECT password FROM 
principals WHERE ....</module-option>
  |              <module-option name = "rolesQuery">SELECT role FROM roles 
WHERE ....</module-option>
  |           </login-module>
  | 
  |            <!-- fallback to DefaultPrincipal with role DefaultRole for 
unauthenticated callers -->
  |             <login-module 
code="org.jboss.security.auth.spi.IdentityLoginModule" flag="required">
  |                 <module-option 
name="principal">DefaultPrincipal</module-option>
  |                 <module-option name="roles">DefaultRole</module-option>
  |             </login-module>
  | 
  |        </authentication>
  |     </application-policy>
  | 

If a caller cannot be authenticated by the first DatabaseServerLoginModule 
(sufficent), that a DefaultPrincipal with DefaultRole will always be assigned 
by the second IdentityLoginModule.

So far, so good, general authentication and authorization within the 
SecurityInterceptor of the EJB is propperly handled even for unauthenticated 
callers ( -> method access granted ). 

Unfortunately within the method itself a call to 
Context.isUserInRole("DefaultRole") still returns false, as the principal 
element in the bean context is still null (originally set to null on 
invocation, as the client did not provided authentication information). 

I would expect that the DefaultPrincipal and its DefaultRole should be assigned 
to the context principal element (which analogously happens for example in case 
of an explicit EJB role assignment via "run-as" tag)

Is this a bug or an expected behaviour ? 

Regards
Ulf





 

 

View the original post : 
http://www.jboss.org/index.html?module=bb&op=viewtopic&p=3878199#3878199

Reply to the post : 
http://www.jboss.org/index.html?module=bb&op=posting&mode=reply&p=3878199


-------------------------------------------------------
This SF.Net email is sponsored by Oracle Space Sweepstakes
Want to be the first software developer in space?
Enter now for the Oracle Space Sweepstakes!
http://ads.osdn.com/?ad_id=7412&alloc_id=16344&op=click
_______________________________________________
JBoss-user mailing list
JBoss-user@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/jboss-user

Reply via email to