I hate to type this, but I'm having issues with JAAS caller principal propagation.

For what it's worth, I am running 3.2.6 with a DatabaseLoginModule configured. I added the ClientLoginModule bit after reading some of the other posts here. Needless to say, I've tried removing and relocating it.

    <application-policy name = "fusion">
      <authentication>
        <login-module code = "org.jboss.security.auth.spi.DatabaseServerLoginModule"
                      flag = "required">
          <module-option name="debug">true</module-option>
          <module-option name="password-stacking">useFirstPass</module-option>
          <module-option name="unauthenticatedIdentity">mikeh</module-option>
          <module-option name = "dsJndiName">java:/fusion</module-option>
          <module-option name = "principalsQuery">select Password from V_SYS_USER where UID=?</module-option>
          <module-option name = "rolesQuery">select Role, null from V_SYS_USER_ROLES where UID=?</module-option>
        </login-module>
        <login-module code = "org.jboss.security.ClientLoginModule" flag = "required">
        </login-module>
      </authentication>
    </application-policy>

Basically, all my userIDs and Roles are working perfectly on the client side. I am happily authenticating via JAAS and can successfully check roles. All is well with the world in JSP land. My JSPs are secured by my security-domain and are using FORM based authentication.

The issue seems to be with propagating the authenticated Principal to the EJB world. I have my ejb-jar.xml entries set to <security-identity><use-caller-identity/></security-identity>, but the container is always interpreting the caller as the "unauthenticatedIdentity" as defined in my Login Module.

When SecurityInterceptor:checkSecurityAssociation(Invocation mi) is called, the principal is null. So by this stage I guess it hasn't been able to obtain the <use-caller-identity>. When the container gets around to JaasSecurityManager: doesUserHaveRole()
SubjectActions.getActiveSubject() returns the subject for the "unauthenticatedIdentity" and all its associated roles.
Authentication definitely works but only because an unauthenticatedIdentity has been supplied. If I remove it from login-conf.xml, then I can't log in to my app, likewise if I remove critical roles. I'm sure I shouldn't have to delve so deep into the bowels of JBoss to get this configured right? I have read Chapter 8 and every post that seemed vaguely related to this issue (of which there are many!). But call me thick, it seems 2 steps forward 1 step back. Any and all pointers gratefully accepted.

Thx
Mike

View the original post : http://www.jboss.org/index.html?module=bb&op=viewtopic&p=3879001#3879001

JBoss-user mailing list
JBoss-user@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/jboss-user