I hate to type this, but I'm having issues with JAAS caller principal 
propagation. 

For what it's worth, I am running 3.2.6 with a DatabaseLoginModule configured.  
I added the ClientLoginModule bit after reading some of the other posts here.  
Needless to say, I've tried removing and relocating it.  

    <application-policy name="fusion">
       <authentication>
          <login-module code="org.jboss.security.auth.spi.DatabaseServerLoginModule"
             flag="required">
             <module-option name="debug">true</module-option>
             <module-option name="password-stacking">useFirstPass</module-option>
             <module-option name="unauthenticatedIdentity">mikeh</module-option>
             <module-option name="dsJndiName">java:/fusion</module-option>
             <module-option name="principalsQuery">select Password from V_SYS_USER where UID=?</module-option>
             <module-option name="rolesQuery">select Role, null from V_SYS_USER_ROLES where UID=?</module-option>
          </login-module>
          <login-module code="org.jboss.security.ClientLoginModule" flag="required"></login-module>
       </authentication>
    </application-policy>

Basically, all my userIDs and Roles are working perfectly on the client side.  
I am happily authenticating via Jaas and can successfully check roles.  All is 
well with the world in JSP land.  My JSPs are secured by my security-domain and 
are using FORM based authentication.  

The issue seems to be with propagating the authenticated Principal to the EJB 
world.  I have my ejb-jar.xml entries set to 
<security-identity><use-caller-identity/></security-identity>, but the 
container is always interpreting the caller as the "unauthenticatedIdentity" as 
defined in my Login Module.

When SecurityInterceptor:checkSecurityAssociation(Invocation mi) is called, the 
principal is null.  So by this stage I guess it hasn't been able to obtain the 
<use-caller-identity>.

When the container gets around to JaasSecurityManager: doesUserHaveRole(), 
SubjectActions.getActiveSubject() returns the subject for the 
"unauthenticatedIdentity" and all its associated roles.  Authentication 
definitely works but only because an unauthenticatedIdentity has been supplied. 
 If I remove it from login-conf.xml, then I can't log in to my app, likewise if 
I remove critical roles.  I'm sure I shouldn't have to delve so deep into the 
bowels of JBoss to get this configured right?

I have read Chapter 8 and every post that seemed vaguely related to this issue 
(of which there are many!).  But call me thick, it seems 2 steps forward 1 step 
back.

Any and all pointers gratefully accepted.

Thx
Mike
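As an added review aid (not part of the original post or of JBoss), the script below parses a login-config.xml application-policy like the one quoted above and reports the points a security reviewer would raise about it; the embedded XML is a constructed reflow of the posted "fusion" policy, and the finding messages are the script's own wording.

```python
"""Static review of a JBoss login-config.xml application-policy."""
import xml.etree.ElementTree as ET

# Constructed sample: the "fusion" policy from the post, reflowed into well-formed XML.
LOGIN_CONFIG = """<policy>
 <application-policy name="fusion">
  <authentication>
   <login-module code="org.jboss.security.auth.spi.DatabaseServerLoginModule" flag="required">
    <module-option name="debug">true</module-option>
    <module-option name="password-stacking">useFirstPass</module-option>
    <module-option name="unauthenticatedIdentity">mikeh</module-option>
    <module-option name="dsJndiName">java:/fusion</module-option>
    <module-option name="principalsQuery">select Password from V_SYS_USER where UID=?</module-option>
    <module-option name="rolesQuery">select Role, null from V_SYS_USER_ROLES where UID=?</module-option>
   </login-module>
   <login-module code="org.jboss.security.ClientLoginModule" flag="required"></login-module>
  </authentication>
 </application-policy>
</policy>"""


def parse_policy(xml_text, name):
    """Return [(module class, flag, {option: value}), ...] for one application-policy."""
    root = ET.fromstring(xml_text)
    policy = root.find(f"./application-policy[@name='{name}']")
    if policy is None:
        raise ValueError(f"no application-policy named {name!r}")
    modules = []
    for lm in policy.iter("login-module"):
        opts = {o.get("name"): (o.text or "").strip() for o in lm.findall("module-option")}
        modules.append((lm.get("code") or "", lm.get("flag") or "", opts))
    return modules


def review(modules):
    """Return (severity, message) findings for the login-module stack."""
    findings = []
    for i, (code, flag, opts) in enumerate(modules):
        ident = opts.get("unauthenticatedIdentity")
        if ident:
            # Any caller that presents no credentials is logged in as this principal,
            # with the roles the module's rolesQuery returns for it (the post sees
            # exactly this), so that account must carry no roles of its own.
            findings.append(("high", f"{code}: unauthenticatedIdentity={ident!r} grants "
                                     "a principal and its rolesQuery roles to callers with no credentials"))
        if opts.get("password-stacking") == "useFirstPass" and i == 0:
            findings.append(("info", f"{code}: useFirstPass on the first module has no earlier module to reuse from"))
        if code.endswith("ClientLoginModule"):
            findings.append(("info", f"{code}: verifies nothing, it only sets the caller principal on the thread"))
    return findings
```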



View the original post : 
http://www.jboss.org/index.html?module=bb&op=viewtopic&p=3879001#3879001
JBoss-user mailing list
JBoss-user@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/jboss-user