Hi,
I'm trying to update an old EJB2-based application to be able to run on JBoss 
5.1. Well, everything works except that I keep getting 
java.lang.SecurityException: Authentication exception, principal=null on some 
operations.

I have a custom login module. Right now it's deployed with the new method, but 
I've also tried with the old DynamicLoginConfig. When I log in on the web 
frontend it looks like this in the log:

22:59:46,100 TRACE [LimeLoginModule] initialize
22:59:46,106 TRACE [LimeLoginModule] Security domain: lime
22:59:46,109 TRACE [LimeLoginModule] Saw unauthenticatedIdentity=unauthenticated
22:59:46,113 TRACE [LimeLoginModule] login
22:59:46,114 TRACE [LimeLoginModule] Trying to authenticate sverker
22:59:46,119 DEBUG [AccountServiceBean] AccountServiceBean.ejbCreate()
22:59:46,168 INFO  [AccountServiceBean] AccountServiceBean.authenticateAccount("sverker","*******") from null successfull
22:59:46,170 TRACE [LimeLoginModule] LimeLoginModule.login("sverker","*******") successfull
22:59:46,171 TRACE [LimeLoginModule] Assign user to role admin
22:59:46,174 TRACE [LimeLoginModule] User 'sverker' authenticated, loginOk=true

However, on the operations that fail I see this instead:
23:02:05,078 TRACE [UsersRolesLoginModule] initialize
23:02:05,083 TRACE [UsersRolesLoginModule] Security domain: other
23:02:05,084 TRACE [UsersRolesLoginModule] findResource: null
23:02:05,087 ERROR [UsersRolesLoginModule] Failed to load users/passwords/role files
java.io.IOException: No properties file: users.properties or defaults: defaultUsers.properties found

All operations are unchecked, the app handles authorization in other ways. I 
can see no difference in ejb-jar.xml on method-permission fields between the 
operations that work and those that don't.
I have tested setting security-domain and unauthenticated-principal in 
either jboss-app.xml (in the ear) or jboss.xml (in ejb-jar) + jboss-web.xml, or 
in all, but no change.

How come for some operations it chooses security-domain other? I see the 
same also when calling operations on EJBs from an MBean. How can I set which 
security-domain it belongs to, and shouldn't it be the EJB's security domain 
that matters?

The setting I use in jboss-app and the others are:
        <security-domain>java:/jaas/lime</security-domain>
        <unauthenticated-principal>unauthenticated</unauthenticated-principal>

What is this unauthenticated-principal used for? Shouldn't that prevent the 
exception with principal=null?


View the original post : 
http://www.jboss.org/index.html?module=bb&op=viewtopic&p=4262057#4262057

_______________________________________________
jboss-user mailing list
jboss-user@lists.jboss.org
https://lists.jboss.org/mailman/listinfo/jboss-user