Hey folks, I am really becoming desperate with JBoss + JAAS.

I have a very simple RMI client which connects to a Stateless Session Bean running within a JBoss 4.2. This scenario works perfectly well. Now I want to secure access to my EJB by allowing only authenticated clients to call the EJB's methods. Based on the official documentation: http://docs.jboss.org/jbossas/jboss4guide/r1/html/ch8.chapter.html I started out with the most simple authentication possible, using UsersRolesLoginModule as login module:

* Create the file users.properties in the ejb-jar subproject under the directory META-INF:

    admin=secretadminpassword
    user=secretuserpassword

* Create the file roles.properties in the ejb-jar subproject under the directory META-INF:

    admin=adminRole
    user=userRole

* Add an ejb-jar.xml to the ejb-jar subproject under the directory META-INF:

    <ejb-jar>
      <assembly-descriptor>
        <security-role>
          <description>admin: only allowed users</description>
          <role-name>adminRole</role-name>
        </security-role>
        <security-role>
          <description>users: the rest</description>
          <role-name>userRole</role-name>
        </security-role>
        <method-permission>
          <role-name>admin</role-name>
          <method>
            <ejb-name>SendCommand</ejb-name>
            <method-name>*</method-name>
          </method>
        </method-permission>
      </assembly-descriptor>
    </ejb-jar>

* Add the file jboss.xml under the directory /$PROJECT-ROOT/META-INF:

    <jboss>
      <security-domain>java:/jaas/esf</security-domain>
      <enterprise-beans>
        <session>
          <ejb-name>SendCommand</ejb-name>
          <jndi-name>SendCommand</jndi-name>
        </session>
      </enterprise-beans>
    </jboss>

* Adjust the file login-config.xml under the directory $JBOSS_HOME/server/$PROFILE/conf/:

    <application-policy name="esf">
      <authentication>
        <login-module code="org.jboss.security.auth.spi.UsersRolesLoginModule" flag="required" />
      </authentication>
    </application-policy>

So far, so good.... If I rebuild my application and inspect the EAR's content, I see all the expected files there, meaning jboss.xml, users.properties etc....

But: I can still connect with my RMI client to my EJB even without giving credentials at all! No error messages, no exceptions.... Any ideas what went wrong here? Is there a way to check what JBoss sees as a security domain?

P.S.: JAAS may be great due to its modularity, but it is horrible, unbelievably horrible to configure for a JAAS beginner. This is an utter catastrophe; how long do I have to study JAAS to get a simple authentication working?

View the original post : http://www.jboss.com/index.html?module=bb&op=viewtopic&p=4156738#4156738

_______________________________________________
jboss-user mailing list
jboss-user@lists.jboss.org
https://lists.jboss.org/mailman/listinfo/jboss-user
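As an added consistency check that is not part of the original post or of JBoss itself: a small Python lint (a hypothetical helper, assumed here) that cross-checks users.properties, roles.properties and the assembly-descriptor of ejb-jar.xml, run on constructed copies of the files from the post. On that input it reports that the method-permission's role-name "admin" is not among the declared security-roles and that no user is mapped to it, which is the kind of mismatch that is easy to miss when every file looks right on its own.

```python
import xml.etree.ElementTree as ET

# Constructed copies of the three files from the post (sample input, not the poster's real files).
USERS_PROPERTIES = "admin=secretadminpassword\nuser=secretuserpassword\n"
ROLES_PROPERTIES = "admin=adminRole\nuser=userRole\n"
EJB_JAR_XML = """<ejb-jar>
  <assembly-descriptor>
    <security-role><role-name>adminRole</role-name></security-role>
    <security-role><role-name>userRole</role-name></security-role>
    <method-permission>
      <role-name>admin</role-name>
      <method><ejb-name>SendCommand</ejb-name><method-name>*</method-name></method>
    </method-permission>
  </assembly-descriptor>
</ejb-jar>"""


def parse_properties(text):
    """Parse a JBoss users/roles .properties file: one key=value per line, '#' starts a comment."""
    entries = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            key, _, value = line.partition("=")
            entries[key.strip()] = value.strip()
    return entries


def lint_security_config(users_text, roles_text, ejb_jar_text):
    """Return a list of problems found when cross-checking the three files (empty list = consistent)."""
    users = parse_properties(users_text)
    # roles.properties maps user -> comma-separated list of roles
    roles = {u: {r.strip() for r in v.split(",")} for u, v in parse_properties(roles_text).items()}
    root = ET.fromstring(ejb_jar_text)
    declared = {e.text.strip() for e in root.findall("./assembly-descriptor/security-role/role-name")}
    referenced = {e.text.strip() for e in root.findall("./assembly-descriptor/method-permission/role-name")}
    problems = []
    for role in sorted(referenced - declared):
        problems.append(f"method-permission references undeclared role '{role}'")
    for user in sorted(set(roles) - set(users)):
        problems.append(f"roles.properties assigns roles to unknown user '{user}'")
    for role in sorted(referenced):
        if not any(role in held for held in roles.values()):
            problems.append(f"no user holds role '{role}', so nobody can call the protected method")
    return problems


if __name__ == "__main__":
    for problem in lint_security_config(USERS_PROPERTIES, ROLES_PROPERTIES, EJB_JAR_XML):
        print("PROBLEM:", problem)
```

Note that this only checks the descriptors against each other; it cannot tell whether the security domain in jboss.xml was actually picked up by the deployer, which is a separate question.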