Hello, I'm stuck at the following problem. I have one EJB module and two web 
apps inside a single ear. Relevant parts of configuration files follow:

From jboss.xml:

  | <security-domain>java:/jaas/db_store</security-domain>
  |

From ejb-jar.xml:

  |         <method-permission>
  |             <unchecked/>
  |             <method>
  |                 <ejb-name>ModerEJB</ejb-name>
  |                 <method-intf>Home</method-intf>
  |                 <method-name>create</method-name>
  |             </method>
  |         </method-permission>
  |

From jboss-web.xml #1:

  | <security-domain>java:/jaas/db_store</security-domain>
  |

From jboss-web.xml #2:

  | <security-domain>java:/jaas/other</security-domain>
  |

From login-config.xml:

  |     <application-policy name="db_store">
  |       <authentication>
  | 
  |         <login-module code="org.jboss.security.auth.spi.DatabaseServerLoginModule" flag="required">
  |           <module-option name="dsJndiName">
  |             DS/Standard
  |           </module-option>
  |           <module-option name="principalsQuery">
  |             SELECT usr_password FROM users WHERE usr_login = ?
  |           </module-option>
  |           <module-option name="rolesQuery">
  |             SELECT 'CommonUser', 'Roles' FROM users WHERE usr_login = ?
  |           </module-option>
  |           <module-option name="hashAlgorithm">SHA1</module-option>
  |           <module-option name="hashEncoding">hex</module-option>
  |           <module-option name="ignorePasswordCase">true</module-option>
  |           <module-option name="unauthenticatedIdentity">nobody</module-option>
  |         </login-module>
  |       </authentication>
  |     </application-policy>
  | 
  |     <application-policy name = "other">
  |        <authentication>
  |           <login-module code = "org.jboss.security.auth.spi.UsersRolesLoginModule"
  |              flag = "required">
  |               <module-option name="unauthenticatedIdentity">nobody</module-option>
  |           </login-module>
  |        </authentication>
  |     </application-policy>
  | 

The bean itself is constructed by a helper (BeanHelper), located inside the ejb 
module - don't know if it makes a difference.

Now, on to the problem. I have a servlet in web app #2, which tries to create a 
bean (by calling an unchecked create() method). Only authorised users have 
access to the servlet (through BASIC authorization, if it matters). When the 
call to create() is made, it fails with the following exception (parts skipped 
for clarity):


  | java.rmi.AccessException: SecurityException; nested exception is:
  |         javax.security.auth.login.FailedLoginException: No matching username found in Principals
  |         at org.jboss.ejb.plugins.LogInterceptor.handleException(LogInterceptor.java:388)
  |         at org.jboss.ejb.plugins.LogInterceptor.invokeHome(LogInterceptor.java:136)
  | ...
  |         at ru.singlecity.ejb.BeanHelper.getModerBean(BeanHelper.java:216)
  | ...
  | Caused by: javax.security.auth.login.FailedLoginException: No matching username found in Principals
  |         at org.jboss.security.auth.spi.DatabaseServerLoginModule.getUsersPassword(DatabaseServerLoginModule.java:152)
  |         at org.jboss.security.auth.spi.UsernamePasswordLoginModule.login(UsernamePasswordLoginModule.java:206)
  | ...
  |         at javax.security.auth.login.LoginContext.invoke(LoginContext.java:769)
  |         at javax.security.auth.login.LoginContext.access$000(LoginContext.java:186)
  |         at javax.security.auth.login.LoginContext$4.run(LoginContext.java:683)
  |         at java.security.AccessController.doPrivileged(Native Method)
  |         at javax.security.auth.login.LoginContext.invokePriv(LoginContext.java:680)
  |         at javax.security.auth.login.LoginContext.login(LoginContext.java:579)
  |         at org.jboss.security.plugins.JaasSecurityManager.defaultLogin(JaasSecurityManager.java:601)
  |         at org.jboss.security.plugins.JaasSecurityManager.authenticate(JaasSecurityManager.java:535)
  |         at org.jboss.security.plugins.JaasSecurityManager.isValid(JaasSecurityManager.java:344)
  |         at org.jboss.ejb.plugins.SecurityInterceptor.checkSecurityAssociation(SecurityInterceptor.java:211)
  |         at org.jboss.ejb.plugins.SecurityInterceptor.invokeHome(SecurityInterceptor.java:135)
  |         at org.jboss.ejb.plugins.LogInterceptor.invokeHome(LogInterceptor.java:132)
  |         ... 47 more
  | 

So - what am I doing wrong? The principal is already set (by the web app) and 
access to the method of the bean is set to unchecked...  If the principal 
wasn't passed on to the EJB, it would've caused a different exception (see item 
#1 in the FAQ), but it hadn't. Any help would be greatly appreciated!

With best regards,
Victor Denisov.

View the original post : 
http://www.jboss.com/index.html?module=bb&op=viewtopic&p=3958987#3958987
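
In the trace above, the failing login runs inside `SecurityInterceptor.checkSecurityAssociation` and ends in `DatabaseServerLoginModule`, i.e. in the bean's `db_store` domain, while web app #2 authenticates its users against `other`. The plain-JAAS model below is an added example, not code from the original post or from JBoss; it shows the same caller accepted by one domain and rejected by the other. `TwoDomains`, `StoreLoginModule`, the `store` option and the user names are hypothetical, and the user stores are constructed.

```java
import java.util.Map;
import javax.security.auth.Subject;
import javax.security.auth.callback.*;
import javax.security.auth.login.*;
import javax.security.auth.spi.LoginModule;
// Added illustration in plain JAAS; not JBoss code and not from the original post.
public class TwoDomains {
    // Constructed user stores, one per security domain; "alice" exists only in "other".
    static final Map<String, Map<String, String>> STORES = Map.of(
        "other", Map.of("alice", "secret"),
        "db_store", Map.of("bob", "hunter2"));
    // Hypothetical stand-in for a username/password login module bound to one store.
    public static class StoreLoginModule implements LoginModule {
        private CallbackHandler handler;
        private Map<String, String> users;
        public void initialize(Subject s, CallbackHandler h, Map<String, ?> shared, Map<String, ?> opts) {
            handler = h;
            users = STORES.get((String) opts.get("store"));
        }
        public boolean login() throws LoginException {
            NameCallback n = new NameCallback("user");
            PasswordCallback p = new PasswordCallback("password", false);
            try { handler.handle(new Callback[] {n, p}); }
            catch (Exception e) { throw new LoginException(e.toString()); }
            String expected = users.get(n.getName());
            if (expected == null) throw new FailedLoginException("No matching username found in Principals");
            if (!expected.equals(new String(p.getPassword()))) throw new FailedLoginException("Password Incorrect");
            return true;
        }
        public boolean commit() { return true; }
        public boolean abort() { return true; }
        public boolean logout() { return true; }
    }
    // Run a JAAS login for the caller against the named domain, as each container does for its own.
    static String check(String domain, String user, String pw) {
        Configuration cfg = new Configuration() {
            public AppConfigurationEntry[] getAppConfigurationEntry(String name) {
                return new AppConfigurationEntry[] { new AppConfigurationEntry(StoreLoginModule.class.getName(),
                    AppConfigurationEntry.LoginModuleControlFlag.REQUIRED, Map.of("store", name)) };
            }
        };
        CallbackHandler cb = cbs -> { for (Callback c : cbs) {
            if (c instanceof NameCallback) ((NameCallback) c).setName(user);
            else if (c instanceof PasswordCallback) ((PasswordCallback) c).setPassword(pw.toCharArray()); } };
        try { new LoginContext(domain, null, cb, cfg).login(); return "accepted"; }
        catch (LoginException e) { return "rejected: " + e.getMessage(); }
    }
    public static void main(String[] args) {
        System.out.println("web app #2 (other):    " + check("other", "alice", "secret"));
        System.out.println("EJB create (db_store): " + check("db_store", "alice", "secret"));
    }
}
```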
