I upgraded from JBoss3.2.0 to 4.0.5.  I am using FORM based authentication.  I 
have a custom login module that extends DatabaseServerLoginModule.  I am able 
to log in to the web application correctly.  All the correct roles are assigned 
to the user.  However, when I access a secured method in one of my EJBs, the 
principal is null.  Here is the error I am receiving:

java.rmi.AccessException: SecurityException; nested exception is: 
java.lang.SecurityException: Insufficient method permissions, principal=null, 
ejbName=IndexingManager, method=create, interface=HOME, requiredRoles=[INDEX], 
principalRoles=[ANONYMOUS, PARTNER]

It gives me the ANONYMOUS and PARTNER roles because these are the roles 
associated with the unauthenticatedIdentity.

Here is my login-config.xml:

    <application-policy name = "myRealm">
        <authentication>
            <login-module code="com.pcarrollnf.appserver.jboss.security.CustomLoginModule" flag="required">
                <module-option name = "unauthenticatedIdentity">anonymous</module-option>
                <module-option name = "dsJndiName">java:/jdbc/myRealm</module-option>
                <module-option name = "principalsQuery">SELECT A.PASSWORD FROM USERS A WHERE A.IS_ENABLED = 1 AND A.USER_NAME = ? AND ( A.EXPIRATION_DATE IS NULL OR A.EXPIRATION_DATE >= ? )</module-option>
                <module-option name = "rolesQuery">SELECT DISTINCT A.USER_NAME, C.ROLE_NAME FROM USER_GROUP A, ROLE_GROUP B, ROLES C WHERE A.USER_NAME = ? AND A.GROUP_ID = B.GROUP_ID AND B.ROLE_ID = C.ROLE_ID</module-option>
            </login-module>
        </authentication>
    </application-policy>

I tried adding:
    <login-module code = "org.jboss.security.ClientLoginModule" flag = "required"></login-module>

as the last login module in the myRealm policy but this did not work.

Here is a snippet from my web.xml

    <login-config>
        <auth-method>FORM</auth-method>
        <realm-name>DefaultRealm</realm-name>
        <form-login-config>
            <form-login-page>/login.do</form-login-page>
            <form-error-page>/loginError.do</form-error-page>
        </form-login-config>
    </login-config>

    <security-role>
        <role-name>ADMIN</role-name>
    </security-role>
    <security-role>
        <role-name>CONFIG</role-name>
    </security-role>
    <security-role>
        <role-name>INDEX</role-name>
    </security-role>
    <security-role>
        <role-name>PUBLISH</role-name>
    </security-role>
    <security-role>
        <role-name>USER</role-name>
    </security-role>
    <security-role>
        <role-name>PARTNER</role-name>
    </security-role>
    <security-role>
        <role-name>ANONYMOUS</role-name>
    </security-role>

Here is my ejb-jar.xml:

    <ejb-jar>
        <enterprise-beans>

            <session>
                <ejb-name>IndexingManager</ejb-name>
                <home>com.pcarrollnf.indexing.api.IndexingManagerHome</home>
                <remote>com.pcarrollnf.indexing.api.IndexingManager</remote>
                <ejb-class>com.pcarrollnf.indexing.ejb.IndexingManagerBean</ejb-class>
                <session-type>Stateless</session-type>
                <transaction-type>Container</transaction-type>
                <ejb-local-ref>
                    <ejb-ref-name>ejb/DocumentSchemaAttribute</ejb-ref-name>
                    <ejb-ref-type>Entity</ejb-ref-type>
                    <local-home>com.pcarrollnf.schema.ejb.DocumentLocalHome</local-home>
                    <local>com.digitalpaper.pcarrollnf.ejb.DocumentLocal</local>
                    <ejb-link>Document</ejb-link>
                </ejb-local-ref>

                <security-identity><use-caller-identity/></security-identity>
            </session>

        </enterprise-beans>

        <assembly-descriptor>
            <security-role>
                <role-name>INDEX</role-name>
            </security-role>

            <method-permission>
                <role-name>INDEX</role-name>
                <method>
                    <ejb-name>IndexingManager</ejb-name>
                    <method-name>*</method-name>
                </method>
            </method-permission>

            <container-transaction>
                <method>
                    <ejb-name>IndexingManager</ejb-name>
                    <method-name>*</method-name>
                </method>
                <trans-attribute>Required</trans-attribute>
            </container-transaction>
        </assembly-descriptor>
    </ejb-jar>

Here is my jboss.xml:

    <jboss>
        <security-domain>java:/jaas/myRealm</security-domain>
        <enterprise-beans>
            <session>
                <ejb-name>IndexingManager</ejb-name>
                <jndi-name>indexing/IndexingManager</jndi-name>
                <configuration-name>Standard Stateless SessionBean</configuration-name>
            </session>
        </enterprise-beans>
        <container-configurations>
            <container-configuration extends="Standard CMP 2.x EntityBean">
                <container-name>CMP 2.x and Cache</container-name>
                <commit-option>D</commit-option>
                <optiond-refresh-rate>300</optiond-refresh-rate>
            </container-configuration>
        </container-configurations>
    </jboss>

Any help would be appreciated.  If you need me to post more information, please 
let me know.  Thanks.

View the original post : 
http://www.jboss.com/index.html?module=bb&op=viewtopic&p=4004955#4004955
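
Added example, not part of the original post and not JBoss code: a Python triage helper that parses the "Insufficient method permissions" message quoted in the post and separates EJB calls that arrived with no caller principal from calls by an authenticated user who simply lacks a role. The message layout and the ANONYMOUS/PARTNER roles come from the post; the second log line, the user "jdoe" and all function names are constructed for illustration.

```python
import re

# Field layout copied from the SecurityException text quoted in the post.
DENIAL = re.compile(
    r"Insufficient method permissions, principal=(?P<principal>[^,]*), "
    r"ejbName=(?P<ejb>[^,]+), method=(?P<method>[^,]+), "
    r"interface=(?P<iface>[^,]+), "
    r"requiredRoles=\[(?P<required>[^\]]*)\], "
    r"principalRoles=\[(?P<held>[^\]]*)\]"
)

# Roles the post says belong to the unauthenticatedIdentity.
UNAUTH_ROLES = {"ANONYMOUS", "PARTNER"}

# First message is the one from the post (wrapped as mailed); second is constructed.
SAMPLE_LOG = """java.rmi.AccessException: SecurityException; nested exception is:
java.lang.SecurityException: Insufficient method permissions, principal=null,
ejbName=IndexingManager, method=create, interface=HOME, requiredRoles=[INDEX],
principalRoles=[ANONYMOUS, PARTNER]
java.lang.SecurityException: Insufficient method permissions, principal=jdoe, ejbName=IndexingManager, method=create, interface=HOME, requiredRoles=[INDEX], principalRoles=[USER]
"""

def _roles(text):
    return {r.strip() for r in text.split(",") if r.strip()}

def parse_denials(log_text):
    # Mail and console wrapping can split one message across lines,
    # so collapse all whitespace runs before matching.
    flat = " ".join(log_text.split())
    denials = []
    for m in DENIAL.finditer(flat):
        required, held = _roles(m["required"]), _roles(m["held"])
        denials.append({
            "ejb": m["ejb"], "method": m["method"], "interface": m["iface"],
            "principal": None if m["principal"] == "null" else m["principal"],
            "held_roles": sorted(held),
            "missing_roles": sorted(required - held),
        })
    return denials

def classify(denial, unauth_roles=UNAUTH_ROLES):
    # No principal plus exactly the unauthenticated identity's roles means the
    # caller's identity never reached the EJB container for this invocation.
    if denial["principal"] is None:
        if set(denial["held_roles"]) == set(unauth_roles):
            return "unauthenticated-identity-fallback"
        return "null-principal"
    return "authenticated-but-unauthorized"
```
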
