I was playing around with roles in my EJB and added the @RolesAllowed("SYSTEM")
annotation.  I created my own realms as follows:

    <application-policy name="MyModule">
        <authentication>

            <login-module code="org.jboss.security.auth.spi.DatabaseServerLoginModule" flag="sufficient">
                <module-option name="dsJndiName">java:/MyDS</module-option>
                <module-option name="principalsQuery">SELECT account.password FROM ACCOUNTS account, PRINCIPALS principal WHERE principal.name=? and account.id = principal.id</module-option>

                <module-option name="rolesQuery">SELECT entry.role, 'Roles' FROM ROLE_ENTRY entry, PRINCIPALS account WHERE entry.principal = account.id and account.name=?</module-option>
            </login-module>
            <login-module code="org.jboss.security.auth.spi.UsersRolesLoginModule" flag="sufficient">
                <module-option name="usersProperties">props/my-users.properties</module-option>
                <module-option name="rolesProperties">props/my-roles.properties</module-option>
            </login-module>

            <!-- Client Login module so that the security context can be set for invoking EJBs -->
            <login-module code="org.jboss.security.ClientLoginModule" flag="required">
                <module-option name="restore-login-identity">true</module-option>
            </login-module>

        </authentication>
    </application-policy>

The EJB is called from the JMX service by doing a local JNDI lookup and
calling the method.  For JMX I only get this to work when I also add the
@SecurityDomain("MyDomain") annotation to the bean.

When I do not do that, it uses the jmx-console realm, but even when I copy/paste
the above into that realm, the jmx-console is allowed to call the method.  When
I look at the security trace, I see that the SYSTEM role is not part of the
credentials (as I was expecting), but the call gets executed anyway.  Do I have
to muck around in the Tomcat configuration somewhere?

Output:

    2007-06-13 16:03:39,352 TRACE [org.jboss.web.tomcat.security.JBossSecurityMgrRealm] Checking roles GenericPrincipal[system(ADMIN,JBossAdmin,)]
    2007-06-13 16:03:39,352 TRACE [org.jboss.web.tomcat.security.JBossSecurityMgrRealm] No role found:  JBossAdmin
    2007-06-13 16:03:39,352 TRACE [org.jboss.web.tomcat.security.SecurityAssociationValve] Begin invoke, callerGenericPrincipal[system(ADMIN,JBossAdmin,)]
    2007-06-13 16:03:39,352 TRACE [org.jboss.security.SecurityAssociation] pushRunAsIdentity, runAs=null
    2007-06-13 16:03:39,352 TRACE [org.jboss.web.tomcat.security.SecurityAssociationValve] Restoring principal info from cache
    2007-06-13 16:03:39,352 TRACE [org.jboss.security.SecurityAssociation] pushSubjectContext, subject=Subject:
        Principal: system
        Principal: Roles(members:ADMIN,JBossAdmin)
    , [EMAIL PROTECTED],subject=30019131}
    2007-06-13 16:03:39,352 TRACE [org.jboss.web.tomcat.security.RunAsListener] HtmlAdaptor, runAs: null
    2007-06-13 16:03:39,352 TRACE [org.jboss.web.tomcat.security.RunAsListener] HtmlAdaptor, runAs: null
    2007-06-13 16:03:39,352 TRACE [org.jboss.security.SecurityAssociation] getPrincipal, principal=system
    2007-06-13 16:03:39,352 TRACE [org.jboss.security.SecurityAssociation] pushSubjectContext, subject=null, [EMAIL PROTECTED],subject=null}
    2007-06-13 16:03:39,352 TRACE [org.jboss.security.SecurityAssociation] getPrincipal, principal=system
    2007-06-13 16:03:39,352 TRACE [org.jboss.security.SecurityAssociation] pushSubjectContext, subject=null, [EMAIL PROTECTED],subject=null}
    2007-06-13 16:03:39,352 TRACE [org.jboss.security.SecurityAssociation] getPrincipal, principal=system


View the original post : 
http://www.jboss.com/index.html?module=bb&op=viewtopic&p=4054148#4054148

Reply to the post : 
http://www.jboss.com/index.html?module=bb&op=posting&mode=reply&p=4054148
_______________________________________________
jboss-user mailing list
[email protected]
https://lists.jboss.org/mailman/listinfo/jboss-user
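Editor's added example (not the poster's code): a JBoss 4.x EJB3 session bean that binds the role check described in the post to the realm above. It assumes the security domain name matches the application-policy name "MyModule" (the post itself uses "MyDomain"), a hypothetical bean/interface name, and the default JBoss local JNDI binding; in JBoss 4.x EJB3 the role interceptor is only applied once a security domain is bound to the bean, which is consistent with the trace above showing the call going through without SYSTEM.

```java
import javax.annotation.Resource;
import javax.annotation.security.RolesAllowed;
import javax.ejb.Local;
import javax.ejb.SessionContext;
import javax.ejb.Stateless;
import org.jboss.annotation.security.SecurityDomain;

// Local business interface (hypothetical name, assumed for this example).
@Local
interface SystemOpsLocal {
    String runPrivilegedOp();
}

// "MyModule" is assumed to be the <application-policy name> that the
// DatabaseServerLoginModule / UsersRolesLoginModule above are registered
// under. Without @SecurityDomain the EJB3 container has no domain to
// authorize against and @RolesAllowed is not enforced.
@Stateless
@SecurityDomain("MyModule")
public class SystemOpsBean implements SystemOpsLocal {

    @Resource
    private SessionContext ctx;

    // Only callers whose Subject carries the SYSTEM role (as returned by the
    // rolesQuery or my-roles.properties above) get past the container check.
    @RolesAllowed("SYSTEM")
    public String runPrivilegedOp() {
        String caller = ctx.getCallerPrincipal().getName();
        // Defensive re-check: if this ever fires, the container interceptor
        // did not run, i.e. the security domain is not applied to this bean.
        if (!ctx.isCallerInRole("SYSTEM")) {
            throw new IllegalStateException(
                "caller " + caller + " reached runPrivilegedOp without SYSTEM");
        }
        return "ok for " + caller;
    }
}

// Caller side inside the JMX service (hypothetical JNDI name; JBoss 4.x EJB3
// binds a local interface under <bean-name>/local by default):
//
//   SystemOpsLocal ops =
//       (SystemOpsLocal) new javax.naming.InitialContext().lookup("SystemOpsBean/local");
//   ops.runPrivilegedOp();   // throws EJBAccessException for a caller without SYSTEM
```

With the domain applied, the jmx-console principal in the trace (roles ADMIN, JBossAdmin) is rejected by the container before the method body runs; the inner check only exists to make a missing domain binding loud rather than silent.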
