My application security runs great in Tomcat but when I run it in JBoss it
doesn't work.
I have deployed a DynamicLoginConfig MBean to specify the location of my custom
login-config.xml:
jboss-service.xml:
<server>

    <!-- JG:
         Added this mbean so that jboss will look first in META-INF for the
         login config before looking in the config directory
         of the jboss root -->
    <mbean code="org.jboss.security.auth.login.DynamicLoginConfig"
           name="jboss:service=DynamicLoginConfig">
        <attribute name="AuthConfig">META-INF/jboss-login-config.xml</attribute>
        <!-- The service which supports dynamic processing of login-config.xml
             configurations.
        -->
        <depends optional-attribute-name="LoginConfigService">
            jboss.security:service=XMLLoginConfig
        </depends>
        <!-- Optionally specify the security mgr service to use when
             this service is stopped to flush the auth caches of the domains
             registered by this service.
        -->
        <depends optional-attribute-name="SecurityManagerService">
            jboss.security:service=JaasSecurityManager
        </depends>
    </mbean>
</server>
Where jboss-login-config.xml looks like this:
<policy>

    <application-policy name="CustomerAdmin">
        <authentication>
            <login-module code="com.ftid.custadmin.security.HibernateLoginModule" flag="required">
                <module-option name="policy">META-INF/ClientAdmin.policy</module-option>
            </login-module>
        </authentication>
    </application-policy>

</policy>
This works great: when logging into my application on JBoss, my custom
HibernateLoginModule class is called. However, I have a JAAS Policy file that
looks like this:

    grant Principal com.ftid.custadmin.security.ClientAdminPrincipal "view_customer" {
        permission com.ftid.custadmin.security.ViewIdPermission "/client/clientsView.*";
        permission com.ftid.custadmin.security.ViewIdPermission "/client/clientLandingPage.*";
    };

    grant Principal com.ftid.custadmin.security.ClientAdminPrincipal "view_update_customer" {
        permission com.ftid.custadmin.security.ViewIdPermission "/client/clientEdit.*";
    };

    etc.

How do I get the JBoss SecurityManager to read this JAAS policy file?
In Tomcat I simply had to do the following, which works very well:

    System.setProperty("java.security.auth.login.config",
                       sc.getRealPath("/WEB-INF/jaas.properties"));
    System.setProperty("java.security.auth.policy",
                       sc.getRealPath("/WEB-INF/ClientAdmin.policy"));
    SecurityManager sm = System.getSecurityManager();
    .
    .
    .
    Permission perm = new ViewIdPermission("/client/clientEdit");
    sm.checkPermission(perm);

When this code runs in JBoss, an AccessControlException is thrown. It seems
that JBoss creates its own SecurityManager that hasn't been set up using my
Policy file.
HOW DO I GET JBOSS TO READ MY POLICY FILE?? Please Help!!
View the original post :
http://www.jboss.com/index.html?module=bb&op=viewtopic&p=4111987#4111987
_______________________________________________
jboss-user mailing list
https://lists.jboss.org/mailman/listinfo/jboss-user
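
A diagnostic for the situation described in the post, as an added example that is not part of the original post and not JBoss code: it reports which SecurityManager and Policy are active in the running JVM, and asks the active Policy directly whether a Subject's principals are granted a permission. The class name PolicyDiagnostics and the FilePermission sample in main are assumptions made for illustration; it assumes a JDK on which the Security Manager is still supported.

```java
import java.security.CodeSource;
import java.security.Permission;
import java.security.Policy;
import java.security.Principal;
import java.security.ProtectionDomain;
import java.security.cert.Certificate;
import javax.security.auth.Subject;

// Hypothetical helper (not from the post): call it inside the container,
// e.g. from a servlet, after the login module has populated the Subject.
public final class PolicyDiagnostics {

    /** Summarise the SecurityManager, Policy and policy-related properties in effect. */
    public static String describe() {
        SecurityManager sm = System.getSecurityManager();
        StringBuilder sb = new StringBuilder();
        sb.append("SecurityManager: ")
          .append(sm == null ? "none installed" : sm.getClass().getName()).append('\n');
        sb.append("Policy: ").append(Policy.getPolicy().getClass().getName()).append('\n');
        for (String key : new String[] {"java.security.policy",
                                        "java.security.auth.policy",
                                        "java.security.auth.login.config"}) {
            sb.append(key).append(" = ").append(System.getProperty(key)).append('\n');
        }
        return sb.toString();
    }

    /** Ask the active Policy whether code from any location, running as these principals, is granted perm. */
    public static boolean implied(Subject subject, Permission perm) {
        Principal[] principals = subject.getPrincipals().toArray(new Principal[0]);
        // Null location and certificates: only grants without a codeBase/signedBy can match.
        CodeSource anyCode = new CodeSource(null, (Certificate[]) null);
        ProtectionDomain pd = new ProtectionDomain(anyCode, null, null, principals);
        return Policy.getPolicy().implies(pd, perm);
    }

    public static void main(String[] args) {
        System.out.print(describe());
        // Constructed sample: an empty Subject and a standard JDK permission.
        Subject empty = new Subject();
        Permission perm = new java.io.FilePermission("/tmp/constructed-sample", "read");
        System.out.println("implied for empty Subject: " + implied(empty, perm));
    }
}
```

In the application, pass the authenticated Subject and the same permission object used in the failing checkPermission call to implied(); a false result means the Policy object the JVM is actually using does not contain the grant.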