It's not that I'm not going to authenticate the user at the web layer. Of course I will
authenticate him. But I can forget something and leave a possibility for a
user/hacker to call my business method without authentication. That would be
really bad. So now I'm trying to test this declarative permission setting and
it doesn't work for me =(
After debugging I came to the same conclusion: an unauthenticated user is assigned
the principal 'nobody'. But he isn't in role XUser, so theoretically he shouldn't
be able to call the method getInfo ...
Here is the listing with tracing turned on:
10:05:46,792 DEBUG [UserAjax] Setting Info ...
| 10:05:46,792 TRACE [SecurityAssociation] getPrincipal, principal=null
| 10:05:46,792 TRACE [LogInterceptor] Start method=create
| 10:05:46,792 TRACE [db_store] Begin isValid, principal:null, cache info: null
| 10:05:46,792 TRACE [db_store] defaultLogin, principal=null
| 10:05:46,792 TRACE [XMLLoginConfigImpl] Begin getAppConfigurationEntry(db_store), size=9
| 10:05:46,792 TRACE [XMLLoginConfigImpl] End getAppConfigurationEntry(db_store), authInfo=AppConfigurationEntry[]:
| [0]
| LoginModule Class: org.jboss.security.auth.spi.DatabaseServerLoginModule
| ControlFlag: LoginModuleControlFlag: required
| Options:name=hashEncoding, value=hex
| name=rolesQuery, value=SELECT 'XUser', 'Roles' FROM users WHERE usr_login = ?
| name=principalsQuery, value=SELECT usr_password FROM users WHERE usr_login = ?
| name=unauthenticatedIdentity, value=nobody
| name=hashAlgorithm, value=SHA1
| name=ignorePasswordCase, value=true
| name=dsJndiName, value=DS/Standard
|
| 10:05:46,792 TRACE [DatabaseServerLoginModule] initialize, [EMAIL PROTECTED]
| 10:05:46,792 TRACE [DatabaseServerLoginModule] Saw unauthenticatedIdentity=nobody
| 10:05:46,792 TRACE [DatabaseServerLoginModule] Password hashing activated: algorithm = SHA1, encoding = hex, charset = {default}, callback = null, storeCallback = null
| 10:05:46,792 TRACE [DatabaseServerLoginModule] DatabaseServerLoginModule, dsJndiName=DS/Standard
| 10:05:46,792 TRACE [DatabaseServerLoginModule] principalsQuery=SELECT usr_password FROM users WHERE usr_login = ?
| 10:05:46,792 TRACE [DatabaseServerLoginModule] rolesQuery=SELECT 'XUser', 'Roles' FROM users WHERE usr_login = ?
| 10:05:46,792 TRACE [DatabaseServerLoginModule] suspendResume=true
| 10:05:46,792 TRACE [DatabaseServerLoginModule] login
| 10:05:46,792 TRACE [DatabaseServerLoginModule] Authenticating as unauthenticatedIdentity=nobody
| 10:05:46,792 TRACE [DatabaseServerLoginModule] User 'nobody' authenticated, loginOk=true
| 10:05:46,792 TRACE [DatabaseServerLoginModule] commit, loginOk=true
| 10:05:46,792 TRACE [db_store] defaultLogin, [EMAIL PROTECTED], subject=Subject(18178978)[EMAIL PROTECTED](nobody)[EMAIL PROTECTED](Roles(members))
| 10:05:46,792 TRACE [db_store] updateCache, inputSubject=Subject(18178978)[EMAIL PROTECTED](nobody)[EMAIL PROTECTED](Roles(members)), cacheSubject=Subject(20991057)[EMAIL PROTECTED](nobody)[EMAIL PROTECTED](Roles(members))
| 10:05:46,792 TRACE [db_store] Inserted cache info: [EMAIL PROTECTED](20991057)[EMAIL PROTECTED](nobody)[EMAIL PROTECTED](Roles(members)),credential.class=null,expirationTime=1151044507027]
| 10:05:46,792 TRACE [db_store] End isValid, true
| 10:05:46,792 TRACE [SecurityAssociation] pushSubjectContext, subject=Subject:
| Principal: nobody
| Principal: Roles(members)
| , [EMAIL PROTECTED],subject=12450318}
| 10:05:46,792 TRACE [SecurityInterceptor] Authenticated principal=null
| 10:05:46,792 TRACE [SecurityInterceptor] method=public abstract ru.singlecity.ejb.main.user.User ru.singlecity.ejb.main.user.UserHome.create() throws java.rmi.RemoteException,javax.ejb.CreateException, interface=HOME, requiredRoles=[<ANYBODY>]
| 10:05:46,792 TRACE [SecurityAssociation] pushRunAsIdentity, runAs=null
| 10:05:46,792 TRACE [TxInterceptorCMT] Current transaction in MI is null
| 10:05:46,792 TRACE [TxInterceptorCMT] TX_REQUIRED for create timeout=0
| 10:05:46,792 TRACE [TxInterceptorCMT] Thread came in with tx null
| 10:05:46,792 TRACE [TxInterceptorCMT] Starting new tx TransactionImpl:XidImpl[FormatId=257, GlobalId=RUMATA/21, BranchQual=, localId=21]
| 10:05:46,807 TRACE [StatelessSessionInstancePool] Get instance [EMAIL PROTECTED] ru.singlecity.ejb.main.user.UserBean
| 10:05:46,823 TRACE [StatelessSessionInstancePool] 0/100 Free instance:[EMAIL PROTECTED] ru.singlecity.ejb.main.user.UserBean
| 10:05:46,823 TRACE [TxInterceptorCMT] TxInterceptorCMT: In finally
| 10:05:46,823 TRACE [SecurityAssociation] popRunAsIdentity, runAs=null
| 10:05:46,823 TRACE [SecurityAssociation] popSubjectContext, [EMAIL PROTECTED],subject=12450318}
| 10:05:46,823 TRACE [LogInterceptor] End method=create
| 10:05:46,823 TRACE [SecurityAssociation] getPrincipal, principal=null
| 10:05:46,823 TRACE [LogInterceptor] Start method=getInfo
| 10:05:46,823 TRACE [db_store] Begin isValid, principal:null, cache info: [EMAIL PROTECTED](20991057)[EMAIL PROTECTED](nobody)[EMAIL PROTECTED](Roles(members)),credential.class=null,expirationTime=1151044507027]
| 10:05:46,823 TRACE [db_store] Begin validateCache, [EMAIL PROTECTED](20991057)[EMAIL PROTECTED](nobody)[EMAIL PROTECTED](Roles(members)),credential.class=null,expirationTime=1151044507027];credential.class=null
| 10:05:46,823 TRACE [db_store] End validateCache, isValid=true
| 10:05:46,823 TRACE [db_store] End isValid, true
| 10:05:46,823 TRACE [SecurityAssociation] pushSubjectContext, subject=Subject:
| Principal: nobody
| Principal: Roles(members)
| , [EMAIL PROTECTED],subject=23507167}
| 10:05:46,823 TRACE [SecurityInterceptor] Authenticated principal=null
| 10:05:46,823 TRACE [SecurityInterceptor] method=public abstract ru.singlecity.ejb.common.entity.user.UserInfoEntity ru.singlecity.ejb.main.user.User.getInfo(long) throws java.rmi.RemoteException, interface=REMOTE, requiredRoles=[<ANYBODY>]
| 10:05:46,823 TRACE [SecurityAssociation] pushRunAsIdentity, runAs=null
| 10:05:46,823 TRACE [TxInterceptorCMT] Current transaction in MI is null
| 10:05:46,823 TRACE [TxInterceptorCMT] TX_SUPPORTS for getInfo
| 10:05:46,823 TRACE [TxInterceptorCMT] Thread came in with tx null
| 10:05:46,823 TRACE [StatelessSessionInstancePool] Get instance [EMAIL PROTECTED] ejb.main.user.UserBean
| 10:05:46,823 TRACE [db_store] getPrincipal, cache info: [EMAIL PROTECTED](20991057)[EMAIL PROTECTED](nobody)[EMAIL PROTECTED](Roles(members)),credential.class=null,expirationTime=1151044507027]
| 10:05:46,823 ERROR [UserOracleDAO] couldn't find login
| ejb.common.NoSuchLoginException: User with following login not found, login='nobody'
| at dao.user.UserOracleDAO.getUserIDByLogin(UserOracleDAO.java:1066)
| ......
View the original post :
http://www.jboss.com/index.html?module=bb&op=viewtopic&p=3952882#3952882
Reply to the post :
http://www.jboss.com/index.html?module=bb&op=posting&mode=reply&p=3952882
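The trace in the post already contains the answer to the question it asks: for both `UserHome.create()` and `User.getInfo(long)` the SecurityInterceptor logs `requiredRoles=[<ANYBODY>]`, meaning the container resolved no role requirement for those methods, so the `unauthenticatedIdentity` principal `nobody` is admitted without ever being compared against `XUser`. A declared permission would show up in that same field as the role name. The script below is an added example, not code from the post or from JBoss: it scans SecurityInterceptor TRACE lines and reports which bean methods are reachable by any caller, which is the check to run against what ejb-jar.xml is supposed to declare. The sample lines are constructed to mirror the two line shapes visible in the post (with the wrapped method signature joined onto one line), and the `setInfo`/`deleteInfo` methods and the principal `alice` are invented for illustration.

```python
"""Audit JBoss SecurityInterceptor TRACE output for EJB methods whose
method permission resolved to <ANYBODY> (no role required).

Added example; assumes only the two TRACE line shapes seen in the post:
an "Authenticated principal=..." line followed by the
"method=..., interface=..., requiredRoles=[...]" line of the same call.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample, modelled on the post's trace. setInfo/deleteInfo and
# the principal 'alice' are hypothetical; the first two calls mirror the post.
SAMPLE_TRACE = """\
10:05:46,792 TRACE [SecurityInterceptor] Authenticated principal=null
10:05:46,792 TRACE [SecurityInterceptor] method=public abstract ru.singlecity.ejb.main.user.User ru.singlecity.ejb.main.user.UserHome.create() throws java.rmi.RemoteException,javax.ejb.CreateException, interface=HOME, requiredRoles=[<ANYBODY>]
10:05:46,823 TRACE [SecurityInterceptor] Authenticated principal=null
10:05:46,823 TRACE [SecurityInterceptor] method=public abstract ru.singlecity.ejb.common.entity.user.UserInfoEntity ru.singlecity.ejb.main.user.User.getInfo(long) throws java.rmi.RemoteException, interface=REMOTE, requiredRoles=[<ANYBODY>]
10:05:47,100 TRACE [SecurityInterceptor] Authenticated principal=alice
10:05:47,100 TRACE [SecurityInterceptor] method=public abstract void ru.singlecity.ejb.main.user.User.setInfo(long) throws java.rmi.RemoteException, interface=REMOTE, requiredRoles=[XUser]
10:05:47,250 TRACE [SecurityInterceptor] Authenticated principal=null
10:05:47,250 TRACE [SecurityInterceptor] method=public abstract void ru.singlecity.ejb.main.user.User.deleteInfo(long) throws java.rmi.RemoteException, interface=REMOTE, requiredRoles=[<NOBODY>]
"""

PRINCIPAL_RE = re.compile(r"\[SecurityInterceptor\] Authenticated principal=(\S+)")
METHOD_RE = re.compile(
    r"\[SecurityInterceptor\] method=(?P<sig>.+?), interface=(?P<iface>\w+), "
    r"requiredRoles=\[(?P<roles>[^\]]*)\]"
)


@dataclass
class Invocation:
    principal: Optional[str]     # None when the interceptor logged principal=null
    method: str                  # fully qualified bean method, e.g. ...User.getInfo
    interface: str               # HOME, REMOTE, LOCAL, ...
    required_roles: List[str]

    @property
    def unchecked(self) -> bool:
        """No role required: every caller, including the unauthenticatedIdentity,
        is admitted. This is what the post's trace shows for getInfo."""
        return "<ANYBODY>" in self.required_roles


def _method_name(signature: str) -> str:
    # "public abstract T a.b.User.getInfo(long) throws ..." -> "a.b.User.getInfo"
    before_params = signature.split("(", 1)[0]
    return before_params.split()[-1]


def parse_trace(text: str) -> List[Invocation]:
    """Pair each 'Authenticated principal' line with the method line that follows it."""
    invocations: List[Invocation] = []
    principal: Optional[str] = None
    for line in text.splitlines():
        m = PRINCIPAL_RE.search(line)
        if m:
            principal = None if m.group(1) == "null" else m.group(1)
            continue
        m = METHOD_RE.search(line)
        if m:
            roles = [r.strip() for r in m.group("roles").split(",") if r.strip()]
            invocations.append(
                Invocation(principal, _method_name(m.group("sig")), m.group("iface"), roles)
            )
    return invocations


def unchecked_methods(text: str) -> List[str]:
    """Methods any caller may invoke; compare this list with the
    method-permission entries you believe ejb-jar.xml declares."""
    return sorted({inv.method for inv in parse_trace(text) if inv.unchecked})


def report(text: str) -> List[str]:
    """One human-readable line per invocation, flagging the unchecked ones."""
    lines = []
    for inv in parse_trace(text):
        who = inv.principal or "<unauthenticated>"
        flag = "UNCHECKED" if inv.unchecked else "role-protected"
        lines.append(f"{flag:15} {inv.interface:6} {inv.method} caller={who} roles={inv.required_roles}")
    return lines


if __name__ == "__main__":
    print("\n".join(report(SAMPLE_TRACE)))
    print("Methods reachable by any caller:", unchecked_methods(SAMPLE_TRACE))
```

Run against a real server.log the script takes the trace text as input instead of `SAMPLE_TRACE`; any method listed by `unchecked_methods` that you expected to require `XUser` is where the declarative configuration and the deployed metadata disagree.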
_______________________________________________
JBoss-user mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/jboss-user