The security-domain in jboss.xml is valid for all beans it belongs to. If
you want to restrict the security to particular beans, separate them into
different jars with different jboss.xml.

Annegret

-----Original Message-----
From: Andrea Cervellati [mailto:[EMAIL PROTECTED]]
Sent: Monday, January 21, 2002 17:56
To: [EMAIL PROTECTED]
Subject: [JBoss-user] security problem with Jboss+Tomcat


Hi,

 I'm using JBoss and Tomcat for my web application.

 I have two stateful session ejbs: InsegnamentiEJB and MatDidEJB.

 The MatDidEJB is restricted to a security domain, but the other is not.
 So I did not specify any method permission in the ejb-jar.xml for the first
 bean, but only for the second one:

 <assembly-descriptor>
   <security-role>
     <role-name>docente</role-name>
   </security-role>

   <method-permission>
     <role-name>docente</role-name>
     <method>
       <ejb-name>MatDidEJB</ejb-name>
       <method-name>*</method-name>
     </method>
   </method-permission>
 </assembly-descriptor>

 I want to use the database login module for the authentication of users so
 I had to change the standard configurations adding the following jboss.xml:

 <jboss> <security-domain>java:/jaas/modulojdbc</security-domain>
 </jboss>

 where modulojdbc is the JNDI name of the authorization configuration in the
 auth.conf file.

 Then I have two JSPs: Insegnamenti.jsp and MatDid.jsp.

 When the user connects to the first he/she doesn't need to be authenticated
 and can access the related ejb.
 On the bottom of the page there is a link to the other jsp and if the user
 clicks it he/she must authenticate himself/herself with a login form.

 My web.xml contains the following:

 <security-constraint>

 <web-resource-collection>
 <web-resource-name>area riservata</web-resource-name> 
 <url-pattern>/MatDid.jsp</url-pattern>
 <http-method>DELETE</http-method>
 <http-method>GET</http-method>
 <http-method>POST</http-method>
 <http-method>PUT</http-method>
 </web-resource-collection>

 <auth-constraint>
 <role-name>docente</role-name>
 </auth-constraint>

 </security-constraint>


 The problem is that when the user connects to the Insegnamenti.jsp and tries
 to connect to the InsegnamentiEJB the following exception occurs:

 javax.servlet.ServletException: checkSecurityAssociation; 
 nested exception is: 
 java.lang.SecurityException: Authentication exception, 
 principal=null; nested exception is: 
 java.rmi.RemoteException: checkSecurityAssociation; nested 
 exception is: 
 java.lang.SecurityException: Authentication exception, 
 principal=null

 It seems that as long as I set the jboss configuration with the jboss.xml,
 any user that tries to access the beans must be authenticated! WHY?!

 How can I restrict the authentication only to ONE particular ejb?

 PLEASE HELP!!!!!

 Thanks in advance

 bye


_______________________________________________
JBoss-user mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/jboss-user
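
Added example (not part of the thread, and not JBoss code): a small Python audit of EJB jar descriptors that reflects the reply's point that a jboss.xml security-domain covers every bean in its jar. The descriptors are constructed minimal samples using the bean names, role and domain from the post; the function names are hypothetical.

```python
import xml.etree.ElementTree as ET

# jboss.xml from the post: one security-domain for the whole jar.
DOMAIN_XML = "<jboss><security-domain>java:/jaas/modulojdbc</security-domain></jboss>"

def ejb_jar(beans, protected):
    """Build a minimal, constructed ejb-jar.xml (bean classes omitted)."""
    sessions = "".join("<session><ejb-name>%s</ejb-name></session>" % b for b in beans)
    perms = "".join(
        "<method-permission><role-name>docente</role-name><method>"
        "<ejb-name>%s</ejb-name><method-name>*</method-name></method>"
        "</method-permission>" % b for b in protected)
    return ("<ejb-jar><enterprise-beans>%s</enterprise-beans>"
            "<assembly-descriptor>%s</assembly-descriptor></ejb-jar>" % (sessions, perms))

def audit_jar(jboss_xml, ejb_jar_xml):
    """Map each bean in one jar to how the jar-wide security-domain affects it."""
    domain = ET.fromstring(jboss_xml).findtext("security-domain") if jboss_xml else None
    root = ET.fromstring(ejb_jar_xml)
    protected = {e.text.strip() for e in
                 root.findall("assembly-descriptor/method-permission/method/ejb-name")}
    status = {}
    for e in root.findall("enterprise-beans/*/ejb-name"):
        bean = e.text.strip()
        if not domain:
            status[bean] = "open"  # no domain: callers are not authenticated
        elif bean in protected:
            status[bean] = "secured"  # domain plus a method-permission
        else:
            # The situation reported in the post: domain applies, no role declared.
            status[bean] = "login required, no method-permission"
    return status

def single_jar():
    # Layout from the original post: both beans share one jboss.xml.
    return audit_jar(DOMAIN_XML, ejb_jar(["InsegnamentiEJB", "MatDidEJB"], ["MatDidEJB"]))

def split_jars():
    # Layout suggested in the reply: one jar per security requirement.
    result = audit_jar(None, ejb_jar(["InsegnamentiEJB"], []))
    result.update(audit_jar(DOMAIN_XML, ejb_jar(["MatDidEJB"], ["MatDidEJB"])))
    return result

if __name__ == "__main__":
    for name, layout in (("single jar", single_jar()), ("split jars", split_jars())):
        print(name, layout)
```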
