Well, I can't see the stack trace of the exception, 'cause I don't see any exception message, but only the page in the browser with the "HTTP Status 403 - Access to the requested resource has been denied" message.

Anyway, I'm using JBoss 2.4.3-Tomcat 4.0, and I'm told that this release is buggy about security, so I think I'll try my web app with JBoss 2.4.3-Tomcat 3.2.3.

Thank you very much for your help, Annegret, you're very kind.

>From: "Sternagel Annegret (PN-SYS/PE)" <[EMAIL PROTECTED]>
>To: "'Andrea Cervellati'" <[EMAIL PROTECTED]>
>Cc: "'[EMAIL PROTECTED]'" <[EMAIL PROTECTED]>
>Subject: RE: [JBoss-user] security problem with Jboss+Tomcat
>Date: Tue, 22 Jan 2002 15:46:04 +0100
>
>Hello Andrea,
>
>I don't know how to solve your strange problem.
>What I can say:
>
>the server output
> [Default] User 'leonardi' authenticated.
>shows that the user is recognized and the password is correct;
>it says nothing about access rights.
>The access rights are checked during the first access to a secured bean.
>
>Which exception exactly occurs when the login fails?
>Can you post the stack trace?
>
>Annegret
>
>P.S.: Please post also to the list, not only to me ;-)
>
>-----Original Message-----
>From: Andrea Cervellati [mailto:[EMAIL PROTECTED]]
>Sent: Tuesday, 22 January 2002 14:48
>To: [EMAIL PROTECTED]
>Subject: RE: [JBoss-user] security problem with Jboss+Tomcat
>
>
>Thank you very much for the advice.
>
>I separated the EJBs into two different jar files and I fixed the problem.
>
>Anyway, I have another problem.
>
>When I start up the server, the first user that tries to access the protected resources gets the login failure even if the credentials are right. The strange thing is that the server seems to recognize the user, 'cause it prints the following:
>
>[EmbeddedCatalinaServiceSX] jsp: init
>[Default] User 'leonardi' authenticated.
>
>Another strange thing is that if the same user tries to access the same resource again, the login goes well.
>
>This happens not only with the user 'leonardi' but with any other user that is the first after a start-up operation.
>
>I'm using a database login module and I have the configuration bound under the JNDI name 'java:/jaas/modulojdbc'. When the server is deploying the app I can read the message:
>
>[Container factory] Deploying MatDidEJB
>[Default] lookup securityDomain manager name: java:/jaas/modulojdbc
>[JaasSecurityManagerService] Created securityMgr=org.jboss.security.plugins.JaasSecurityManager@4cd580
>[JaasSecurityManagerService] setCachePolicy, c=null
>[JaasSecurityManagerService] Added modulojdbc, org.jboss.security.plugins.JaasSecurityManager@4cd580 to map
>
>so it seems everything is OK!
>
>So what should I do?
>
>Thanks again
>
>
>>From: "Sternagel Annegret (PN-SYS/PE)" <[EMAIL PROTECTED]>
>>To: [EMAIL PROTECTED]
>>Subject: RE: [JBoss-user] security problem with Jboss+Tomcat
>>Date: Tue, 22 Jan 2002 09:39:08 +0100
>>
>>The security-domain in jboss.xml is valid for all beans it belongs to. If you want to restrict the security to particular beans, separate them in different jars with different jboss.xml.
>>
>>Annegret
>>
>>-----Original Message-----
>>From: Andrea Cervellati [mailto:[EMAIL PROTECTED]]
>>Sent: Monday, 21 January 2002 17:56
>>To: [EMAIL PROTECTED]
>>Subject: [JBoss-user] security problem with Jboss+Tomcat
>>
>>
>>Hi,
>>
>> I'm using JBoss and Tomcat for my web application.
>>
>> I have two stateful session EJBs: InsegnamentiEJB and MatDidEJB.
>>
>> The MatDidEJB is restricted to a security domain, but the other is not.
>> So I did not specify any method permission in the ejb-jar.xml for the first bean, but only for the second one:
>>
>> <assembly-descriptor>
>>   <security-role>
>>     <role-name>docente</role-name>
>>   </security-role>
>>
>>   <method-permission>
>>     <role-name>docente</role-name>
>>     <method>
>>       <ejb-name>MatDidEJB</ejb-name>
>>       <method-name>*</method-name>
>>     </method>
>>   </method-permission>
>> </assembly-descriptor>
>>
>> I want to use the database login module for the authentication of users, so I had to change the standard configuration by adding the following jboss.xml:
>>
>> <jboss>
>>   <security-domain>java:/jaas/modulojdbc</security-domain>
>> </jboss>
>>
>> where modulojdbc is the JNDI name of the authorization configuration in the auth.conf file.
>>
>> Then I have two JSPs: Insegnamenti.jsp and MatDid.jsp.
>>
>> When the user connects to the first, he/she doesn't need to be authenticated and can access the related EJB.
>> At the bottom of the page there is a link to the other JSP, and if the user clicks it he/she must authenticate himself/herself with a login form.
>>
>> My web.xml contains the following:
>>
>> <security-constraint>
>>
>>   <web-resource-collection>
>>     <web-resource-name>area riservata</web-resource-name>
>>     <url-pattern>/MatDid.jsp</url-pattern>
>>     <http-method>DELETE</http-method>
>>     <http-method>GET</http-method>
>>     <http-method>POST</http-method>
>>     <http-method>PUT</http-method>
>>   </web-resource-collection>
>>
>>   <auth-constraint>
>>     <role-name>docente</role-name>
>>   </auth-constraint>
>>
>> </security-constraint>
>>
>>
>> The problem is that when the user connects to Insegnamenti.jsp and tries to connect to the InsegnamentiEJB, the following exception occurs:
>>
>> javax.servlet.ServletException: checkSecurityAssociation;
>> nested exception is:
>> java.lang.SecurityException: Authentication exception, principal=null; nested exception is:
>> java.rmi.RemoteException: checkSecurityAssociation; nested exception is:
>> java.lang.SecurityException: Authentication exception, principal=null
>>
>> It seems that as long as I set the JBoss configuration with the jboss.xml, any user that tries to access the beans must be authenticated! WHY?!
>>
>> How can I restrict the authentication to only ONE particular EJB?
>>
>> PLEASE HELP!!!!!
>>
>> Thanks in advance
>>
>> bye
>>
>>
>>_______________________________________________
>>JBoss-user mailing list
>>[EMAIL PROTECTED]
>>https://lists.sourceforge.net/lists/listinfo/jboss-user
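The following is an added example, not from the thread or from JBoss, that lints the three descriptors posted above for the two problems the thread turns on. First, the jboss.xml <security-domain> applies to every bean in the jar (as the reply states), so a bean with no <method-permission> in that jar is not "open"; it is still subject to checkSecurityAssociation and fails with principal=null until it is moved to a jar without a security-domain. Second, a caveat the thread does not raise: under the Servlet 2.3 rules that Tomcat 4 implements, a <security-constraint> that lists <http-method> elements protects only those methods, so the constraint on /MatDid.jsp leaves HEAD, OPTIONS and TRACE unauthenticated; omitting the <http-method> list protects all methods. The descriptors are embedded as constructed sample input, with the unclosed <security-role> tag from the post corrected; the bean list in <enterprise-beans> is assumed, since the post shows only the assembly-descriptor.

```python
"""Lint J2EE/JBoss 2.4 descriptors for the two problems in the thread.

Added example; the XML below is constructed from the posted descriptors.
"""
import xml.etree.ElementTree as ET

WEB_XML = """<web-app>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>area riservata</web-resource-name>
      <url-pattern>/MatDid.jsp</url-pattern>
      <http-method>DELETE</http-method>
      <http-method>GET</http-method>
      <http-method>POST</http-method>
      <http-method>PUT</http-method>
    </web-resource-collection>
    <auth-constraint><role-name>docente</role-name></auth-constraint>
  </security-constraint>
</web-app>"""

# <enterprise-beans> is assumed; the post only shows the assembly-descriptor.
EJB_JAR_XML = """<ejb-jar>
  <enterprise-beans>
    <session><ejb-name>InsegnamentiEJB</ejb-name></session>
    <session><ejb-name>MatDidEJB</ejb-name></session>
  </enterprise-beans>
  <assembly-descriptor>
    <security-role><role-name>docente</role-name></security-role>
    <method-permission>
      <role-name>docente</role-name>
      <method><ejb-name>MatDidEJB</ejb-name><method-name>*</method-name></method>
    </method-permission>
  </assembly-descriptor>
</ejb-jar>"""

JBOSS_XML = """<jboss>
  <security-domain>java:/jaas/modulojdbc</security-domain>
</jboss>"""

# HTTP/1.1 methods a container routes to a JSP. A constraint that names
# some methods leaves every other one unconstrained (Servlet 2.3, Tomcat 4).
HTTP_METHODS = {"GET", "POST", "PUT", "DELETE", "HEAD", "OPTIONS", "TRACE"}


def uncovered_http_methods(web_xml):
    """Map each constrained url-pattern to the HTTP methods its constraint does not cover."""
    root = ET.fromstring(web_xml)
    result = {}
    for sc in root.iter("security-constraint"):
        for wrc in sc.iter("web-resource-collection"):
            listed = {m.text.strip().upper() for m in wrc.iter("http-method")}
            # An empty <http-method> list means the constraint covers all methods.
            gaps = sorted(HTTP_METHODS - listed) if listed else []
            for pattern in wrc.iter("url-pattern"):
                result[pattern.text.strip()] = gaps
    return result


def unpermissioned_beans_in_secured_jar(ejb_jar_xml, jboss_xml):
    """Beans with no <method-permission> in a jar whose jboss.xml sets a security-domain.

    Such beans are still run through checkSecurityAssociation (principal=null
    for an unauthenticated caller) and belong in a separate jar. Returns []
    when no security-domain is set, because then nothing is enforced.
    """
    if not ET.fromstring(jboss_xml).findtext("security-domain"):
        return []
    root = ET.fromstring(ejb_jar_xml)
    beans = {b.text.strip() for b in root.find("enterprise-beans").iter("ejb-name")}
    permissioned = {m.findtext("ejb-name").strip()
                    for mp in root.iter("method-permission")
                    for m in mp.iter("method")}
    return sorted(beans - permissioned)


if __name__ == "__main__":
    for pattern, gaps in uncovered_http_methods(WEB_XML).items():
        if gaps:
            print("%s: constraint does not cover %s" % (pattern, ", ".join(gaps)))
    for bean in unpermissioned_beans_in_secured_jar(EJB_JAR_XML, JBOSS_XML):
        print("%s: no method-permission but jar has a security-domain; "
              "deploy it in a jar without one" % bean)
```

Run against the posted descriptors, the script reports /MatDid.jsp as uncovered for HEAD, OPTIONS and TRACE, and InsegnamentiEJB as a bean that needs its own jar, which is the split the thread ends up making.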
