I'm trying to set up a security restriction on an EJB's methods, but I'm
running into a couple of confusing problems.
The first problem is that my client is able to connect to the server and call
the EJB methods freely, regardless of what kind of security I try to assign to
the methods; for example:
  <security-role>
    <role-name>DataImporter</role-name>
  </security-role>
  <method-permission>
    <role-name>DataImporter</role-name>
    <ejb-name>DataServices</ejb-name>
    <method-name>*</method-name>
  </method-permission>
The second problem is that my client can connect to JBoss, get a reference to
this EJB and call its methods without providing any authentication at all; or
even if it provides completely bogus authentication:
import java.util.Hashtable;
import javax.naming.Context;
import javax.naming.InitialContext;

// JNDI environment for the remote lookup; the two SECURITY_* entries are
// deliberately bogus to show that they are accepted anyway
Hashtable ht = new Hashtable();
ht.put(Context.INITIAL_CONTEXT_FACTORY, "org.jnp.interfaces.NamingContextFactory");
ht.put(Context.PROVIDER_URL, args[0]);   // e.g. jnp://host:1099, passed on the command line
ht.put(Context.URL_PKG_PREFIXES, "org.jboss.naming:org.jnp.interfaces");
ht.put(Context.SECURITY_PRINCIPAL, "garbage");
ht.put(Context.SECURITY_CREDENTIALS, "moregarbage");

// look up the home interface, create the bean and call a protected method
DataServicesHome home =
    (DataServicesHome) new InitialContext(ht).lookup(DataServicesHome.JNDI_NAME);
dataServices = home.create();   // dataServices is a field declared elsewhere in the client
dataServices.addOrUpdateCategory(null);
I don't understand why this code is allowed to even connect to JBoss at all,
let alone execute a security-protected method. (It runs with no exception.)
The third problem is that while I am aware that the role name I define in my
ejb-jar.xml file is not the same as the role names defined in my
roles.properties file, I have not found any information as to how to create an
association between the two.
Thanks for your help.
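The pieces that turn a method-permission into an enforced login check in JBoss 4.x, as an added example that is not part of the original post: the bean must be bound to a security domain in jboss.xml, that domain must name a login module in conf/login-config.xml, and roles.properties must grant the same role name that ejb-jar.xml uses. The domain name DataServicesDomain, the file names data-users.properties and data-roles.properties, and the user importer are assumptions.

```xml
<!-- META-INF/jboss.xml, packaged beside ejb-jar.xml (assumed file).
     Without <security-domain> JBoss adds no security interceptor to the
     bean, so the <method-permission> in ejb-jar.xml is never evaluated. -->
<jboss>
  <security-domain>java:/jaas/DataServicesDomain</security-domain>
  <enterprise-beans>
    <session>
      <ejb-name>DataServices</ejb-name>
    </session>
  </enterprise-beans>
</jboss>

<!-- server/default/conf/login-config.xml: the name after java:/jaas/ must
     match an <application-policy> entry, which selects the login module. -->
<application-policy name="DataServicesDomain">
  <authentication>
    <login-module code="org.jboss.security.auth.spi.UsersRolesLoginModule"
                  flag="required">
      <module-option name="usersProperties">data-users.properties</module-option>
      <module-option name="rolesProperties">data-roles.properties</module-option>
    </login-module>
  </authentication>
</application-policy>

<!-- Both properties files are read from the server classpath (for example
     from inside the EJB jar). The credential below is a constructed placeholder.
     data-users.properties   (one "user=password" line per user)
       importer=REPLACE_ME
     data-roles.properties   (one "user=role1,role2" line per user; the role
       is the exact <role-name> from ejb-jar.xml, there is no separate mapping)
       importer=DataImporter -->
```

On the client side the plain org.jnp.interfaces.NamingContextFactory does not act on Context.SECURITY_PRINCIPAL and Context.SECURITY_CREDENTIALS, whereas org.jboss.security.jndi.JndiLoginInitialContextFactory uses them to perform the JAAS client login, so once the domain above is in place a bogus password is rejected at the EJB call instead of being silently ignored.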
View the original post :
http://www.jboss.com/index.html?module=bb&op=viewtopic&p=3915946#3915946
JBoss-user mailing list
https://lists.sourceforge.net/lists/listinfo/jboss-user