Hello,
I am able to set up accounts and protect web resources in my application, but
I'm unable to figure out how to protect my EJBs.
Here is what I have done so far:
(1) I created users.properties and roles.properties files, and deployed them to
the ".ear" directory.
(2) I did not create any jboss-web.xml file, so my default security realm ought
to be the one defined in the jboss-service.xml file in the Tomcat directory;
i.e. java:/jaas/other.
(3) I added all of this to my web.xml file:
<security-constraint>
  <web-resource-collection>
    <web-resource-name>Administrative</web-resource-name>
    <url-pattern>/admin/*</url-pattern>
    <http-method>GET</http-method>
    <http-method>POST</http-method>
  </web-resource-collection>
  <auth-constraint>
    <role-name>Producer</role-name>
  </auth-constraint>
</security-constraint>
<login-config>
  <auth-method>BASIC</auth-method>
  <realm-name>default</realm-name>
</login-config>
<security-role>
  <description>Website producers</description>
  <role-name>Producer</role-name>
</security-role>
So far this does what I want: when I try to access any web resource at or below
/admin, I'm prompted for a login. Entering a name and password from the
users.properties file which has the Producer role lets me in.
Next, I want to assign the same protection to some EJB methods, so I did this:
(1) I created a jboss.xml file and typed this into it:
<security-domain>java:/jaas/other</security-domain>
(2) I deployed the jboss.xml file to my EJB's META-INF directory (same place as
ejb-jar.xml).
(3) I modified my ejb-jar.xml file as follows:
<security-role>
  <role-name>Producer</role-name>
</security-role>
<method-permission>
  <role-name>Producer</role-name>
  <method>
    <ejb-name>DataServices</ejb-name>
    <method-name>*</method-name>
  </method>
</method-permission>
(4) I added this code to my EJB client application, which runs outside of the
JBoss container:
ht.put(Context.INITIAL_CONTEXT_FACTORY,
       "org.jnp.interfaces.NamingContextFactory");
ht.put(Context.PROVIDER_URL, args[0]);
ht.put(Context.URL_PKG_PREFIXES, "org.jboss.naming:org.jnp.interfaces");
ht.put(Context.SECURITY_PRINCIPAL, username);
ht.put(Context.SECURITY_CREDENTIALS, password);
ht.put(Context.SECURITY_AUTHENTICATION, "simple");
Regardless of what username and password I pass here - valid or invalid - I get
this exception when I try to call the create() method on the EJB's home object:
java.rmi.ServerException: RemoteException occurred in server thread; nested exception is:
    java.rmi.AccessException: SecurityException; nested exception is:
    javax.security.auth.login.FailedLoginException: Password Incorrect/Password Required
It would seem that while JBoss has correctly figured out that some sort of
login is required to access the EJB, it does not recognize the supplied
credentials.
Any advice would be appreciated, thanks.
Frank
View the original post :
http://www.jboss.com/index.html?module=bb&op=viewtopic&p=3918716#3918716
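
An added example, not part of the post above and not JBoss's own code: with org.jnp.interfaces.NamingContextFactory the Context.SECURITY_PRINCIPAL and Context.SECURITY_CREDENTIALS entries are not carried over to EJB invocations, so a standalone client normally establishes its identity with a JAAS login through org.jboss.security.ClientLoginModule before calling the home interface. The class name EjbClientLogin and the configuration name "client-login" are assumptions, and the JBoss client jar is assumed to be on the classpath.

```java
import java.util.Collections;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.NameCallback;
import javax.security.auth.callback.PasswordCallback;
import javax.security.auth.callback.UnsupportedCallbackException;
import javax.security.auth.login.AppConfigurationEntry;
import javax.security.auth.login.AppConfigurationEntry.LoginModuleControlFlag;
import javax.security.auth.login.Configuration;
import javax.security.auth.login.LoginContext;
import javax.security.auth.login.LoginException;

public final class EjbClientLogin {   // hypothetical helper class
    // Inline JAAS configuration, equivalent to an auth.conf entry that lists
    // org.jboss.security.ClientLoginModule as "required" (no options set).
    private static final Configuration CLIENT_CONFIG = new Configuration() {
        public AppConfigurationEntry[] getAppConfigurationEntry(String name) {
            return new AppConfigurationEntry[] {
                new AppConfigurationEntry("org.jboss.security.ClientLoginModule",
                    LoginModuleControlFlag.REQUIRED, Collections.<String, Object>emptyMap())
            };
        }
        public void refresh() { }
    };

    // ClientLoginModule does not verify the password itself; it hands the name and
    // password to the invocation layer, and the server's security domain checks them.
    public static LoginContext login(final String username, final char[] password)
            throws LoginException {
        CallbackHandler handler = new CallbackHandler() {
            public void handle(Callback[] callbacks) throws UnsupportedCallbackException {
                for (Callback cb : callbacks) {
                    if (cb instanceof NameCallback) {
                        ((NameCallback) cb).setName(username);
                    } else if (cb instanceof PasswordCallback) {
                        ((PasswordCallback) cb).setPassword(password);
                    } else {
                        throw new UnsupportedCallbackException(cb);
                    }
                }
            }
        };
        LoginContext lc = new LoginContext("client-login", null, handler, CLIENT_CONFIG);
        lc.login();
        return lc;
    }
}
```

Call EjbClientLogin.login(username, password.toCharArray()) before home.create(), and call logout() on the returned LoginContext when the client is finished so the credentials are cleared.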