Title: org.jboss.security.auth.spi.IdentityLoginModule

I'm working with JBoss 2.4.4 and trying to use this LoginModule implementation in the auth.conf as a way to mark certain beans with a role. In my configuration file, I have an entry like this:

restricted-bean {
  org.jboss.security.auth.spi.IdentityLoginModule required principal=restricted-bean roles=RESTRICTED;
};

Then I deploy a bunch of stateless session beans, each of which is configured to run-as RESTRICTED. I've included a jboss.xml file in each ear that declares a java:/jaas/restricted-bean security-domain, and followed all the instructions (I think). For now, the respective ejb-jar.xmls give the RESTRICTED role permission to invoke all methods (*) on each session bean. The beans deploy just fine, and invoke fine too.

Except when one of these beans invokes another, I get the following situation: when the invoked bean uses its EJBContext instance to check caller properties, getCallerPrincipal() returns "restricted-bean" as it should, but isCallerInRole( "RESTRICTED" ) returns false.

I've looked into the source code for org.jboss.security.auth.spi.IdentityLoginModule and I don't see any reason why the role doesn't get registered. Is there some problem with the way this login module handles its "roles" option? Are those roles not the same thing as checked by isCallerInRole()? Is there some sort of a catch that I should be aware of? Am I just completely missing the point?

Thanks in advance for any ideas.
-Boris
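For reference, here is the wiring the post describes written out as an ejb-jar.xml deployment descriptor. This is an added example, not the original poster's file or anything shipped with JBoss; the bean names, package and class names are placeholders, and it assumes the EJB 2.0 descriptor elements that a run-as configuration implies (the jboss.xml declaring the java:/jaas/restricted-bean security-domain is separate and is as the post describes). One detail worth checking: the EJB 2.0 spec requires the bean provider to declare every role name passed to isCallerInRole() in a security-role-ref and link it to a logical role; how a container resolves an undeclared name is container-specific, so the invoked bean here declares the link explicitly.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE ejb-jar PUBLIC "-//Sun Microsystems, Inc.//DTD Enterprise JavaBeans 2.0//EN"
  "http://java.sun.com/dtd/ejb-jar_2_0.dtd">
<ejb-jar>
  <enterprise-beans>

    <!-- Placeholder caller bean: every outbound call it makes runs as RESTRICTED -->
    <session>
      <ejb-name>CallerBean</ejb-name>
      <home>example.CallerHome</home>
      <remote>example.Caller</remote>
      <ejb-class>example.CallerBean</ejb-class>
      <session-type>Stateless</session-type>
      <transaction-type>Container</transaction-type>
      <security-identity>
        <run-as>
          <role-name>RESTRICTED</role-name>
        </run-as>
      </security-identity>
    </session>

    <!-- Placeholder callee bean: the one that calls isCallerInRole("RESTRICTED") -->
    <session>
      <ejb-name>CalleeBean</ejb-name>
      <home>example.CalleeHome</home>
      <remote>example.Callee</remote>
      <ejb-class>example.CalleeBean</ejb-class>
      <session-type>Stateless</session-type>
      <transaction-type>Container</transaction-type>
      <!-- The literal string used in the bean code, linked to the logical role.
           The spec requires this declaration for every name passed to isCallerInRole(). -->
      <security-role-ref>
        <role-name>RESTRICTED</role-name>
        <role-link>RESTRICTED</role-link>
      </security-role-ref>
    </session>

  </enterprise-beans>

  <assembly-descriptor>
    <!-- Logical role that method permissions, run-as and role-links all refer to -->
    <security-role>
      <role-name>RESTRICTED</role-name>
    </security-role>

    <!-- Same permission the post describes: RESTRICTED may invoke every method (*) -->
    <method-permission>
      <role-name>RESTRICTED</role-name>
      <method>
        <ejb-name>CallerBean</ejb-name>
        <method-name>*</method-name>
      </method>
      <method>
        <ejb-name>CalleeBean</ejb-name>
        <method-name>*</method-name>
      </method>
    </method-permission>
  </assembly-descriptor>
</ejb-jar>
```

The role-name inside security-role-ref must match the string in the code character for character; the role-link must match a security-role in the assembly descriptor. Keeping both explicit also makes the intended authorization visible to anyone reviewing the deployment rather than leaving it to the container's fallback behaviour.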