More help needed
mmills Oct 8, 2001 9:07 AM
I seem to have figured out basic authentication.
I can request a "secure" page and get a login box. It even authenticates against a database. The page I request then makes calls to an EJB (see User code below) which work.
The problem comes when I try to make a link from that page to a new one that uses a different EJB (see RoleManager below). The calls now fail with InsufficientPermissions because the principal is null.
How do I keep the principal available so all calls to EJBs work?
My environment is:
jboss 2.4.1/tomcat 3.2.3
auth.conf
---------
// JAAS login entry "staffapp". The web and EJB descriptors in this post select it
// through the security domain java:/jaas/staffapp.
//
// principalsQuery returns the stored password for the supplied user id. Nothing in
// this entry configures hashing, so the column presumably holds plaintext
// passwords; confirm, and restrict read access to systemusers accordingly.
//
// rolesQuery returns (r.description, r.rolegroup) for the user id. The module is
// documented to read the first column as the role name and the second as the role
// group; verify that r.rolegroup yields the group the container checks ("Roles").
//
// unauthenticatedIdentity=nobody gives callers that present no credentials the
// identity "nobody" instead of failing the login. Confirm that no userroles row
// grants a role to the userid "nobody".
staffapp {
    org.jboss.security.auth.spi.DatabaseServerLoginModule required
        dsJndiName="java:/Staff"
        principalsQuery="select password from systemusers where userid=?"
        rolesQuery="select r.description, r.rolegroup from role r, userroles ur where ur.userid=? and ur.roleid = r.id"
        unauthenticatedIdentity=nobody
    ;
};
// JAAS login entry "client-login". ClientLoginModule does not authenticate anyone;
// it only hands the supplied principal and credential to the JBoss invocation
// layer so they travel with later EJB calls.
//
// multi-threaded=true keeps that principal and credential per thread, so a thread
// that has not logged in carries no principal.
//
// NOTE(review): the JBoss documentation lists useFirstPass as the password-stacking
// value for this module; confirm that tryFirstPass is honoured by this version.
client-login {
    org.jboss.security.ClientLoginModule required
        multi-threaded=true
        password-stacking=tryFirstPass
    ;
};
web.xml
-------
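<!-- Requires an authenticated caller in role User or Echo for every request under
     /secure/ and /htdocs/secure/. Only paths matching these two patterns trigger
     the container login; a page linked from here that lives outside them is
     served without authentication, which presumably leaves its EJB calls with no
     caller principal. Verify the URL of the linked page. -->
<security-constraint>
  <web-resource-collection>
    <web-resource-name>Secure Staffapp</web-resource-name>
    <url-pattern>/secure/*</url-pattern>
    <url-pattern>/htdocs/secure/*</url-pattern>
    <!-- No http-method elements on purpose: with none listed the constraint covers
         all HTTP methods. Listing only POST and GET left HEAD, PUT, DELETE and
         other methods on these paths outside the constraint. -->
  </web-resource-collection>
  <auth-constraint>
    <role-name>User</role-name>
    <role-name>Echo</role-name>
  </auth-constraint>
  <user-data-constraint>
    <!-- The posted listing had this text without its description tags. -->
    <description>no description</description>
    <!-- NOTE(review): the login-config in this post uses BASIC, which sends the
         user id and password base64-encoded (not encrypted) on every request.
         With NONE they cross the network in clear; switch to CONFIDENTIAL once an
         SSL connector is configured. -->
    <transport-guarantee>NONE</transport-guarantee>
  </user-data-constraint>
</security-constraint>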
<!-- HTTP BASIC authentication for the constrained URLs. realm-name is the realm
     string sent in the browser challenge; the JAAS entry that actually checks the
     credentials is chosen by security-domain in jboss-web.xml. -->
<login-config>
  <auth-method>BASIC</auth-method>
  <realm-name>staffapp</realm-name>
</login-config>
jboss-web.xml
-------------
<!-- Binds the web application to the JAAS entry "staffapp" from auth.conf. The
     jboss.xml fragments in this post name the same domain for the EJBs. -->
<jboss-web>
  <security-domain>java:/jaas/staffapp</security-domain>
</jboss-web>
User-ejb-jar.xml
----------------
<!-- Deployment descriptor fragment for the User bean.
     NOTE(review): as posted, the listing appears to have lost elements. ejb-name
     normally sits inside a session or entity element, and method-permission
     normally carries one or more role-name elements plus a method wrapper around
     ejb-name and method-name. Confirm against the real file which roles are
     granted here. -->
<ejb-jar>
<enterprise-beans>
<ejb-name>User</ejb-name>
</enterprise-beans>
<assembly-descriptor>
<!-- method-name * covers every method of the bean, so whichever roles the real
     descriptor lists may call all of them. -->
<method-permission>
<ejb-name>User</ejb-name>
<method-name>*</method-name>
</method-permission>
</assembly-descriptor>
</ejb-jar>
User-jboss.xml
<!-- jboss.xml fragment for the User bean; the posted listing shows no root element.
     security-domain names the same JAAS entry (staffapp) as jboss-web.xml in this
     post, so EJB calls are checked against the domain that authenticates web
     requests. The bean is bound in JNDI as framework/User. -->
<security-domain>java:/jaas/staffapp</security-domain>
<enterprise-beans>
<ejb-name>User</ejb-name>
<jndi-name>framework/User</jndi-name>
</enterprise-beans>
RoleManager-ejb-jar.xml
-----------------------
<!-- Deployment descriptor fragment for RoleManager, a stateless session bean with
     container-managed transactions.
     NOTE(review): as posted, the listing appears to have lost elements. The bean
     entries normally sit inside a session element, and method-permission normally
     carries one or more role-name elements plus a method wrapper around ejb-name
     and method-name. Confirm against the real file which roles are granted here. -->
<ejb-jar>
<enterprise-beans>
<ejb-name>RoleManager</ejb-name>
<session-type>Stateless</session-type>
<transaction-type>Container</transaction-type>
</enterprise-beans>
<assembly-descriptor>
<!-- method-name * covers every method of the bean, so whichever roles the real
     descriptor lists may call all of them. -->
<method-permission>
<ejb-name>RoleManager</ejb-name>
<method-name>*</method-name>
</method-permission>
</assembly-descriptor>
</ejb-jar>
RoleManager-jboss.xml
---------------------
<!-- jboss.xml fragment for the RoleManager bean; the posted listing shows no root
     element. security-domain names the same JAAS entry (staffapp) as jboss-web.xml
     in this post, so calls to this bean need a caller principal established in
     that domain. The bean is bound in JNDI as framework/RoleManager. -->
<security-domain>java:/jaas/staffapp</security-domain>
<enterprise-beans>
<ejb-name>RoleManager</ejb-name>
<jndi-name>framework/RoleManager</jndi-name>
</enterprise-beans>