3 Replies Latest reply on Oct 18, 2001 12:42 AM by starksm64

    Accessing secure beans from unsecure JSP

    mmills

      I have some unsecure JSPs that I need to display initially before the user has logged in. They need to access some EJBs that are secured, but the methods needed are not (method-permission unchecked).

      When I call this, I get the "principal=null" authorization exception.

      Is there any way to allow unauthenticated users to access unrestricted methods of a secured EJB?

      I am using FORM based authentication with a DatabaseServerLoginModule for both the web and EJB tiers. I am running JBoss 2.4.3 with Tomcat 3.2.3.

      Thanks,
      Maury

        • 1. Re: Accessing secure beans from unsecure JSP
          ko5tik

          AFAIK, null principal is no longer a problem of barfing.
          I use a special role "nobody" for this purpose,
          and a login module which gives role "nobody" to
          every user, authenticated or not.

          BTW, some login modules have a parameter which allows assignment of a certain role to unauthenticated users.


          AFAIK, "unchecked" permission exists for EJB2.0 only.

          • 2. Re: Accessing secure beans from unsecure JSP
            mmills

            Thanks for your reply, however I am getting the principal=null exception.

            Has this been fixed in a newer release of JBoss? I am using 2.4.3.

            Did you create a new login module or use an existing one? When you say "some login modules have parameter..." which ones and how is that used?

            • 3. Re: Accessing secure beans from unsecure JSP
              starksm64

              Use the unauthenticatedIdentity option to set what
              principal name users without login credentials will
              be mapped to:

              login-config {
                  org.jboss.security.auth.spi.DatabaseServerLoginModule required
                      dsJndiName="java:/DefaultDS"
                      principalsQuery="select Password from Principals where PrincipalID=?"
                      rolesQuery="select Role, RoleGroup from Roles where PrincipalID=?"
                      unauthenticatedIdentity=nobody
                  ;
              };
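
The EJB-side half of the setup discussed in this thread, as an added example that is not from any of the posters: an EJB 1.1 `ejb-jar.xml` assembly descriptor that grants the "nobody" role only the methods the pre-login JSPs need and keeps everything else for authenticated users. The bean name `CatalogBean`, the method `listProducts` and the role `customer` are hypothetical, and it assumes the `Roles` table has a row mapping principal `nobody` to role `nobody` in the `Roles` role group.

```xml
<!-- Added example: fragment of META-INF/ejb-jar.xml (EJB 1.1).
     CatalogBean, listProducts and customer are hypothetical names. -->
<assembly-descriptor>

  <!-- Role carried by callers mapped through unauthenticatedIdentity=nobody.
       Assumption: the Roles table maps principal "nobody" to this role. -->
  <security-role>
    <role-name>nobody</role-name>
  </security-role>

  <!-- Role carried by users who logged in through the FORM login. -->
  <security-role>
    <role-name>customer</role-name>
  </security-role>

  <!-- Anonymous callers get only the read-only method the public JSPs call.
       List each such method explicitly; never use "*" for nobody. -->
  <method-permission>
    <role-name>nobody</role-name>
    <method>
      <ejb-name>CatalogBean</ejb-name>
      <method-name>listProducts</method-name>
    </method>
  </method-permission>

  <!-- Authenticated callers may invoke every method of the bean,
       including listProducts. -->
  <method-permission>
    <role-name>customer</role-name>
    <method>
      <ejb-name>CatalogBean</ejb-name>
      <method-name>*</method-name>
    </method>
  </method-permission>

</assembly-descriptor>
```

Any method left out of the `nobody` permission stays closed to callers without credentials, so the anonymous surface is exactly the list of methods named there.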