1 Reply Latest reply on Apr 15, 2002 6:52 AM by drcharris

must a user have roles?

drcharris Apr 15, 2002 6:32 AM

We have users authenticating against JBoss using ClientLoginModule on the client side and DatabaseServerLoginModule on the server side. A couple of things materialise when we try to login. (We're using 2.4.3, Win2K)

1. A user can authenticate with just principal/password present in the Principals table, but any method call requires at least one role to be present for that user. We currently have all of our methods flagged as 'unchecked' so we can authenticate but then allow unfettered access to authenticated users, so we don't assign roles to users. This throws an error in DatabaseServerLoginModule.getRoleSets - stack trace follows

javax.security.auth.login.FailedLoginException: No matching username found in Roles
at org.jboss.security.auth.spi.DatabaseServerLoginModule.getRoleSets(DatabaseServerLoginModule.java:151)
at org.jboss.security.auth.spi.AbstractServerLoginModule.commit(AbstractServerLoginModule.java:123)
at java.lang.reflect.Method.invoke(Native Method)
at javax.security.auth.login.LoginContext.invoke(LoginContext.java:595)
at javax.security.auth.login.LoginContext.access$000(LoginContext.java:125)
at javax.security.auth.login.LoginContext$3.run(LoginContext.java:531)
at java.security.AccessController.doPrivileged(Native Method)
at javax.security.auth.login.LoginContext.invokeModule(LoginContext.java:528)
at javax.security.auth.login.LoginContext.login(LoginContext.java:450)
at org.jboss.security.plugins.JaasSecurityManager.defaultLogin(JaasSecurityManager.java:396)
at org.jboss.security.plugins.JaasSecurityManager.authenticate(JaasSecurityManager.java:363)
at org.jboss.security.plugins.JaasSecurityManager.isValid(JaasSecurityManager.java:219)
at org.jboss.ejb.plugins.SecurityInterceptor.checkSecurityAssociation(SecurityInterceptor.java:164)
at org.jboss.ejb.plugins.SecurityInterceptor.invokeHome(SecurityInterceptor.java:92)
at org.jboss.ejb.plugins.LogInterceptor.invokeHome(LogInterceptor.java:106)
at org.jboss.ejb.StatelessSessionContainer.invokeHome(StatelessSessionContainer.java:268)
at org.jboss.ejb.plugins.jrmp.server.JRMPContainerInvoker.invokeHome(JRMPContainerInvoker.java:372)
at java.lang.reflect.Method.invoke(Native Method)
at sun.rmi.server.UnicastServerRef.dispatch(UnicastServerRef.java:236)
at sun.rmi.transport.Transport$1.run(Transport.java:147)
at java.security.AccessController.doPrivileged(Native Method)
at sun.rmi.transport.Transport.serviceCall(Transport.java:143)
at sun.rmi.transport.tcp.TCPTransport.handleMessages(TCPTransport.java:460)
at sun.rmi.transport.tcp.TCPTransport$ConnectionHandler.run(TCPTransport.java:701)
at java.lang.Thread.run(Thread.java:479)

If we add a role to the Roles table, to get round this problem, then we get another error indicating that the user doesn't have the role which seems to be a 'dummy' principal for unchecked exceptions. This happens in SecurityInterceptor, the last line of checkSecurityAssociation(). Presumably this is not added automatically to authenticated users' list of roles?

So the question is - does a user *have* to have a role? Is it within spec (and I know 2.4.3 falls between two versions of the spec on this) to have users authenticated, have all methods unchecked, and therefore only allow authenticated users to call any method?

1. Re: must a user have roles?

drcharris Apr 15, 2002 6:52 AM (in response to drcharris)

OK a slight mistake on my part - the dummy role we added had to have a RoleGroup of 'Roles', which prevents the second error. The main question still stands though - does a user have to have a role at all, if there is no role-based activity in the application?
Actions