2 Replies Latest reply on Nov 14, 2002 5:56 AM by super4712

    java.lang.SecurityException: Authentication exception, princ

    dw814

      I have two EJBs, one that is secure, and another that is not. I am using the non-secure one as a facade to the secured one. I have configured my jboss.xml to be the following:


      <unauthenticated-principal>unsecureClient</unauthenticated-principal>

      <enterprise-beans>
      <session>
      <ejb-name>SecuredEJB</ejb-name>
      <configuration-name>Secure Stateless SessionBean</configuration-name>
      </session>
      </enterprise-beans>

      <container-configurations>
      <container-configuration extends="Standard Stateless SessionBean">
      <container-name>Secure Stateless SessionBean</container-name>
      <security-domain>java:/jaas/myDomain</security-domain>
      </container-configuration>
      </container-configurations>



      My non-secured EJB does not require a login, and I have it configured (in ejb-jar.xml) so that it will "run-as" an administrator role that the SecuredEJB will allow access to.

      <ejb-jar>
      <enterprise-beans>
      ...
      <session>
      <ejb-name>SecuredEJB</ejb-name>
      <home>SecuredEJBHome</home>
      <remote>SecuredEJB</remote>
      <ejb-class>SecuredEJBBean</ejb-class>
      <session-type>Stateless</session-type>
      <transaction-type>Container</transaction-type>
      <security-role-ref>
      <role-name>AdministratorCaller</role-name>
      <role-link>Administrator</role-link>
      </security-role-ref>
      </session>

      <session>
      <ejb-name>NonSecuredEJB</ejb-name>
      <home>NonSecuredEJBHome</home>
      <remote>NonSecuredEJB</remote>
      <ejb-class>NonSecuredEJBBean</ejb-class>
      <session-type>Stateless</session-type>
      <transaction-type>Container</transaction-type>
      <ejb-ref>
      <ejb-ref-name>ejb/SecuredEJB</ejb-ref-name>
      <ejb-ref-type>Session</ejb-ref-type>
      <home>SecuredEJBHome</home>
      <remote>SecuredEJB</remote>
      <ejb-link>SecuredEJB</ejb-link>
      </ejb-ref>
      <security-identity>
      <run-as>
      <role-name>Administrator</role-name>
      </run-as>
      </security-identity>
      </session>
      ...
      </enterprise-beans>
      <assembly-descriptor>
      <method-permission>
      <role-name>Administrator</role-name>
      <method>
      <ejb-name>SecuredEJB</ejb-name>
      <method-name>*</method-name>
      </method>
      </method-permission>
      </assembly-descriptor>
      ...
      </ejb-jar>

      Even though I don't log into the non-secured EJB, it has a default "unsecureClient" principal associated with the invocation. But when my unsecured EJB tries to get a remote stub for the secured EJB, the SecurityInterceptor throws a SecurityException, stating that the principal is "null." Does this mean that my unsecured EJB must always log into the secured EJB, even though it has a default principal and its role as an "Administrator" is already set?

      thanks for your help,

      -david

        • 1. Re: java.lang.SecurityException: Authentication exception, p
          dw814

          I got it working. But I am not sure how I did it. I hope someone out there in the JBoss community is able to enlighten me. I added the following to "login-config.xml":

          <application-policy name = "myDomain">
          <authentication>
          <login-module code="org.jboss.security.auth.spi.UsersRolesLoginModule" flag = "required">
          <module-option name = "unauthenticatedIdentity">nobody</module-option>
          </login-module>
          </authentication>
          </application-policy>

          The only explanation I've found is a comment in the xml file:

          "The unauthenticatedIdentity property defines the name of the principal that will be used when a null username and password are presented as is the case for an unauthenticated web client or MDB. If you want to allow such users to be authenticated add the property, e.g., unauthenticatedIdentity='nobody' "

          Is there a file I can include in my EJB jar file that will override the default/login-config.xml, so I don't have to modify the one under the default directory?

          thanks,

          • 2. Re: Authentication exception, principal=null, LDAP?
            super4712

            Well that works with the UsersRolesLoginModule, but
            how can I do this with the LdapLoginModule?

            Hans
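The following login-config.xml fragment is an added example and is not the file of either poster. It shows the fix from reply 1 (the unauthenticatedIdentity option on UsersRolesLoginModule) next to the same option on LdapLoginModule, which is the case reply 2 asks about: both modules extend org.jboss.security.auth.spi.UsernamePasswordLoginModule, which is where the unauthenticatedIdentity option is read, so the option is honoured by the LDAP module as well. The domain names, the LDAP host and directory layout, and the "nobody" identity are assumed values.

```xml
<!-- Added example login-config.xml fragment; domain names, DNs, host and the
     "nobody" identity are assumptions, not values from the thread. -->
<policy>

  <!-- Properties-file domain, as used by the secured bean in the thread -->
  <application-policy name="myDomain">
    <authentication>
      <login-module code="org.jboss.security.auth.spi.UsersRolesLoginModule"
                    flag="required">
        <!-- Principal assigned when the caller presents a null username and
             password (the run-as facade in the thread does exactly that).
             Roles for "nobody" are looked up in roles.properties like any
             other user; leave it without entries unless the unauthenticated
             path genuinely needs a role, since every credential-less caller
             of this domain becomes "nobody". -->
        <module-option name="unauthenticatedIdentity">nobody</module-option>
      </login-module>
    </authentication>
  </application-policy>

  <!-- LDAP-backed domain: the option is the same, because LdapLoginModule
       also extends UsernamePasswordLoginModule. The LDAP options below are
       standard LdapLoginModule settings; only their values are assumed. -->
  <application-policy name="myLdapDomain">
    <authentication>
      <login-module code="org.jboss.security.auth.spi.LdapLoginModule"
                    flag="required">
        <module-option name="unauthenticatedIdentity">nobody</module-option>
        <module-option name="java.naming.factory.initial">com.sun.jndi.ldap.LdapCtxFactory</module-option>
        <module-option name="java.naming.provider.url">ldap://ldap.example.com:389/</module-option>
        <module-option name="java.naming.security.authentication">simple</module-option>
        <!-- User DN is built as principalDNPrefix + username + principalDNSuffix -->
        <module-option name="principalDNPrefix">uid=</module-option>
        <module-option name="principalDNSuffix">,ou=People,dc=example,dc=com</module-option>
        <!-- Roles are groups under rolesCtxDN whose "member" attribute holds
             the user DN; the group "cn" becomes the role name -->
        <module-option name="rolesCtxDN">ou=Roles,dc=example,dc=com</module-option>
        <module-option name="uidAttributeID">member</module-option>
        <module-option name="matchOnUserDN">true</module-option>
        <module-option name="roleAttributeID">cn</module-option>
      </login-module>
    </authentication>
  </application-policy>

</policy>
```

With unauthenticatedIdentity set, the authentication step for a credential-less caller succeeds as "nobody" instead of throwing the principal=null SecurityException seen in the first post; the call is still subject to the method-permission roles in ejb-jar.xml, so whether the facade reaches SecuredEJB is decided by the run-as role, not by the unauthenticated identity. No LDAP bind is attempted for the unauthenticated caller, because the module short-circuits on the null username before building the user DN.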