java.lang.SecurityException: Authentication exception, princ
dw814 Nov 6, 2002 12:32 PM
I have two EJBs, one that is secure, and another that is not. I am using the non-secure one as a facade to the secured one. I have configured my jboss.xml to be the following:
<unauthenticated-principal>unsecureClient</unauthenticated-principal>
<enterprise-beans>
  <session>
    <ejb-name>SecuredEJB</ejb-name>
    <configuration-name>Secure Stateless SessionBean</configuration-name>
  </session>
</enterprise-beans>
<container-configurations>
  <container-configuration extends="Standard Stateless SessionBean">
    <container-name>Secure Stateless SessionBean</container-name>
    <security-domain>java:/jaas/myDomain</security-domain>
  </container-configuration>
</container-configurations>
My non-secured EJB does not require a login, and I have it configured (in ejb-jar.xml) so that it will "run-as" an administrator role that the SecuredEJB will allow access to.
<ejb-jar>
  <enterprise-beans>
    ...
    <session>
      <ejb-name>SecuredEJB</ejb-name>
      <home>SecuredEJBHome</home>
      <remote>SecuredEJB</remote>
      <ejb-class>SecuredEJBBean</ejb-class>
      <session-type>Stateless</session-type>
      <transaction-type>Container</transaction-type>
      <security-role-ref>
        <role-name>AdministratorCaller</role-name>
        <role-link>Administrator</role-link>
      </security-role-ref>
    </session>
    <session>
      <ejb-name>NonSecuredEJB</ejb-name>
      <home>NonSecuredEJBHome</home>
      <remote>NonSecuredEJB</remote>
      <ejb-class>NonSecuredEJBBean</ejb-class>
      <session-type>Stateless</session-type>
      <transaction-type>Container</transaction-type>
      <ejb-ref>
        <ejb-ref-name>ejb/SecuredEJB</ejb-ref-name>
        <ejb-ref-type>Session</ejb-ref-type>
        <home>SecuredEJBHome</home>
        <remote>SecuredEJB</remote>
        <ejb-link>SecuredEJB</ejb-link>
      </ejb-ref>
      <security-identity>
        <run-as>
          <role-name>Administrator</role-name>
        </run-as>
      </security-identity>
    </session>
    ...
  </enterprise-beans>
  <assembly-descriptor>
    <method-permission>
      <role-name>Administrator</role-name>
      <method>
        <ejb-name>SecuredEJB</ejb-name>
        <method-name>*</method-name>
      </method>
    </method-permission>
  </assembly-descriptor>
  ...
</ejb-jar>
Even though I don't log into the non-secured EJB, it has a default "unsecureClient" principal associated with the invocation. But when my unsecured EJB tries to get a remote stub for the secured EJB, the SecurityInterceptor throws a SecurityException, stating that the principal is "null." Does this mean that my unsecured EJB must always log into the secured EJB, even though it has a default principal and its role as an "Administrator" is already set?
thanks for your help,
-david