7 Replies Latest reply on Jan 29, 2003 5:38 PM by aweissman

    Method Level Permissions?

    aweissman

      I am trying to do some basic proof of concepts to become more acquainted with J2EE security. I created a simple bean and wrote the DD to restrict an EJB remote interface method helloWorld() to the defined role of 'Developer'. However, JBoss seems to let anyone execute this method. Am I doing something wrong?

      I assume that the calling code is not in the 'Developer' role because I have not implemented any roles in my calling code. How can I programmatically declare the role that my client code is using?

      partial ejb-jar.xml:

      <assembly-descriptor>
      <security-role>
      <description>description not supported yet by ejbdoclet</description>
      <role-name>Developers</role-name>
      </security-role>

      <method-permission>
      <description>description not supported yet by ejbdoclet</description>
      <role-name>Developers</role-name>
      <method>
      <description><![CDATA[]]></description>
      <ejb-name>TestSession</ejb-name>
      <method-intf>Remote</method-intf>
      <method-name>helloWorld</method-name>
      <method-params>
      </method-params>
      </method>
      </method-permission>

      <!-- finder permissions -->

      <!-- transactions -->

      <!-- finder transactions -->
      </assembly-descriptor>

      Thanks,
      Alan

        • 1. Re: Method Level Permissions?

          You don't declare the roles on the client, instead you provide a user name and password (via SecurityAssociation or JAAS ClientLoginModule login) which are sent to the server and then mapped to a configured role.

          Modifying ejb-jar.xml is not enough to set up security. You will also need to declare the security domain for your bean in the jboss.xml descriptor (see DTD). In addition you need to configure this domain in the server/default/login-config.xml file with a JAAS login module (database, file, LDAP, etc. based security) and then populate the target with your user names, passwords and role mapping (for example by inserting the required information into a database table).

          HTH

          • 2. Re: Method Level Permissions?
            aweissman

            Thanks Juha!

            I inserted the security domain reference in my DD, and I already had my login-config.xml going (it's what I'm trying to test!) and I got the following exception from JBoss when it attempted to deploy the EJB:

            10:11:53,240 INFO [EjbModule] Deploying TestSession
            10:11:53,272 ERROR [EjbModule] error adding container to app.
            org.jboss.deployment.DeploymentException: Could not find the security-domain specified for this container, name=SunOneDirectory; - nested throwable: (javax.naming.NameNotFoundException: SunOneDirectory not bound)
            at org.jboss.ejb.EjbModule.initializeContainer(EjbModule.java:748)
            at org.jboss.ejb.EjbModule.createStatelessSessionContainer(EjbModule.java:583)
            at org.jboss.ejb.EjbModule.createContainer(EjbModule.java:538)
            at org.jboss.ejb.EjbModule.createService(EjbModule.java:363)
            at org.jboss.system.ServiceMBeanSupport.create(ServiceMBeanSupport.java:136)...
            (let me know if you need to see more)

            Can you see any issues with my login-config.xml?

            thanks,
            Alan


            login-config.xml:
            <?xml version="1.0"?>
            <!DOCTYPE policy PUBLIC "-//JBoss//DTD JBOSS Security Config 3.0//EN"
            "http://www.jboss.org/j2ee/dtd/security_config.dtd">

            <policy>
            <application-policy name="SunOneDirectory">
            <authentication>
            <login-module flag="required" code="org.jboss.security.auth.spi.LdapLoginModule">
            <module-option name="java.naming.factory.initial">com.sun.jndi.ldap.LdapCtxFactory</module-option>
            <module-option name="java.naming.provider.url">ldap://localhost:1389</module-option>
            <module-option name="java.naming.security.authentication">simple</module-option>
            <module-option name="principalDNPrefix">uid=</module-option>
            <module-option name="principalDNSuffix">,ou=People,o=solspark</module-option>
            <module-option name="uidAttributeID">uid</module-option>
            <module-option name="roleAttributeID">cn</module-option>
            <module-option name="rolesCtxDN">ou=Groups,o=solspark</module-option>
            </login-module>
            </authentication>
            </application-policy>
            </policy>

            • 3. Re: Method Level Permissions?

              Do you declare "java:jaas/SunOneDirectory" as your security domain in jboss.xml?

              • 4. Re: Method Level Permissions?
                aweissman

                ah beautiful! I didn't have the java:jaas/ prefix on it in jboss.xml. Ran it and started getting security exceptions, which is exactly what I wanted. Is there any sample code out there for using the ClientLoginModule?

                Thanks again!
                Alan

                • 5. Re: Method Level Permissions?

                  Security is explained in detail in the 3.0 Administration and Development book, available from http://www.jboss.org/docs.

                  • 6. Re: Method Level Permissions?
                    aweissman

                    Thanks Juha :)
                    I RTFM and I've created my simple test client based on the example. Now I'm having trouble with auth.conf not being found on execution. Can't I just put this in with my client class files for use during runtime?
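The client-side login that reply 1 describes and reply 6 asks about, as an added example that is not code from this thread or from the JBoss documentation. It assumes a constructed auth.conf in the working directory, that the bean is bound under the JNDI name "TestSession" with a home interface named TestSessionHome, and that the LdapLoginModule on the server maps the user to the Developers role; the user name and password are placeholders.

```java
// Added example: a JAAS client login against a JBoss 3.x server. The
// ClientLoginModule only records the principal and credential on the client;
// the real authentication and role check happen on the server when the EJB
// method is invoked, so a wrong password shows up as an exception on the call.
import java.io.IOException;
import java.util.Properties;
import javax.naming.Context;
import javax.naming.InitialContext;
import javax.rmi.PortableRemoteObject;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.NameCallback;
import javax.security.auth.callback.PasswordCallback;
import javax.security.auth.callback.UnsupportedCallbackException;
import javax.security.auth.login.LoginContext;

public class TestClient {
    /** Supplies the user name and password to the login module's callbacks. */
    static class UsernamePasswordHandler implements CallbackHandler {
        private final String user; private final char[] password;
        UsernamePasswordHandler(String user, char[] password) { this.user = user; this.password = password; }
        public void handle(Callback[] cbs) throws IOException, UnsupportedCallbackException {
            for (int i = 0; i < cbs.length; i++) {
                if (cbs[i] instanceof NameCallback) ((NameCallback) cbs[i]).setName(user);
                else if (cbs[i] instanceof PasswordCallback) ((PasswordCallback) cbs[i]).setPassword(password);
                else throw new UnsupportedCallbackException(cbs[i], "unsupported callback");
            }
        }
    }

    public static void main(String[] args) throws Exception {
        // auth.conf is located through this JAAS system property, not the classpath.
        // Constructed auth.conf content:  other { org.jboss.security.ClientLoginModule required; };
        if (System.getProperty("java.security.auth.login.config") == null)
            System.setProperty("java.security.auth.login.config", "auth.conf");
        String user = args.length > 0 ? args[0] : "alan";          // placeholder user
        char[] pw = (args.length > 1 ? args[1] : "changeit").toCharArray(); // placeholder password

        LoginContext lc = new LoginContext("other", new UsernamePasswordHandler(user, pw));
        lc.login();                                   // stores principal/credential client-side
        try {
            Properties env = new Properties();
            env.put(Context.INITIAL_CONTEXT_FACTORY, "org.jnp.interfaces.NamingContextFactory");
            env.put(Context.PROVIDER_URL, "jnp://localhost:1099");
            Context ctx = new InitialContext(env);
            Object ref = ctx.lookup("TestSession");  // assumed JNDI name
            TestSessionHome home = (TestSessionHome) PortableRemoteObject.narrow(ref, TestSessionHome.class);
            TestSession bean = home.create();
            bean.helloWorld();     // rejected by the container unless the caller holds the Developers role
        } finally {
            lc.logout();           // clears the client-side security association
        }
    }
}
```

Run it with the JBoss client jars on the classpath; the auth.conf does not need to be packaged with the classes, it only has to be reachable at the path the system property names.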

                    • 7. Re: Method Level Permissions?
                      aweissman

                      nm thanks :)