1. Re: Does unauthenticatedIdentity work in JBoss 3.0.x?
petertje Jan 30, 2003 4:48 PM (in response to panosk)
> I have a web application with a restricted area and
> an unrestricted area.
>
> The structure is the following:
>
> /secure (webapp)
> /secure/admin/ (secure area accessible only by the admin role)
> /secure/admin/page1.jsp
> /secure/page2.jsp (accessible by everyone)
>
> when i call page2.jsp directly without being
> authenticated first I get the following error:
_When_ do you get this error? In an EJB, or are you calling getRemoteUser() or....?
The reason can be this: if page2 is not secured (you said: without being authenticated first), no security context is set. Using the unauthenticated property doesn't help, because the system is not performing a login for unsecured pages...
Hope I made myself clear; if not, let me know.
Peter.
>
> java.lang.RuntimeException: checkSecurityAssociation;
> CausedByException
> is:
> Authentication exception, principal=null
>
> I added the unauthenticatedIdentity property at my
> login module declaration but nothing changed.
>
> Any ideas or solutions about the problem would be
> very helpful!
>
> Korros Panagiotis.
>
>
>
>
> my login-config.xml contains:
>
> <application-policy name="secure">
>
> <login-module
> code="org.jboss.security.auth.spi.UsersRolesLoginModule"
> flag="required">
> <module-option
> name="unauthenticatedIdentity">nobody</module-option>
> </login-module>
>
> </application-policy>
2. Re: Does unauthenticatedIdentity work in JBoss 3.0.x?
panosk Feb 3, 2003 5:43 AM (in response to panosk)
Thanks for your reply.
For your first question, the error occurs in the EJB container.
Since I posted to this forum I played a little and discovered that when I used the "IdentityLoginModule" I was able to call my EJB from both the unsecured and secured areas.
This means that the behaviour you describe applies to "UsersRolesLoginModule". Am I right?
In the end my question still remains. How can I configure JBoss so that I have limited access to my EJBs from the unrestricted area?
3. Re: Does unauthenticatedIdentity work in JBoss 3.0.x?
petertje Feb 4, 2003 5:43 PM (in response to panosk)
> Thanks for your reply.
You're welcome. ;-)
> Since I posted to this forum I played a little and
> discovered that when I used the "IdentityLoginModule"
> I was able to call my EJB from both the unsecured and
> secured areas.
> This means that the behaviour you describe applies to
> "UsersRolesLoginModule". Am I right?
This surprises me, because the behaviour i described is (as you'd expect of course) independent of the login module that is configured. I just checked, to make sure i'm not talking nonsense here, and my sample does not allow access to secured EJBs with IdentityLoginModule either. I also checked the source code (JBoss 3.0.3): it does not authenticate when no security constraint applies.
> At the end my question still remains. how can i
> configure jboss so that i have limited access to my
> ejbs from the unrestricted area?
I can only think of one solution: you have to set the security context yourself. More explanation and code sample can be found at http://www.luminis.nl/publications/websecurity.html
Hth,
Peter.
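
Added example, not part of the original thread and not the code from the linked article: one way to "set the security context yourself" for unsecured pages is a Servlet 2.3 filter that associates a low-privilege caller with the request thread through `org.jboss.security.SecurityAssociation`. The class name `GuestIdentityFilter` and the `guestUser`/`guestPassword` init-params are hypothetical, and the guest account is assumed to exist in the security domain's user store with only the role that the public EJB methods require.

```java
import java.io.IOException;
import java.security.Principal;
import javax.servlet.*;
import javax.servlet.http.HttpServletRequest;
import org.jboss.security.SecurityAssociation;
import org.jboss.security.SimplePrincipal;

/** Hypothetical filter: gives requests without a container login a guest identity for EJB calls. */
public class GuestIdentityFilter implements Filter {
    private String guestUser;     // assumed init-param; account must exist in the security domain
    private char[] guestPassword; // assumed init-param; keep this account restricted to a guest role

    public void init(FilterConfig cfg) throws ServletException {
        guestUser = cfg.getInitParameter("guestUser");
        String pw = cfg.getInitParameter("guestPassword");
        if (guestUser == null || pw == null) {
            throw new ServletException("guestUser and guestPassword init-params are required");
        }
        guestPassword = pw.toCharArray();
    }

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        // Requests the container already authenticated keep their own identity.
        if (((HttpServletRequest) req).getUserPrincipal() != null) {
            chain.doFilter(req, res);
            return;
        }
        // Remember whatever was associated with this pooled thread before.
        Principal previousPrincipal = SecurityAssociation.getPrincipal();
        Object previousCredential = SecurityAssociation.getCredential();
        try {
            // The EJB container validates this pair against its security domain on each call.
            SecurityAssociation.setPrincipal(new SimplePrincipal(guestUser));
            SecurityAssociation.setCredential(guestPassword);
            chain.doFilter(req, res);
        } finally {
            // Always restore, so the guest identity never leaks into the next
            // request served by the same worker thread.
            SecurityAssociation.setPrincipal(previousPrincipal);
            SecurityAssociation.setCredential(previousCredential);
        }
    }

    public void destroy() {
        guestPassword = null;
    }
}
```

Map the filter only to the unrestricted URLs in web.xml, and grant the guest role method permissions on just the EJB methods that anonymous visitors may call.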