-
1. Re: Issue with FORM security with Web and EJB tier.
mickknutson Mar 15, 2003 2:17 AM (in response to mickknutson)
Here are the files as stated above.
-
2. Re: Issue with FORM security with Web and EJB tier.
mickknutson Mar 21, 2003 2:42 AM (in response to mickknutson)
ping?
After another week of searching for the root issue, I am still no closer to solving this, but incredibly upset at all the lost time I have spent on this.
I am using JBoss 3.0.6 on NT 4.0 SP6 with MySQL.
No matter what I do, you can type username: "heapsOfCrap" and password: "meaninglessCharacters" and _always_ get authenticated, "user", and "admin" role assigned.
I would be very appreciative if someone can take 5 minutes to help me solve this issue that I have spent 50+ hours on.
Thanks in advance...
Mick
-
3. Re: Issue with FORM security with Web and EJB tier.
petertje Mar 21, 2003 3:24 AM (in response to mickknutson)
Mick,
There is no jboss-web.xml file in your zip. This is necessary to connect to JBoss security. It should have the following contents:
<jboss-web>
    <security-domain>java:/jaas/yoursos-policy</security-domain>
</jboss-web>
Hth,
Peter
-
4. Re: Issue with FORM security with Web and EJB tier.
petertje Mar 21, 2003 3:26 AM (in response to mickknutson)
And put it in the WEB-INF directory of your war of course ;-)
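The deployment check implied by the two replies above, as an added example that is not part of the original thread: it inspects a WAR and reports when web.xml declares security but no WEB-INF/jboss-web.xml binds it to a security domain. The function names, the sample descriptors and the requirement that the domain start with `java:/jaas/` (taken from the form shown in the reply) are assumptions.

```python
import io
import zipfile
import xml.etree.ElementTree as ET

DESCRIPTOR = "WEB-INF/jboss-web.xml"
JAAS_PREFIX = "java:/jaas/"  # assumption: the JNDI form shown in the reply

def local(tag):
    """Drop any XML namespace so DTD-era and schema-era descriptors both match."""
    return tag.rsplit("}", 1)[-1]

def audit_war(war_bytes):
    """Return findings for a WAR; an empty list means the binding is present."""
    with zipfile.ZipFile(io.BytesIO(war_bytes)) as war:
        names = war.namelist()
        if "WEB-INF/web.xml" not in names:
            return ["WEB-INF/web.xml missing"]
        web = ET.fromstring(war.read("WEB-INF/web.xml"))
        jboss = ET.fromstring(war.read(DESCRIPTOR)) if DESCRIPTOR in names else None
    if not {local(e.tag) for e in web.iter()} & {"login-config", "security-constraint"}:
        return []  # no declarative security, so no domain is required
    if jboss is None:
        stray = [n for n in names if n.endswith("jboss-web.xml")]
        if stray:  # descriptor exists but is not where the container reads it
            return ["jboss-web.xml is at %s, not in WEB-INF/" % stray[0]]
        return ["web.xml declares security but %s is missing" % DESCRIPTOR]
    domains = [(e.text or "").strip() for e in jboss.iter()
               if local(e.tag) == "security-domain"]
    if not domains or not domains[0]:
        return ["%s has no <security-domain>" % DESCRIPTOR]
    if not domains[0].startswith(JAAS_PREFIX):
        return ["security-domain %r lacks the %s prefix" % (domains[0], JAAS_PREFIX)]
    return []

def make_war(files):
    """Build an in-memory WAR from {path: text}; used for the constructed samples."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as archive:
        for path, text in files.items():
            archive.writestr(path, text)
    return buf.getvalue()

# Constructed descriptors for illustration, not the poster's files.
WEB_XML = ("<web-app><security-constraint/><login-config>"
           "<auth-method>FORM</auth-method></login-config></web-app>")
JBOSS_WEB_XML = ("<jboss-web><security-domain>java:/jaas/yoursos-policy"
                 "</security-domain></jboss-web>")
```

Calling `audit_war(open("app.war", "rb").read())` in a build step turns the missing-descriptor case into a failed build instead of a login form that accepts any credentials.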
-
5. Re: Issue with FORM security with Web and EJB tier.
mickknutson Mar 21, 2003 4:44 AM (in response to mickknutson)
Thank you soooooo much!
I do have an additional question:
I use XDoclet for all my other jboss*.xml file generation.
Is the security domain the only thing I need in jboss-web.xml?
XDoclet will generate that file for me fairly easily with the security domain, but I have not used that file thus far, so I do not know what else needs to, or can, go into it.
-
6. Re: Issue with FORM security with Web and EJB tier.
petertje Mar 21, 2003 6:26 AM (in response to mickknutson)
Well, that depends of course. The jboss-web.xml lets you map resource and ejb refs and can be used for specifying context root (although that should preferably go in the application.xml in the .ear) and virtual hosts. But you can do without it; the security domain is the most important (and probably the most used ;-) property in this file.
Refer to /docs/dtd/jboss-web_3_0.dtd for a complete description.
Cheers,
Peter.
-
7. Re: Issue with FORM security with Web and EJB tier.
mickknutson Apr 1, 2003 2:14 AM (in response to mickknutson)
OK, I just got finished with my sidetrack, and tried this out. Here is what I found:
I added jboss-web.xml with my realm. If I logon with username: "junk", password: "junk", I get directed to /error.jsp like I was expecting. However, when I put password: "mick", password: "myPassword", I get a 403 NOT AUTHORIZED error _every_ time.
I have 2 rows in the USER_ROLES table:
username: "mick", role: "user", group: "user"
username: "mick", role: "admin", group: "user"
When I remove the jboss-web.xml, I can logon with username "mick", but j_subject=null in the debug messages, and this gives me a security violation when creating a Session EJB.
The security error I get with jboss-web.xml removed, and trying to create a Session Bean:
=================================
07:44:19,378 ERROR [SecurityInterceptor] Insufficient method permissions, principal=mknutson, method=create, interface=HOME, requiredRoles=[], principalRoles=null
07:44:19,398 ERROR [LogInterceptor] EJBException, causedBy:
java.lang.SecurityException: Insufficient method permissions, principal=mknutson, method=create, interface=HOME, requiredRoles=[], principalRoles=null
at org.jboss.ejb.plugins.SecurityInterceptor.checkSecurityAssociation(SecurityInterceptor.java:228)
at org.jboss.ejb.plugins.SecurityInterceptor.invokeHome(SecurityInterceptor.java:94)
at org.jboss.ejb.plugins.LogInterceptor.invokeHome(LogInterceptor.java:129)
at org.jboss.ejb.StatelessSessionContainer.invokeHome(StatelessSessionContainer.java:300)
at org.jboss.ejb.Container.invoke(Container.java:730)
at org.jboss.mx.server.MBeanServerImpl.invoke(MBeanServerImpl.java:517)
at org.jboss.invocation.local.LocalInvoker.invoke(LocalInvoker.java:98)
at org.jboss.invocation.InvokerInterceptor.invoke(InvokerInterceptor.java:102)
at org.jboss.proxy.TransactionInterceptor.invoke(TransactionInterceptor.java:77)
at org.jboss.proxy.SecurityInterceptor.invoke(SecurityInterceptor.java:80)
at org.jboss.proxy.ejb.HomeInterceptor.invoke(HomeInterceptor.java:198)
at org.jboss.proxy.ClientContainer.invoke(ClientContainer.java:76)
at $Proxy35.create(Unknown Source)
at com.baselogic.yoursos.delegates.UserServicesDelegate.<init>(UserServicesDelegate.java:36)
at sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method)
at sun.reflect.NativeConstructorAccessorImpl.newInstance(NativeConstructorAccessorImpl.java:39)
at sun.reflect.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:27)
at java.lang.reflect.Constructor.newInstance(Constructor.java:274)
at java.lang.Class.newInstance0(Class.java:306)
at java.lang.Class.newInstance(Class.java:259)
at com.baselogic.yoursos.delegates.ServicesFactory.createUserServices(ServicesFactory.java:33)
at com.baselogic.yoursos.struts.BaseDispatchAction.getUserService(BaseDispatchAction.java:43)
at com.baselogic.yoursos.user.ProfileActions.defaultMethod(ProfileActions.java:79)
at com.baselogic.yoursos.struts.BaseDispatchAction.unspecified(BaseDispatchAction.java:179)
at org.apache.struts.actions.DispatchAction.dispatchMethod(DispatchAction.java:260)
at org.apache.struts.actions.DispatchAction.execute(DispatchAction.java:216)
at org.apache.struts.action.RequestProcessor.processActionPerform(RequestProcessor.java:480)
at org.apache.struts.action.RequestProcessor.process(RequestProcessor.java:274)
at org.apache.struts.action.ActionServlet.process(ActionServlet.java:1420)
at org.apache.struts.action.ActionServlet.doGet(ActionServlet.java:502)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:740)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:853)
at org.mortbay.jetty.servlet.ServletHolder.handle(ServletHolder.java:360)
at org.mortbay.jetty.servlet.WebApplicationHandler$Chain.doFilter(WebApplicationHandler.java:328)
at com.baselogic.yoursos.security.SecurityContextFilter.doFilter(SecurityContextFilter.java:99)
at org.mortbay.jetty.servlet.WebApplicationHandler$Chain.doFilter(WebApplicationHandler.java:320)
at com.baselogic.yoursos.user.UserPreferenceFilter.doFilter(UserPreferenceFilter.java:50)
at org.mortbay.jetty.servlet.WebApplicationHandler$Chain.doFilter(WebApplicationHandler.java:320)
at org.mortbay.jetty.servlet.WebApplicationHandler.dispatch(WebApplicationHandler.java:272)
at org.mortbay.jetty.servlet.ServletHandler.handle(ServletHandler.java:553)
at org.mortbay.http.HttpContext.handle(HttpContext.java:1717)
at org.mortbay.jetty.servlet.WebApplicationContext.handle(WebApplicationContext.java:549)
at org.mortbay.http.HttpContext.handle(HttpContext.java:1667)
at org.mortbay.http.HttpServer.service(HttpServer.java:862)
at org.jboss.jetty.Jetty.service(Jetty.java:497)
at org.mortbay.http.HttpConnection.service(HttpConnection.java:759)
at org.mortbay.http.HttpConnection.handleNext(HttpConnection.java:923)
at org.mortbay.http.HttpConnection.handle(HttpConnection.java:776)
at org.mortbay.http.SocketListener.handleConnection(SocketListener.java:202)
at org.mortbay.util.ThreadedServer.handle(ThreadedServer.java:289)
at org.mortbay.util.ThreadPool$PoolThread.run(ThreadPool.java:455)
=================================
-
8. Re: Issue with FORM security with Web and EJB tier.
mickknutson Apr 1, 2003 2:16 AM (in response to mickknutson)
Here are the attachments