4 Replies Latest reply on May 24, 2003 3:35 AM by juhalindfors

Authentication exception principal =null when I dont want to

rshinde Mar 18, 2003 7:00 PM

In my ear file I have two jar files with two ejbs - one secure via JAAS and the other unsecured.

When I call the USecuredEJB's method from my JUnit test case I dont do a loginContext as its unsecured.
Still I get the exception

java.rmi.ServerException: RemoteException occurred in server thread; nested exception is:
java.rmi.ServerException: EJBException:; nested exception is:
javax.ejb.EJBException: checkSecurityAssociation; CausedByException is:
Authentication exception, principal=null

I tried with and without the following in the ejb-jar.xml file for the UnSecuredEJB:
<method-permission>

<ejb-name>UnSecuredEJB</ejb-name>
<method-name>*</method-name>

</method-permission>

In jboss.xml file for this UnSecureEJB
I tired both
no security-domain tag and one with <security-domain/>
Still no change.

The moment I remove the security from my SecuredEJB (in the other jar file).
Everything works fine.

Any ideas how to prevent this from happenning.

And how can a secured and unsecured EJB co-exist in the same application?
How a secured and unsecured EJB could co-exist in the same jar file, if its possible with JBoss as its possible in Weblogic?

Thanks,
Rahul

1. Re: Authentication exception principal =null when I dont wan

msmckibben May 20, 2003 2:14 AM (in response to rshinde)

Did you ever find a solution to this problem? I have exactly the same problem with 3.2.

The only hack/workaround is to have an adapter layer between my clients that log into JAAS with the JBoss client-adapter. I shouldn't have to perform a login for unchecked method permissions!
Actions
2. Re: Authentication exception principal =null when I dont wan

zorzella May 21, 2003 4:42 PM (in response to rshinde)

I'm also interested in the topic. All my attempts to have unchecked methods seem to fail.

Another related issue is that I wanted to query the DB through an (unchecked) EJB to get the username/password info, but that results in an infinite loop, because the security interceptor is calling my Login handler even for this unchecked method.

Any info is appraciated. Thanks,

Zorzella
Actions
3. Re: Authentication exception principal =null when I dont wan

zorzella May 22, 2003 1:25 PM (in response to rshinde)

I found the reason for that. The "unchecked" flag relates to authorization, not authentication. In other words, any authenticated user, regardless of role, may execute it, but non-authenticated users can't. I, personally, think that is just silly -- a gross oversight -- but that is what all the docs seem to imply. Check the dtd at http://java.sun.com/dtd/ejb-jar_2_0.dtd:

*********
The method-permission element consists of an optional description, a list of security role names or an indicator to state that the method is unchecked for authorization, and a list of method elements.
*********

Note the use of the word authorization, rather than authentication.

Zorzella
Actions
4. Re: Authentication exception principal =null when I dont wan

juhalindfors May 24, 2003 3:35 AM (in response to rshinde)

see unauthenticatedIdentity property in the JBoss security docs, I think that's what you're looking for
Actions

Go to original post