6 Replies Latest reply on Apr 17, 2003 12:06 PM by petertje

principalRoles=null after login from client app

lordlust Apr 17, 2003 6:30 AM

I have secured a stateless session bean with jaas, using custom login modules. When i login using a servlet, everything works fine, I can access the secured methods of the session bean.
However, when i login from a client application, I get the following security exception when trying to call the create method of the session bean:

java.lang.SecurityException: Insufficient method permissions, principal=jlust, method=create, interface=HOME, requiredRoles=[top], principalRoles=null

The login modules do work as expected, the login succeeds and the correct principals are added to the "Roles" group of the Subject, but somehow the Roles-group is lost by the time the create-method is called.

Does anyone know what i could be doing wrong here?

1. Re: principalRoles=null after login from client app

petertje Apr 17, 2003 7:43 AM (in response to lordlust)

did you use ClientLoginModule in your client app?

Peter
Actions
2. Re: principalRoles=null after login from client app

lordlust Apr 17, 2003 8:02 AM (in response to lordlust)

Yes, here's my auth.conf:

other {
be.ac.rug.security.loginmodules.ClientLoginModule required;
};
Actions
3. Re: principalRoles=null after login from client app

petertje Apr 17, 2003 8:33 AM (in response to lordlust)

sorry, i meant the jboss ClientLoginModule
I can not see from here if your be.ac.rug.security.loginmodules.ClientLoginModule is implemented correctly.
Why don't you just use the jboss ClientLoginModule?
Actions
4. Re: principalRoles=null after login from client app

lordlust Apr 17, 2003 10:00 AM (in response to lordlust)

I just tried using the jboss ClientLoginModule, but the problem is still there.
The reason we're using a custom ClientLoginModule is because we need a username, password and pin-code to log in.
Actions
5. Re: principalRoles=null after login from client app

lordlust Apr 17, 2003 10:41 AM (in response to lordlust)

OK, i found the problem, the login-config on the server had the wrong login module.
Actions
6. Re: principalRoles=null after login from client app

petertje Apr 17, 2003 12:06 PM (in response to lordlust)

Let me clarify this: using your own custom login module is ok, but in a client application (i.e. a different VM) you should combine your own custom login module with JBoss' ClientLoginModule. The last will take care of associating proper security credentials with any thread that is calling an EJB. If you are not using this module, you might get such behaviour as you described: the login succeeds, but subsequent calls fail with a security exception.

Hope this helps...
Peter.
Actions

Go to original post