1. Re: Invoking "unchecked" method from servlet init()
juhalindfors Jul 24, 2003 7:13 AM (in response to vprise)
Try setting unathenticatedIdentity for your login module.
-- Juha
2. Re: Invoking "unchecked" method from servlet init()
vprise Jul 24, 2003 1:13 PM (in response to vprise)
Thanks for the quick reply. Where do I set unathenticatedIdentity?
I searched the forums, Google and the source code and found nothing on the subject. I'll try setting it as a parameter to the login module.
3. Re: Invoking "unchecked" method from servlet init()
vprise Jul 24, 2003 1:15 PM (in response to vprise)
Just a second after posting this, it turns out I already have this code in my login-config.xml:
<login-module code="org.jboss.security.auth.spi.AnonLoginModule" flag="required">
    <module-option name="unauthenticatedIdentity">guest</module-option>
</login-module>
You must have misspelled the string. Anyway, this obviously doesn't help since I don't go through the login module during the servlet init() method.
4. Re: Invoking "unchecked" method from servlet init()
vprise Jul 25, 2003 7:02 AM (in response to vprise)
Okay, I wrote a workaround. It's crap and I didn't want to do this, but apparently it's the only way that works that doesn't involve getting deep into the guts of JBoss.
I created a servlet that starts a thread in the init() method and calls itself over by requesting its own URL. Then the servlet service method that is running as a guest user can perform the initialization.
This sucks! While it works, it's:
1. Insecure, since initialization can be a lengthy process, people over on the internet can use it as a DoS attack by simply requesting the servlet (they couldn't do the same with a session bean, even a remote session bean won't be accessible via the firewall).
2. I have to wait 1 second within the init() in order to do the callback. So JBoss may claim that it finished initialization when in fact it hasn't.
I think the whole JBoss security module is really problematic; someone tried to make it elegant and instead made it too complex and almost useless.
5. Re: Invoking "unchecked" method from servlet init()
vprise Jul 25, 2003 10:39 AM (in response to vprise)
Even this doesn't work and I'm getting tired of this whole thing.
By using unauthenticatedIdentity the servlet gets the guest role, but whenever my webclient tries to enter the page (with Basic authentication) it gets back the wrong HTTP reply (as if the permission is denied rather than authentication is required).
6. Re: Invoking "unchecked" method from servlet init()
pkrishna Jul 31, 2003 5:48 PM (in response to vprise)
I have a similar problem where I am using some login modules. The method permission is set to unchecked for a create, but I get an exception:
17:42:06,787 ERROR [LogInterceptor] EJBException, causedBy:
java.lang.SecurityException: Insufficient method permissions, principal=Eric, method=create, interface=HOME, requiredRoles=[], principalRoles=null
Any help will be appreciated.