2 Replies Latest reply on Feb 13, 2004 4:10 AM by paulhilliar

    EJB Security across different servers

    paulhilliar

      Hi,

      I am using jboss-3.2.1_tomcat-4.1.24 and I have a problem with the security configuration when using a web app on one jboss server that calls ejb methods on another jboss server.

      The EJB has a mixture of secured (declarative security) and non-secured methods. The web app and ejb share the same security domain

      <security-domain>java:/jaas/COMSecurityDomain</security-domain>

      (in both jboss-web.xml and jboss.xml)

      In the login-config.xml on both servers, I have the security domain configured:

      <application-policy name = "COMSecurityDomain">
        <login-module code = "com.staffware.frameworks.base.security.jboss.StaffwareLoginModule" flag = "required" />
      </application-policy>

      I have implemented a Login Module (extending AbstractServerLoginModule) that authenticates against a 3rd party system (Staffware).

      The ejb calls are made from a servlet in the web app. The servlet can be accessed from protected and unprotected contexts (web app security).

      When the web app and the ejb are on the same server, you log into the web app using forms authentication (invoking the custom login module) and invoke the servlet. This doesn't need to call the login module again because the web app and ejb share the same security domain and are on the same server. The ejb is properly protected no problem. The ejb is also protected if you call it from a non-protected part of the web app.

      Here's the problem:
      When the EJB is on another server, I:
      - log in to the web app (login module gets called)
      - invoke the servlet to call the ejb - (login module on the EJB server gets called)
      That's OK.

      If I:
      - start a completely new browser
      - from the unsecure part of the web app, call the EJB unsecured method, I pick up the principal from the previously logged in user.
      - call the secured method (remember I am unauthenticated) AND IT LETS ME under the principal from the previously logged in user!


      This doesn't happen if I call the methods in reverse order, i.e. secured method first.


      What's going wrong?


      Thanks in advance


      Paul Hilliar.
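One defensive pattern for the cross-server call described in the post, added here as an example and not code from the post, from Staffware, or from JBoss itself: it assumes the stale principal comes from JBoss's client-side security association, which the EJB invoker sends along with every remote call, and that the standard "client-login" entry (org.jboss.security.ClientLoginModule) is present in login-config.xml. The JNDI URL, EJB name, and the idea of narrowing to a home interface are hypothetical placeholders; the point is that the propagated identity is established and cleared per request instead of being left behind on the thread.

```java
import java.util.Hashtable;
import javax.naming.Context;
import javax.naming.InitialContext;
import javax.security.auth.login.LoginContext;
import org.jboss.security.auth.callback.UsernamePasswordHandler;

public class RemoteEjbCaller {

    // Hypothetical values: the remote JBoss server's JNP endpoint and the EJB's JNDI name.
    private static final String REMOTE_PROVIDER_URL = "jnp://ejb-server.example:1099";
    private static final String EJB_JNDI_NAME = "ejb/ComFacade";

    /**
     * Looks up the remote EJB home with an identity scoped to this call only.
     *
     * The JAAS "client-login" configuration (JBoss ClientLoginModule) stores the given
     * principal and credential in the client-side security association that the
     * remote invoker forwards to the EJB server. logout() in the finally block clears
     * that association, so a later call on the same thread, e.g. from an unauthenticated
     * part of the web app, cannot ride on a previous user's identity.
     */
    public static Object lookupWithIdentity(String user, String password) throws Exception {
        LoginContext lc = new LoginContext("client-login",
                new UsernamePasswordHandler(user, password));
        lc.login();
        try {
            Hashtable env = new Hashtable();
            env.put(Context.INITIAL_CONTEXT_FACTORY, "org.jnp.interfaces.NamingContextFactory");
            env.put(Context.PROVIDER_URL, REMOTE_PROVIDER_URL);
            Context ctx = new InitialContext(env);
            Object homeRef = ctx.lookup(EJB_JNDI_NAME);
            // Narrow to the application's own home interface and invoke the secured
            // method here; the call is made while the per-request identity is active.
            return homeRef;
        } finally {
            lc.logout(); // always clear the propagated identity, even when the call fails
        }
    }
}
```

A servlet reached from an unprotected context has no authenticated user to pass here, so it should not make the remote call with whatever identity a previous request left on the thread; scoping the login and logout around each call makes that state explicit.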