3 Replies Latest reply on Mar 3, 2004 4:54 AM by starksm64

    Security flaw in JBoss ?

    joaocm

      Hi,

      I have created some SLSBs with declarative security and a custom Login Module. I have a text-mode client that uses JBoss client-login and needs to be (as expected) validated before I make some calls to the beans.

      But now, I'm developing a new client that is based on eclipse (an eclipse plugin). With this one it is possible to call my EJB methods without logging in and even without configuring the client-login module!! The security is ignored!

      In an eclipse plugin, because each plugin has its own classloader, we need to do the following to properly create an EJBHome reference. Maybe the problem is there! Does anyone know about this problem??

      import javax.ejb.EJBHome;
      import javax.rmi.PortableRemoteObject;

      // getInitialContext(), getContextClassLoader() and log are helpers
      // defined elsewhere in the plugin.
      protected EJBHome getSeviceHome(String serviceName, Class clazz)
      {
          // Change the ClassLoader to the one the InitialContext needs
          ClassLoader oldClassLoader = Thread.currentThread().getContextClassLoader();
          Thread.currentThread().setContextClassLoader(getContextClassLoader());

          try
          {
              Object objref = getInitialContext().lookup(serviceName);
              EJBHome home = (EJBHome) PortableRemoteObject.narrow(objref, clazz);
              return home;
          }
          catch (Throwable e)
          {
              log.fatal(e);
              return null;
          }
          finally
          {
              // reset the context classloader
              Thread.currentThread().setContextClassLoader(oldClassLoader);
          }
      }
      


        • 1. Re: Security flaw in JBoss ?
          starksm64

          Without a specification and configuration of a security-domain in a jboss.xml descriptor there is no security. Validate that the eclipse plugin is correctly configuring the jboss.xml descriptor.

          • 2. Re: Security flaw in JBoss ?
            joaocm

            jboss.xml is correctly configured in the Server. I'm using an eclipse plugin as an EJB client.

            The problem is that my eclipse plugin client bypasses the security context that I have configured.
            But if I use my command-line client it works as expected (the login process must be done to call some method).

            Debugging my EJB I see that the principal in the session context is null when called by the eclipse plugin. But the method is called and works.

            ejb-jar.xml

            ...
            <method-permission>
                <description></description>
                <role-name>customer</role-name>
                <role-name>internal</role-name>
                <method>
                    <description></description>
                    <ejb-name>ProjectService</ejb-name>
                    <method-name>*</method-name>
                </method>
            </method-permission>
            ...


            jboss.xml

            <jboss>
                <security-domain>java:/jaas/sinergia</security-domain>
                <enterprise-beans>
                    <session>
                        <ejb-name>ProjectService</ejb-name>
                        <jndi-name>ProjectService</jndi-name>
                    </session>
                </enterprise-beans>
                <resource-managers>
                </resource-managers>
            </jboss>
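starksm64's point above is that a method-permission in ejb-jar.xml is only enforced when jboss.xml also names a security-domain. The following is an added example (not code from the thread or from JBoss) that cross-checks the two descriptors as deployed: it lists every bean placed under a method-permission and reports them when jboss.xml carries no security-domain. The sample descriptors are constructed after the ones quoted in this thread; the JBoss element names used are the ones shown there.

```python
import xml.etree.ElementTree as ET

# Constructed sample descriptors, modelled on the ones quoted above.
EJB_JAR_XML = """<ejb-jar><assembly-descriptor>
 <method-permission>
  <role-name>customer</role-name><role-name>internal</role-name>
  <method><ejb-name>ProjectService</ejb-name><method-name>*</method-name></method>
 </method-permission>
</assembly-descriptor></ejb-jar>"""

JBOSS_XML_SECURED = """<jboss>
 <security-domain>java:/jaas/sinergia</security-domain>
 <enterprise-beans><session>
  <ejb-name>ProjectService</ejb-name><jndi-name>ProjectService</jndi-name>
 </session></enterprise-beans>
</jboss>"""

# Same deployment with the security-domain element left out.
JBOSS_XML_UNSECURED = """<jboss>
 <enterprise-beans><session>
  <ejb-name>ProjectService</ejb-name><jndi-name>ProjectService</jndi-name>
 </session></enterprise-beans>
</jboss>"""


def protected_beans(ejb_jar_xml):
    """Return the ejb-names that ejb-jar.xml places under a method-permission."""
    root = ET.fromstring(ejb_jar_xml)
    names = set()
    for perm in root.iter("method-permission"):
        for method in perm.findall("method"):
            name = method.findtext("ejb-name")
            if name and name.strip():
                names.add(name.strip())
    return names


def security_domain(jboss_xml):
    """Return the security-domain declared in jboss.xml, or None if absent/empty."""
    root = ET.fromstring(jboss_xml)
    domain = root.findtext("security-domain")
    return domain.strip() if domain and domain.strip() else None


def audit(ejb_jar_xml, jboss_xml):
    """Beans whose method-permission will not be enforced: permissions are
    declared but jboss.xml names no security-domain to check them against."""
    if security_domain(jboss_xml) is not None:
        return []
    return sorted(protected_beans(ejb_jar_xml))
```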
            


            • 3. Re: Security flaw in JBoss ?
              starksm64

              I don't use eclipse, so try the JBossIDE forum.