2 Replies Latest reply on Jul 7, 2004 4:34 PM by starksm64

    servlet call EJB secured -> Authentication exception, princi

    pedrosalazar
    pedrosalazar Jul 1, 2004 4:33 PM

      Greetings,

      I'm trying to invoke a secured EJB (methods permission) in my servet but even with the run-as in my web.xml to set the role authorized in my EJB, I got always the error below:

      2004-07-01 21:19:52,661 ERROR [org.jboss.web.localhost.Engine] StandardWrapperValve[ServiceServlet]: Servlet.service() for servlet ServiceServlet threw exception
javax.ejb.EJBException: checkSecurityAssociation; CausedByException is:
 Authentication exception, principal=null


      My web.xml: 
      <web-app>
 <servlet>
 <servlet-name>ServiceServlet</servlet-name>
 <display-name>Service HTTP/XML Servlet</display-name>
 <description>UIF Interface HTTP/XML</description>
 <servlet-class>pt.ptinovacao.nginpro.uif.http.ServiceServlet</servlet-class>

 <load-on-startup>5</load-on-startup>
 <run-as>
 <role-name>engine-user</role-name>
 </run-as>
 ...
 <security-role>
 <description>permission to execute UIF engine</description>
 <role-name>engine-user</role-name>
 </security-role>

 </servlet>
</web-app>


      My ejb-jar.xml of my EJB: 
      <ejb-jar >
...
 <method-permission >
 <description>role granted</description>
 <role-name>engine-user</role-name>
 <method >
 <description>create method</description>
 <ejb-name>ServiceManager</ejb-name>
 <method-intf>LocalHome</method-intf>
 <method-name>create</method-name>
 <method-params>
 </method-params>
 </method>
 </method-permission>
</ejb-jar>


      Any help would be very appreciated.

      Regards,
      Pedro Salazar.

      • 3324 Views
      • Tags:
        • 1. Re: servlet call EJB secured -> Authentication exception, pr
          pedrosalazar
          pedrosalazar Jul 5, 2004 10:25 AM (in response to pedrosalazar)

          Hi,

          Apparently, the problem is not a failure of the role permission verification, but a problem of a null user authentication. I mean, I set the run-as role in my web.xml, but since I didn't defined any authentication in my web application, the principal was always null.

          I imagine the workflow something like this:

          1) User authentication
          2) role permission

          So, if the in step 1) there isn't any user, the role permission verification in 2) will always fail, probably because of this:

          java.security.Principal getCallerPrincipal()
boolean isCallerInRole(String roleName)

          I workaround this by setting a dummy user in login-config.xml for the "other" profile to avoid the null principal: 
           <authentication>
 <login-module code = "org.jboss.security.auth.spi.UsersRolesLoginModule"
 flag = "required" >
 <module-option name = "unauthenticatedIdentity">nobody</module-option>

 </login-module>
 </authentication>

          So, I would like to ask a new question:

          -How can I set a Principal in my servlet code for the JAAS authentication in a programatic way?

          If the Principal is null, then I set a dummy Principal, and using the "run-as" element in web.xml, I could solved the problem...

          The advantage is avoiding a specific JBOSS configuration, even I'm developing for JBOSS.

          Regards,
          Pedro Salazar.

            • Actions
          • 2. Re: servlet call EJB secured -> Authentication exception, pr
            starksm64
            starksm64 Jul 7, 2004 4:34 PM (in response to pedrosalazar)

            You can't. There is no portable spec method for establishing the anonymous caller identity.

              • Actions