2 Replies Latest reply on Aug 5, 2004 7:26 PM by auckyboy

    Problems Using DatabaseServerLoginModule

    natalia

      Hi,
      I'm having problems setting up JAAS security in JBoss 3.2.3.
      (I have a few years' experience as a Java programmer, but JBoss is relatively new to me.) I would be grateful if someone could help me with this problem.
      I configured DatabaseServerLoginModule, set up the Principals and Roles tables in HSQL as described in the JBoss documentation, and wrote a custom CallbackHandler.
      When I invoke login from a servlet, the Subject is found correctly as defined in the database tables and the login parameters supplied to the handler. So the user was authenticated: the user name and role are printed out correctly. The test code is:

      // Authenticate against the "client-login" application policy
      LoginContext loginContext = new LoginContext("client-login", handler);
      loginContext.login();
      Subject subject = loginContext.getSubject();
      System.out.println("Subject from servlet : " + subject.toString());
      // Call the EJB through the business delegate
      accDelegate = new AccountDelegate();
      String message = accDelegate.createAccountFacade();
      System.out.println(message);


      When I try to create the AccountFacade bean (a stateful session bean) from the accDelegate object (the Business Delegate and Service Locator design patterns are applied), I get "SecurityException: insufficient method permissions. Required role=[Buyer] principal roles=null". But the servlet already confirmed that the Principal was authenticated with the role 'Buyer'. It looks like the authenticated Subject is not propagated by the container with the next method call.
      The other settings are as follows:

      login-config.xml
      <policy>
        <!-- Used by clients within the application server VM such as
             mbeans and servlets that access EJBs.
        -->
        <application-policy name = "client-login">
          <authentication>
            <login-module code = "org.jboss.security.ClientLoginModule"
                          flag = "required">
            </login-module>
          </authentication>
        </application-policy>

        <!-- =================================================================================
             LOGIN MODULE added by me
             Login module uses the database to check user name and password -->

        <application-policy name = "dbAuthentication">
          <authentication>
            <login-module code = "org.jboss.security.auth.spi.DatabaseServerLoginModule"
                          flag = "required">
              <module-option name = "unauthenticatedIdentity">nobody</module-option>
              <module-option name = "dsJndiName">java:/DefaultDS</module-option>
            </login-module>
          </authentication>
        </application-policy>

        <!-- =================================================================================== -->

      </policy>
      
      auth.conf
      other {
        // jBoss LoginModule
        org.jboss.security.ClientLoginModule required;

        // Put your login modules that need jBoss here
      };

      client-login {
        // jBoss LoginModule
        org.jboss.security.ClientLoginModule required;

        // Put your login modules that need jBoss here
      };

      dbAuthentication {
        // jBoss LoginModule added by me
        // (module options belong between the flag and the terminating semicolon)
        org.jboss.security.auth.spi.DatabaseServerLoginModule required
            unauthenticatedIdentity="nobody"
            dsJndiName="java:/DefaultDS";

        // Put your login modules that need jBoss here
      };
      
      jboss.xml
      <?xml version="1.0" encoding="UTF-8"?>
      <!DOCTYPE jboss PUBLIC "-//JBoss//DTD JBOSS 3.2//EN" "http://www.jboss.org/j2ee/dtd/jboss_3_2.dtd">
      <jboss>
        <security-domain>java:/jaas/dbAuthentication</security-domain>
        <unauthenticated-principal>nobody</unauthenticated-principal>
        <enterprise-beans>
          <session>
            <ejb-name>AccountFacadeBean</ejb-name>
            <jndi-name>AccountFacadeBean</jndi-name>
          </session>
          <session>
            <ejb-name>AccountControl</ejb-name>
            <jndi-name>AccountControl</jndi-name>
            <local-jndi-name>AccountControlLocal</local-jndi-name>
          </session>
        </enterprise-beans>
      </jboss>
      
      ejb-jar.xml
        ................ other tags ............
        <security-role>
          <role-name>Buyer</role-name>
        </security-role>
        <security-role>
          <role-name>Supplier</role-name>
        </security-role>
        <method-permission>
          <role-name>Buyer</role-name>
          <method>
            <ejb-name>AccountFacadeBean</ejb-name>
            <method-intf>Home</method-intf>
            <method-name>create</method-name>
          </method>
          <method>
            <ejb-name>AccountFacadeBean</ejb-name>
            <method-intf>Remote</method-intf>
            <method-name>getUser</method-name>
          </method>
        </method-permission>
      


      Thank you in advance
      Natalia
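The HSQL layout that DatabaseServerLoginModule's default principalsQuery and rolesQuery read, as an added example that is not part of the original post: the table and column names are the module's defaults, while the users, passwords and role rows are constructed sample data for illustration.

```sql
-- Constructed example schema for HSQL (not from the original post).
-- Table and column names match DatabaseServerLoginModule's default queries:
--   principalsQuery: select Password from Principals where PrincipalID=?
--   rolesQuery:      select Role, RoleGroup from Roles where PrincipalID=?
CREATE TABLE Principals (
    PrincipalID VARCHAR(64) NOT NULL PRIMARY KEY,
    Password    VARCHAR(64) NOT NULL
);

CREATE TABLE Roles (
    PrincipalID VARCHAR(64) NOT NULL,
    Role        VARCHAR(64) NOT NULL,
    RoleGroup   VARCHAR(64) NOT NULL,
    PRIMARY KEY (PrincipalID, Role, RoleGroup)
);

-- Constructed sample users. The Password column holds whatever form the
-- module is configured to compare against; plain text is shown here only
-- as a placeholder.
INSERT INTO Principals VALUES ('natalia', 'placeholder-password-1');
INSERT INTO Principals VALUES ('acme',    'placeholder-password-2');

-- Only rows whose RoleGroup is 'Roles' become the caller's application roles,
-- which is what the EJB container compares against <method-permission>.
INSERT INTO Roles VALUES ('natalia', 'Buyer',    'Roles');
INSERT INTO Roles VALUES ('acme',    'Supplier', 'Roles');

-- A row in any other RoleGroup is not treated as a role for method
-- permissions; 'CallerPrincipal' instead renames the caller's principal.
-- INSERT INTO Roles VALUES ('natalia', 'Natalia Smith', 'CallerPrincipal');

-- What the container will see as roles for a given login name.
SELECT Role
  FROM Roles
 WHERE PrincipalID = 'natalia'
   AND RoleGroup   = 'Roles';
```

If the last query returns no rows for a user who authenticates successfully, the EJB layer will still report principal roles=null, so it is a quick check to run before changing the JAAS configuration.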