1. Re: confusion about when requiredRoles=[] (i.e. no required
tcherel Jan 15, 2005 6:24 AM (in response to davehaas)
I believe that you will have to explicitly say in the ejb-jar.xml that no roles checking is required:
<method-permission>
  <unchecked/>
  <method>
    <ejb-name>[your bean name]</ejb-name>
    <method-name>*</method-name>
  </method>
</method-permission>
Thomas
2. Re: confusion about when requiredRoles=[] (i.e. no required
davehaas Jan 15, 2005 2:22 PM (in response to davehaas)
Hi Thomas.
I tried your suggestion but I'm still having some problems. I got it to work using the following setup, but I'm not completely sure it's the proper solution.
1) It seems that you HAVE to have a security domain set up in the jboss-service.xml file to use the jrmp invoker using SSL. If I try to run the jrmp invoker without having defined a security domain it blows up. So, I have this in jboss-service.xml:
<!-- Secure RMI/JRMP invoker -->
<mbean code="org.jboss.invocation.jrmp.server.JRMPInvoker"
       name="jboss:service=invoker,type=jrmp,socketType=SSL">
  <attribute name="RMIObjectPort">14445</attribute>
  <attribute name="RMIClientSocketFactory">org.jboss.security.ssl.RMISSLClientSocketFactory</attribute>
  <attribute name="RMIServerSocketFactory">org.jboss.security.ssl.RMISSLServerSocketFactory</attribute>
  <attribute name="SecurityDomain">java:/jaas/simpleSecureSB</attribute>
  <depends>jboss:service=TransactionManager</depends>
  <depends>jboss.security:service=JaasSecurityDomain,domain=simpleSecureSB</depends>
</mbean>
2) Given that you have to have a security domain defined in jboss-service.xml, you also have to then configure how the authentication works in login-config.xml (otherwise the 'other' domain kicks in). So, I have a simple security domain with the unauthenticatedIdentity attribute set to 'everyone'. Now at least when the client doesn't send any credentials at all, the 'everyone' user is assigned instead. So, I have this in login-config.xml:
<application-policy name="simpleSecureSB">
  <authentication>
    <login-module code="org.jboss.security.auth.spi.UsersRolesLoginModule" flag="required">
      <module-option name="unauthenticatedIdentity">everyone</module-option>
    </login-module>
  </authentication>
</application-policy>
3) In the ejb-jar.xml descriptor I have:
<assembly-descriptor>
  <method-permission>
    <unchecked/>
    <method>
      <ejb-name>simpleSecureSB</ejb-name>
      <method-name>*</method-name>
    </method>
  </method-permission>
</assembly-descriptor>
4) In the jboss.xml file I have assigned the session bean to the appropriate security domain and told it to use the jrmp invoker over SSL:
<security-domain>java:/jaas/simpleSecureSB</security-domain>
<enterprise-beans>
  <session>
    <ejb-name>simpleSecureSB</ejb-name>
    <jndi-name>ejb/simpleSecureSB</jndi-name>
    <configuration-name>Standard Stateless SessionBean</configuration-name>
    <invoker-bindings>
      <invoker>
        <invoker-proxy-binding-name>stateless-ssl-invoker</invoker-proxy-binding-name>
      </invoker>
    </invoker-bindings>
  </session>
</enterprise-beans>
Does the setup seem reasonable? It works, but I'm not sure if it can be streamlined any more ...
Cheers,
Dave
3. Re: confusion about when requiredRoles=[] (i.e. no required
tcherel Jan 15, 2005 6:01 PM (in response to davehaas)
I am not a JRMP/SSL expert, but if it requires a security domain, then the rest of the setup is the correct one.
Thomas
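An added example, not part of the thread and not JBoss code: a small audit script that reads descriptors like the ones posted above and lists beans whose every method is `<unchecked/>` while their security domain sets `unauthenticatedIdentity`, so a reviewer can confirm that anonymous access is intended. The sample XML is constructed (the `adminSB` bean and `admin` role are hypothetical), the descriptors are assumed to be namespace-free DTD-style files, and the bean-to-domain mapping is passed in by hand rather than parsed from jboss.xml.

```python
import xml.etree.ElementTree as ET

# Constructed samples modelled on the ejb-jar.xml and login-config.xml in the thread.
EJB_JAR = """<ejb-jar><assembly-descriptor>
  <method-permission><unchecked/>
    <method><ejb-name>simpleSecureSB</ejb-name><method-name>*</method-name></method>
  </method-permission>
  <method-permission><role-name>admin</role-name>
    <method><ejb-name>adminSB</ejb-name><method-name>purge</method-name></method>
  </method-permission>
</assembly-descriptor></ejb-jar>"""

LOGIN_CONFIG = """<policy><application-policy name="simpleSecureSB"><authentication>
  <login-module code="org.jboss.security.auth.spi.UsersRolesLoginModule" flag="required">
    <module-option name="unauthenticatedIdentity">everyone</module-option>
  </login-module>
</authentication></application-policy></policy>"""

def unchecked_methods(ejb_jar_xml):
    """Return sorted (ejb-name, method-name) pairs granted via <unchecked/>."""
    found = set()
    for perm in ET.fromstring(ejb_jar_xml).iter("method-permission"):
        if perm.find("unchecked") is None:
            continue  # this permission is restricted to named roles
        for m in perm.findall("method"):
            found.add((m.findtext("ejb-name", "").strip(),
                       m.findtext("method-name", "").strip()))
    return sorted(found)

def anonymous_domains(login_config_xml):
    """Map application-policy name -> unauthenticatedIdentity, where one is set."""
    result = {}
    for policy in ET.fromstring(login_config_xml).iter("application-policy"):
        for opt in policy.iter("module-option"):
            if opt.get("name") == "unauthenticatedIdentity":
                result[policy.get("name")] = (opt.text or "").strip()
    return result

def open_beans(ejb_jar_xml, login_config_xml, bean_domains):
    """Beans with all methods unchecked whose domain admits unauthenticated callers."""
    # bean_domains: bean name -> <security-domain> value from jboss.xml (assumed input)
    anon = anonymous_domains(login_config_xml)
    hits = []
    for bean, method in unchecked_methods(ejb_jar_xml):
        domain = bean_domains.get(bean, "").rsplit("/", 1)[-1]  # drop "java:/jaas/"
        if method == "*" and domain in anon:
            hits.append(bean)
    return hits

print(open_beans(EJB_JAR, LOGIN_CONFIG, {"simpleSecureSB": "java:/jaas/simpleSecureSB"}))
```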