Form Authentication
jh9999 Oct 31, 2005 12:43 PM

I would like to start by stating that I'm a beginner in JAAS security. I have read Mr. Stark's Howto and implemented the example with no problem using <auth-method>BASIC</auth-method>; however, when I changed the login-config to <auth-method>FORM</auth-method>, the Echo (EchoUser) role is no longer propagating to the echo method in the PublicSession EJB.

Here is my code:
web.xml

    ...
    <security-constraint>
        <web-resource-collection>
            <web-resource-name>Restricted</web-resource-name>
            <description>Declarative security tests</description>
            <url-pattern>/restricted/*</url-pattern>
            <http-method>HEAD</http-method>
            <http-method>GET</http-method>
            <http-method>POST</http-method>
            <http-method>PUT</http-method>
            <http-method>DELETE</http-method>
        </web-resource-collection>
        <auth-constraint>
            <role-name>Echo</role-name>
        </auth-constraint>
        <user-data-constraint>
            <description>no description</description>
            <transport-guarantee>NONE</transport-guarantee>
        </user-data-constraint>
    </security-constraint>
    <login-config>
        <auth-method>FORM</auth-method>
        <form-login-config>
            <form-login-page>/login.jsp</form-login-page>
            <form-error-page>/error.jsp</form-error-page>
        </form-login-config>
    </login-config>
    <security-role>
        <description>A user allowed to invoke echo methods</description>
        <role-name>Echo</role-name>
    </security-role>
    ...

ejb-jar.xml

    <enterprise-beans>
        <session>
            <description>A trivial stateless session echo bean</description>
            <ejb-name>PublicSession</ejb-name>
            <home>org.jboss.docs.jaas.howto.SessionHome</home>
            <remote>org.jboss.docs.jaas.howto.Session</remote>
            <ejb-class>org.jboss.docs.jaas.howto.PublicSessionBean</ejb-class>
            <session-type>Stateless</session-type>
            <transaction-type>Container</transaction-type>
            <ejb-ref>
                <ejb-ref-name>ejb/PrivateSession</ejb-ref-name>
                <ejb-ref-type>Session</ejb-ref-type>
                <home>org.jboss.docs.jaas.howto.SessionHome</home>
                <remote>org.jboss.docs.jaas.howto.Session</remote>
                <ejb-link>PrivateSession</ejb-link>
            </ejb-ref>
            <security-role-ref>
                <role-name>EchoUser</role-name>
                <role-link>Echo</role-link>
            </security-role-ref>
            <security-identity>
                <run-as>
                    <role-name>InternalUser</role-name>
                </run-as>
            </security-identity>
        </session>
        ...
    </enterprise-beans>
The problem is that in EJBServlet.java, request.isUserInRole("EchoUser") returns false instead of true, but when the authentication method is Basic it returns true.

Here is a slice of the error stack:
    11:57:56,082 ERROR [SecurityInterceptor] Insufficient method permissions, principal=null, method=echo, interface=REMOTE, requiredRoles=[Echo], principalRoles=[]
    11:57:56,082 ERROR [LogInterceptor] EJBException in method: public abstract java.lang.String org.jboss.docs.jaas.howto.Session.echo(java.lang.String) throws java.rmi.RemoteException, causedBy:
    java.lang.SecurityException: Insufficient method permissions, principal=null, method=echo, interface=REMOTE, requiredRoles=[Echo], principalRoles=[]
How can I fix this problem? Please advise.