Problem extending Web security to EJBs
flarosa Jan 20, 2006 12:35 PM
Hello,
I am able to set up accounts and protect web resources in my application, but I'm unable to figure out how to protect my EJBs.
Here is what I have done so far:
(1) I created users.properties and roles.properties files, and deployed them to the ".ear" directory.
(2) I did not create any jboss-web.xml file, so my default security realm ought to be the one defined in the jboss-service.xml file in the Tomcat directory; i.e. java:/jaas/other.
(3) I added all of this to my web.xml file:
<security-constraint>
    <web-resource-collection>
        <web-resource-name>Administrative</web-resource-name>
        <url-pattern>/admin/*</url-pattern>
        <http-method>GET</http-method>
        <http-method>POST</http-method>
    </web-resource-collection>
    <auth-constraint>
        <role-name>Producer</role-name>
    </auth-constraint>
</security-constraint>
<login-config>
    <auth-method>BASIC</auth-method>
    <realm-name>default</realm-name>
</login-config>
<security-role>
    <description>Website producers</description>
    <role-name>Producer</role-name>
</security-role>
So far this does what I want: when I try to access any web resource at or below /admin, I'm prompted for a login. Entering a name and password from the users.properties file which has the Producer role lets me in.
Next, I want to assign the same protection to some EJB methods, so I did this:
(1) I created a jboss.xml file and typed this into it:
<security-domain>java:/jaas/other</security-domain>
(2) I deployed the jboss.xml file to my EJB's META-INF directory (same place as ejb-jar.xml).
(3) I modified my ejb-jar.xml file as follows:
<security-role>
    <role-name>Producer</role-name>
</security-role>
<method-permission>
    <role-name>Producer</role-name>
    <method>
        <ejb-name>DataServices</ejb-name>
        <method-name>*</method-name>
    </method>
</method-permission>
(4) I added this code to my EJB client application, which runs outside of the JBoss container:
import java.util.Hashtable;
import javax.naming.Context;
import javax.naming.InitialContext;
// JNDI environment for the remote lookup; args[0] is the provider URL
Hashtable ht = new Hashtable();
ht.put(Context.INITIAL_CONTEXT_FACTORY, "org.jnp.interfaces.NamingContextFactory");
ht.put(Context.PROVIDER_URL, args[0]);
ht.put(Context.URL_PKG_PREFIXES, "org.jboss.naming:org.jnp.interfaces");
ht.put(Context.SECURITY_PRINCIPAL, username);
ht.put(Context.SECURITY_CREDENTIALS, password);
ht.put(Context.SECURITY_AUTHENTICATION, "simple");
Context ctx = new InitialContext(ht);
Regardless of what username and password I pass here - valid or invalid - I get this exception when I try to call the create() method on the EJB's home object:
java.rmi.ServerException: RemoteException occurred in server thread; nested exception is:
java.rmi.AccessException: SecurityException; nested exception is:
javax.security.auth.login.FailedLoginException: Password Incorrect/Password Required
It would seem that while JBoss has correctly figured out that some sort of login is required to access the EJB, it does not recognize the supplied credentials.
Any advice would be appreciated, thanks.
Frank
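Added example, not code from Frank's post: a standalone client that performs the login the JBoss 4.x EJB security interceptors actually consult. It assumes the JBoss 4.x model in which a remote EJB invocation carries the principal recorded by a client-side JAAS login through org.jboss.security.ClientLoginModule, whereas the plain org.jnp.interfaces.NamingContextFactory does not forward Context.SECURITY_PRINCIPAL/SECURITY_CREDENTIALS to the EJB layer; the auth.conf file, the login entry name "other" and the JNDI name "DataServices" are assumptions.

```java
import java.util.Hashtable;
import javax.naming.Context;
import javax.naming.InitialContext;
import javax.security.auth.login.LoginContext;
import org.jboss.security.auth.callback.UsernamePasswordHandler;

/*
 * Assumed client-side JAAS config (auth.conf), selected with
 *   -Djava.security.auth.login.config=auth.conf
 * The entry name "other" is what the LoginContext below looks up:
 *
 *   other {
 *       org.jboss.security.ClientLoginModule required;
 *   };
 */
public class SecuredEjbClient {

    public static void main(String[] args) throws Exception {
        String providerUrl = args[0];   // e.g. jnp://localhost:1099
        String username = args[1];
        char[] password = args[2].toCharArray();

        // 1. Client-side JAAS login. ClientLoginModule does not contact the
        //    server; it records the principal/credential on this thread so the
        //    EJB invocation interceptor sends them with every remote call.
        LoginContext lc = new LoginContext("other",
                new UsernamePasswordHandler(username, password));
        lc.login();
        try {
            // 2. Plain JNDI lookup. No SECURITY_* properties here: the jnp
            //    NamingContextFactory does not forward them to the EJB layer.
            Hashtable env = new Hashtable();
            env.put(Context.INITIAL_CONTEXT_FACTORY, "org.jnp.interfaces.NamingContextFactory");
            env.put(Context.PROVIDER_URL, providerUrl);
            env.put(Context.URL_PKG_PREFIXES, "org.jboss.naming:org.jnp.interfaces");
            Context ctx = new InitialContext(env);

            // "DataServices" is the ejb-name from the post; using it as the JNDI
            // name is an assumption (jboss.xml may bind it elsewhere).
            Object home = ctx.lookup("DataServices");
            // ... PortableRemoteObject.narrow(home, DataServicesHome.class).create() ...
            // If the server still throws FailedLoginException here, the "other"
            // domain really did reject the user/password pair.
        } finally {
            // 3. Drop the identity so it does not leak into later calls on this thread.
            lc.logout();
        }
    }
}
```

Because the server-side "other" domain still checks the pair against users.properties, a login that succeeds on the client only means the credentials were transmitted, not that they are valid.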