3 Replies Latest reply on Jan 21, 2006 10:37 AM by anil.saldhana

Unauthenticated security in EJBs

flarosa Jan 20, 2006 11:32 PM

From the FAQ:

Q1: Why cannot I access an ejb that has unchecked method permissions?
A1: The unchecked method permission only removes the requirement that the call have sufficient permissions in terms of roles. The caller still has to be an authenticated caller. If you don't care about caller authentication, use the unauthenticatedIdentity option of the security domain login module to grant anonymous callers a fixed identity.

I (think I) did just what this says:

<login-module code = "org.jboss.security.auth.spi.UsersRolesLoginModule"
flag = "required">
<module-option name="unauthenticatedIdentity">guest</module-option>
</login-module>
<login-module code="org.jboss.security.ClientLoginModule" flag="required"/>

I still get:

java.rmi.AccessException: SecurityException; nested exception is:
java.lang.SecurityException: Insufficient method permissions, principal=null, ejbName=SiteServices, method=create, interface=HOME, requiredRoles=[], principalRoles=[]

Why "principal=null"? Shouldn't principle always be at least guest?

I also tried adding this to my jboss.xml file, to no end:

guest

There are a couple of points I find confusing, though, so perhaps the answer to one of these

questions will help solve the problem.

(1) When I say I want unauthenticatedIdentity to be "guest", does there need to actually be a user named "guest" defined for my security realm (i.e. in this case, in my users.properties file)? I am closely following the examples in a book called "JBoss At Work", and their example doesn't show that there is a need for this. I did try addding such a user, but it didn't help.

(2) In ejb-jar, I defined a security role "guest", as per the book:

<security-role>
<role-name>guest</role-name>
</security-role>

I then assigned "guest" security to my EJB:

<method-permission>
<role-name>guest</role-name>

<ejb-name>SiteServices</ejb-name>
<method-name>*</method-name>

</method-permission>

Is "guest" some kind of a reserved word in this case? If not, then I don't understand why a made-up user called "guest" would also have a role named "guest". Do I need to create a guest user in my properties file and give it a role called "guest"?

I also tried it without the method-permission element; same result.

Methods I've tagged as requiring an actual role do work when I'm logged in as a user with that role, so I'm doing something right. Just need to crack this guest thing.

Thanks.

1. Re: Unauthenticated security in EJBs

flarosa Jan 21, 2006 2:44 AM (in response to flarosa)
<method-permission> <unchecked/> <method> <ejb-name>SiteServices</ejb-name> <method-name>*</method-name> </method> </method-permission>

I'd like to meet the person who decided that "unchecked" had to be explicitly indicated rather than be the default...
Actions
2. Re: Unauthenticated security in EJBs

starksm64 Jan 21, 2006 3:01 AM (in response to flarosa)

That would be me. Buy a ticket to jboss world in las vegas if you want to do something about it. Once I see your registration I'll give you a hint.
Actions
3. Re: Unauthenticated security in EJBs

anil.saldhana Jan 21, 2006 10:37 AM (in response to flarosa)

What is wrong in explictly stating the "unauthenticated" identity?
Actions

Go to original post