I'm having a similar problem. I've got a session bean with some authenticated methods and some unchecked methods. They're correct (as far as I can tell) in ejb-jar.xml:
<method-permission id="MethodPermission_7">
  <description><![CDATA[description not supported yet by ejbdoclet]]></description>
  <unchecked/>
  <method id="MethodElement_7">
    <description><![CDATA[]]></description>
    <ejb-name>ScrumWorksEJB</ejb-name>
    <method-intf>ServiceEndpoint</method-intf>
    <method-name>getTest</method-name>
    <method-params>
    </method-params>
  </method>
</method-permission>
<method-permission id="MethodPermission_8">
  <description><![CDATA[description not supported yet by ejbdoclet]]></description>
  <role-name>Team Member</role-name>
  <method id="MethodElement_8">
    <description><![CDATA[]]></description>
    <ejb-name>ScrumWorksEJB</ejb-name>
    <method-intf>ServiceEndpoint</method-intf>
    <method-name>getAuthenticatedTest</method-name>
    <method-params>
    </method-params>
  </method>
</method-permission>
This is in the jboss.xml:
<security-domain>java:/jaas/ScrumWorks</security-domain>
<unauthenticated-principal>guest</unauthenticated-principal>
and my login-config.xml seems correct:
<application-policy name="ScrumWorks">
  <authentication>
    <login-module code="org.jboss.security.auth.spi.DatabaseServerLoginModule" flag="required">
      <module-option name="dsJndiName">java:/jdbc/ScrumWorksDS</module-option>
      <module-option name="principalsQuery">
        SELECT password FROM userejb WHERE userName=?
      </module-option>
      <module-option name="rolesQuery">
        SELECT r.roleName as name, 'Roles'
        FROM userejb u, roleejb r, userejb_roles_roleejb_users ur
        WHERE u.userId=ur.userejb AND r.roleId=ur.roleejb AND u.userName=?
      </module-option>
      <module-option name="unauthenticatedIdentity">guest</module-option>
    </login-module>
  </authentication>
</application-policy>
But when I try to call a method that is marked as "unchecked", I get a 401 error authorization failure. This seemed like a Tomcat error, so I tried changing the default security domain:
<attribute name="DefaultSecurityDomain">java:/jaas/ScrumWorks</attribute>
which didn't help either.
The server.log file contains:
2006-03-07 10:32:24,027 TRACE [org.jboss.security.auth.spi.DatabaseServerLoginModule] Authenticating as unauthenticatedIdentity=guest
2006-03-07 10:32:24,028 TRACE [org.jboss.security.auth.spi.DatabaseServerLoginModule] User 'guest' authenticated, loginOk=true
2006-03-07 10:32:24,028 TRACE [org.jboss.security.auth.spi.DatabaseServerLoginModule] commit, loginOk=true
2006-03-07 10:32:24,028 TRACE [org.jboss.security.auth.spi.DatabaseServerLoginModule] getRoleSets using rolesQuery: SELECT r.roleName as name, 'Roles'
FROM userejb u, roleejb r, userejb_roles_roleejb_users ur
WHERE u.userId=ur.userejb AND r.roleId=ur.roleejb AND u.userName=?, username: guest
2006-03-07 10:32:24,041 TRACE [org.jboss.security.auth.spi.DatabaseServerLoginModule] suspendAnyTransaction
2006-03-07 10:32:24,041 TRACE [org.jboss.security.auth.spi.DatabaseServerLoginModule] Excuting query: SELECT r.roleName as name, 'Roles'
FROM userejb u, roleejb r, userejb_roles_roleejb_users ur
WHERE u.userId=ur.userejb AND r.roleId=ur.roleejb AND u.userName=?, with username: guest
2006-03-07 10:32:24,085 TRACE [org.jboss.security.auth.spi.DatabaseServerLoginModule] No roles found
2006-03-07 10:32:24,086 TRACE [org.jboss.security.auth.spi.DatabaseServerLoginModule] resumeAnyTransaction
2006-03-07 10:32:24,088 TRACE [org.jboss.security.plugins.JaasSecurityManager.ScrumWorks] defaultLogin, lc=javax.security.auth.login.LoginContext@3bc19e, subject=Subject(19164996).principals=org.jboss.security.SimplePrincipal@31720052(guest)org.jboss.security.SimpleGroup@21726381(Roles(members))
2006-03-07 10:32:24,088 TRACE [org.jboss.security.plugins.JaasSecurityManager.ScrumWorks] updateCache, inputSubject=Subject(19164996).principals=org.jboss.security.SimplePrincipal@31720052(guest)org.jboss.security.SimpleGroup@21726381(Roles(members)), cacheSubject=Subject(17103032).principals=org.jboss.security.SimplePrincipal@31720052(guest)org.jboss.security.SimpleGroup@21726381(Roles(members))
2006-03-07 10:32:24,089 TRACE [org.jboss.security.plugins.JaasSecurityManager.ScrumWorks] Inserted cache info: org.jboss.security.plugins.JaasSecurityManager$DomainInfo@16509fe[Subject(17103032).principals=org.jboss.security.SimplePrincipal@31720052(guest)org.jboss.security.SimpleGroup@21726381(Roles(members)),credential.class=null,expirationTime=1141758128525]
2006-03-07 10:32:24,089 TRACE [org.jboss.security.plugins.JaasSecurityManager.ScrumWorks] End isValid, true
2006-03-07 10:32:24,097 TRACE [org.jboss.security.SecurityAssociation] pushSubjectContext, subject=Subject:
Principal: guest
Principal: Roles(members)
, sc=org.jboss.security.SecurityAssociation$SubjectContext@fd2e1f{principal=null,subject=31392528}
2006-03-07 10:32:24,100 TRACE [org.jboss.security.SecurityAssociation] pushRunAsIdentity, runAs=null
2006-03-07 10:32:24,122 TRACE [org.jboss.security.SecurityAssociation] popRunAsIdentity, runAs=null
2006-03-07 10:32:24,122 TRACE [org.jboss.security.SecurityAssociation] popSubjectContext, sc=org.jboss.security.SecurityAssociation$SubjectContext@fd2e1f{principal=null,subject=31392528}
2006-03-07 10:32:24,142 TRACE [org.jboss.security.SecurityAssociation] getPrincipal, principal=null
and
2006-03-07 11:00:27,241 DEBUG [org.apache.catalina.authenticator.AuthenticatorBase] Security checking request POST /scrumworks-api/scrumworks
2006-03-07 11:00:27,242 DEBUG [org.apache.catalina.realm.RealmBase] Checking constraint 'SecurityConstraint[ScrumWorksEndpoint]' against POST /scrumworks --> true
2006-03-07 11:00:27,242 DEBUG [org.apache.catalina.realm.RealmBase] Checking constraint 'SecurityConstraint[ScrumWorksEndpoint]' against POST /scrumworks --> true
2006-03-07 11:00:27,242 DEBUG [org.apache.catalina.authenticator.AuthenticatorBase] Calling hasUserDataPermission()
2006-03-07 11:00:27,242 DEBUG [org.apache.catalina.realm.RealmBase] User data constraint has no restrictions
2006-03-07 11:00:27,242 DEBUG [org.apache.catalina.authenticator.AuthenticatorBase] Calling authenticate()
2006-03-07 11:00:27,242 DEBUG [org.apache.catalina.authenticator.AuthenticatorBase] Failed authenticate() test
2006-03-07 11:00:27,242 TRACE [org.jboss.security.SecurityAssociation] clear, server=true
It seems to be ok with the unauthenticatedIdentity, but then rejects access anyway.
Any help someone could provide would be great. I've read the FAQs and searched forums and Google and can't seem to get it to let me call non-authenticated methods without authenticating.
Thanks,
Eric
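
Added example, not part of Eric's post: in the second log excerpt above, the rejection is logged by Tomcat's `AuthenticatorBase` after a web security constraint matches the POST, so the request is refused in the web tier. The sketch below pulls that pattern out of a server.log; the sample lines are copied from the post, and the function name `web_tier_denials` is hypothetical.

```python
import re

# Sample input: the Tomcat authenticator lines quoted in the post above.
SAMPLE_LOG = """\
2006-03-07 11:00:27,241 DEBUG [org.apache.catalina.authenticator.AuthenticatorBase] Security checking request POST /scrumworks-api/scrumworks
2006-03-07 11:00:27,242 DEBUG [org.apache.catalina.realm.RealmBase] Checking constraint 'SecurityConstraint[ScrumWorksEndpoint]' against POST /scrumworks --> true
2006-03-07 11:00:27,242 DEBUG [org.apache.catalina.realm.RealmBase] Checking constraint 'SecurityConstraint[ScrumWorksEndpoint]' against POST /scrumworks --> true
2006-03-07 11:00:27,242 DEBUG [org.apache.catalina.authenticator.AuthenticatorBase] Calling authenticate()
2006-03-07 11:00:27,242 DEBUG [org.apache.catalina.authenticator.AuthenticatorBase] Failed authenticate() test
"""

# timestamp, level, [logger], message
LINE = re.compile(r"^\d{4}-\d{2}-\d{2} \S+ (\w+)\s+\[([^\]]+)\] (.*)$")
REQUEST = re.compile(r"Security checking request (\S+) (\S+)")
CONSTRAINT = re.compile(
    r"Checking constraint 'SecurityConstraint\[(.+?)\]' against \S+ \S+ --> (true|false)"
)


def web_tier_denials(log_text):
    """Return one record per request rejected by the web container's authenticate()."""
    denials, current = [], None
    for raw in log_text.splitlines():
        m = LINE.match(raw)
        if not m:
            continue  # continuation of a multi-line entry (SQL text, Subject dump)
        _level, logger, msg = m.groups()
        if logger.endswith("AuthenticatorBase"):
            req = REQUEST.match(msg)
            if req:
                # A new request starts; remember it until we see its outcome.
                current = {"method": req.group(1), "uri": req.group(2), "constraints": []}
            elif msg.startswith("Failed authenticate()") and current:
                denials.append(current)
                current = None
        elif logger.endswith("RealmBase") and current:
            c = CONSTRAINT.match(msg)
            # Record each matching security constraint once.
            if c and c.group(2) == "true" and c.group(1) not in current["constraints"]:
                current["constraints"].append(c.group(1))
    return denials


if __name__ == "__main__":
    for d in web_tier_denials(SAMPLE_LOG):
        print(d["method"], d["uri"], "denied by web constraint(s):", d["constraints"])
```

A non-empty result names the web security constraint that matched the rejected request, which is where the authentication requirement for that URL comes from.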