@SecurityDomain Annotation clarification.
nkoranne Mar 9, 2006 4:50 AM
Hello,
I am using JBoss 4.0.3SP1 and EJB 3.0. I am trying to use the annotation approach for adding the SecurityDomain. (I am not using the jboss.xml and ejb-jar.xml approach.)
I am successfully able to perform authentication using the SRP implementation, but not able to perform authorization.
Here are the details of the annotation approach.
I think my security domain class is not picked up by JBoss, so an unauthorized user is also able to access a method which he is not supposed to access.
For the annotation approach, I have used the following tags for my bean class.
import javax.ejb.Stateless;
import javax.annotation.security.RolesAllowed;
// JBoss-specific annotation (EJB3 preview shipped with JBoss 4.0.x) that binds the bean
// to the application-policy named below in login-config.xml
import org.jboss.annotation.security.SecurityDomain;

@Stateless
@SecurityDomain("DBLogin")
public class UserMgmtServiceBean implements UserMgmtService
and for the method in this class this is what I have written:
// only callers whose Subject carries the role "ManageUsers" may invoke this method
@RolesAllowed({ "ManageUsers" })
public boolean addUser(Object obj) throws Exception
{
// delegates to the addUser method of the DAO class
}
These are the contents of my login-config.xml file.
<application-policy name="DBLogin">
  <!-- <authentication> is the wrapper required by the login-config DTD -->
  <authentication>
    <login-module
        code="org.jboss.security.ClientLoginModule"
        flag="required">
    </login-module>
    <login-module
        code="org.jboss.security.srp.jaas.SRPCacheLoginModule"
        flag="required">
      <module-option name="cacheJndiName">srp/AuthenticationCache</module-option>
    </login-module>
    <!-- custom module: with password-stacking=useFirstPass it reuses the identity
         established by the preceding module instead of prompting again -->
    <login-module code="test.DatabaseRoleLoginModule"
        flag="required">
      <module-option name="password-stacking">useFirstPass</module-option>
      <module-option name="dsJndiName">java:/AMPDS</module-option>
      <!-- each row is (role name, role-group name); the single ? is bound to the user name -->
      <module-option name="rolesQuery">SELECT
        TRIM(Roles.name), 'Roles' FROM
        Roles, GroupRoles, Groups, UserGroups, Users WHERE
        Roles.id = GroupRoles.roleID AND
        GroupRoles.groupID = Groups.id AND
        UserGroups.groupID = Groups.id AND
        UserGroups.userID = Users.id AND
        Users.username = ?</module-option>
      <module-option name="dbDriver">org.gjt.mm.mysql.Driver</module-option>
      <module-option name="dbURL">jdbc:mysql://localhost/TestDB</module-option>
    </login-module>
  </authentication>
</application-policy>
DatabaseRoleLoginModule is my custom login module, but since I am not able to retrieve the roles, the authorization is not happening. Please let me know if there is any missing link.
I searched the developers' forum before posting this query, but could not find the related information.
So in my case, a guest user who does not have the role ManageUsers is able to perform the addUser operation.
Any thoughts?
Thanks
Nik
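As an added example (not the poster's DatabaseRoleLoginModule and not code shipped by JBoss), here is the shape a role-supplying login module takes in JBoss 4.x when it sits behind an authenticating module with password-stacking=useFirstPass. It assumes the hypothetical class name test.ExampleRoleLoginModule and reads the same dsJndiName and rolesQuery options as the login-config.xml above. Two things in it are JBoss conventions, not inventions: the preceding module leaves the user name under the shared-state key javax.security.auth.login.name, and the @RolesAllowed check only sees roles that are members of a java.security.acl.Group named exactly "Roles" in the Subject; roles returned under any other group name are silently ignored by the authorization interceptor.

```java
package test; // hypothetical package, matching the code= attribute style used above

import java.security.Principal;
import java.security.acl.Group;
import java.sql.Connection;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.util.HashMap;
import java.util.Map;

import javax.naming.InitialContext;
import javax.security.auth.Subject;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.login.LoginException;
import javax.sql.DataSource;

import org.jboss.security.SimpleGroup;
import org.jboss.security.SimplePrincipal;
import org.jboss.security.auth.spi.AbstractServerLoginModule;

// Added example: a role-only login module for JBoss 4.x. It never checks a
// password itself; it relies on the module before it in the stack having
// authenticated the caller and on password-stacking=useFirstPass.
public class ExampleRoleLoginModule extends AbstractServerLoginModule {

    private String dsJndiName;   // e.g. java:/AMPDS
    private String rolesQuery;   // rows of (role name[, group name]), one ? bound to the user
    private Principal identity;

    public void initialize(Subject subject, CallbackHandler handler,
                           Map sharedState, Map options) {
        super.initialize(subject, handler, sharedState, options);
        dsJndiName = (String) options.get("dsJndiName");
        rolesQuery = (String) options.get("rolesQuery");
    }

    public boolean login() throws LoginException {
        // With useFirstPass the base class returns true only if the previous
        // module stored both name and password in the shared state.
        if (super.login()) {
            Object name = sharedState.get("javax.security.auth.login.name");
            identity = (name instanceof Principal)
                ? (Principal) name
                : new SimplePrincipal(String.valueOf(name));
            return true;
        }
        // No stacked identity: fail closed rather than granting an empty role set.
        throw new LoginException("no authenticated identity in shared state");
    }

    protected Principal getIdentity() {
        return identity;
    }

    protected Group[] getRoleSets() throws LoginException {
        // group name -> Group; "Roles" is the one the authorization check reads
        Map groups = new HashMap();
        try {
            DataSource ds = (DataSource) new InitialContext().lookup(dsJndiName);
            Connection c = ds.getConnection();
            try {
                PreparedStatement ps = c.prepareStatement(rolesQuery);
                ps.setString(1, identity.getName());
                ResultSet rs = ps.executeQuery();
                boolean hasGroupColumn = rs.getMetaData().getColumnCount() > 1;
                while (rs.next()) {
                    String role = rs.getString(1);
                    String groupName = hasGroupColumn ? rs.getString(2) : "Roles";
                    SimpleGroup g = (SimpleGroup) groups.get(groupName);
                    if (g == null) {
                        g = new SimpleGroup(groupName);
                        groups.put(groupName, g);
                    }
                    g.addMember(new SimplePrincipal(role));
                }
            } finally {
                c.close();
            }
        } catch (Exception e) {
            throw new LoginException("role lookup failed: " + e.getMessage());
        }
        // A user with no rows still gets an empty "Roles" group, so @RolesAllowed
        // denies rather than seeing a missing group.
        if (!groups.containsKey("Roles")) {
            groups.put("Roles", new SimpleGroup("Roles"));
        }
        return (Group[]) groups.values().toArray(new Group[groups.size()]);
    }
}
```

One practical check once a module like this is deployed: after a successful login, dump the Subject's principals (for example from a TRACE-level org.jboss.security logger) and confirm that a Group named "Roles" is present and that it contains the expected SimplePrincipal entries; if the roles appear under a differently named group, or not at all, @RolesAllowed will behave exactly as the post describes.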