4 Replies Latest reply on Mar 25, 2006 1:02 PM by starksm64

    @SecurityDomain Annotation clarification.

    nkoranne

      Hello,

      I am using JBoss 4.0.3SP1 and EJB 3.0. I am trying to use the Annotation approach for adding the SecurityDomain. (I am not using the jboss.xml and ejb-jar.xml approach.)

      I am successfully able to perform the Authentication using the SRP implementation, but not able to perform Authorization.

      Here are the details of Annotation approach.
      I think my security domain class is not picked up by JBoss, so an unauthorized user is also able to access a method which he is not supposed to access.

      For the annotation approach, I have used the following tags for my bean class.

      @Stateless
      @SecurityDomain("DBLogin")
      public class UserMgmtServiceBean implements UserMgmtService

      and for the method in this class this is what I have written

      @RolesAllowed({ "ManageUsers"})
      public boolean addUser(Object obj) throws Exception
      {
      // calling the next addUser of the DAO class.
      }

      These are the contents of my login-config.xml file.

      <application-policy name="DBLogin">
        <login-module code="org.jboss.security.ClientLoginModule" flag="required">
        </login-module>
        <login-module code="org.jboss.security.srp.jaas.SRPCacheLoginModule" flag="required">
          <module-option name="cacheJndiName">srp/AuthenticationCache</module-option>
        </login-module>
        <login-module code="test.DatabaseRoleLoginModule" flag="required">
          <module-option name="password-stacking">useFirstPass</module-option>
          <module-option name="dsJndiName">java:/AMPDS</module-option>
          <module-option name="rolesQuery">SELECT TRIM(Roles.name), 'Roles' FROM Roles,GroupRoles,Groups,UserGroups,Users WHERE Roles.id=GroupRoles.roleID AND GroupRoles.groupID=Groups.id AND UserGroups.groupID=Groups.ID AND UserGroups.userID=Users.id AND Users.username=?</module-option>
          <module-option name="dbDriver">org.gjt.mm.mysql.Driver</module-option>
          <module-option name="dbURL">jdbc:mysql://localhost/TestDB</module-option>
        </login-module>
      </application-policy>

      DatabaseRoleLoginModule is my custom login module, but since I am not able to retrieve the roles, the Authorization is not happening ... Please let me know if there is any missing link.

      I have searched on the Developer's forum before posting this query, but could not find the related information.

      So in my case, a guest user who does not have the role ManageUsers is able to perform the addUser operation.

      Any thoughts?

      Thanks
      Nik

        • 1. Re: @SecurityDomain Annotation clarification.
          starksm64

          Showing @SecurityDomain without the import is not meaningful. There is more than one SecurityDomain implementation.

          • 2. Re: @SecurityDomain Annotation clarification.
            nkoranne

            Hi Scott,

            I am sorry for not showing the imports.
            Here are those ...

            import org.jboss.aspects.security.SecurityDomain;
            import javax.ejb.Stateless;
            import javax.annotation.security.RolesAllowed;


            @Stateless
            @SecurityDomain("DBLogin")
            public class UserMgmtServiceBean implements UserMgmtService
            {
                // .. All method implementations
            }


            Since my security domain is not getting applied, is there any global security setting in a configuration file which is missing?

            Please let me know.

            Thanks
            Nik

            • 3. Re: @SecurityDomain Annotation clarification.
              nkoranne

              This is working ..

              I changed the package to org.jboss.annotation.security.SecurityDomain
              and everything started working like a breeze.

              But still the question remains: why is it not working with the org.jboss.aspects.security.SecurityDomain package?

              Any hints ?

              Thanks
              Nik


              • 4. Re: @SecurityDomain Annotation clarification.
                starksm64

                That is like asking why java.util.ArrayList does not do the same as com.acme.ArrayList. They are two completely different types even if they happen to look the same.
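The failure mode in this thread is worth catching at build time: the bean compiled cleanly with org.jboss.aspects.security.SecurityDomain, the EJB3 container ignored it, and @RolesAllowed on addUser was never enforced, so the guest got through. The script below is an added example, not code from the thread or from JBoss: a small source lint that resolves the @SecurityDomain annotation on a Java file to its imported fully-qualified name and flags the aspects variant, an unresolvable import, or role annotations with no security domain at all. The three Java snippets are constructed from the bean shown in the thread; the regex-based import and annotation matching is a heuristic (it strips comments but would still match an "@" inside a string literal), and the names of the annotation classes are taken from posts 2 and 3 above.

```python
import re

# The two annotation types named in the thread. Only the first is honoured by
# the JBoss 4.0.x EJB3 container; the second compiles but is silently ignored.
EXPECTED = "org.jboss.annotation.security.SecurityDomain"
IGNORED = "org.jboss.aspects.security.SecurityDomain"

# Annotations whose presence says the author expects role checks to be enforced.
AUTHZ_ANNOTATIONS = {"RolesAllowed", "DenyAll", "PermitAll"}

_COMMENT_RE = re.compile(r"//[^\n]*|/\*.*?\*/", re.DOTALL)
_IMPORT_RE = re.compile(r"^\s*import\s+([\w.]+)\s*;", re.MULTILINE)
_ANNOTATION_RE = re.compile(r"@([\w.]+)")


def lint_security_domain(java_source):
    """Return a list of finding strings for one Java source file (empty means OK)."""
    src = _COMMENT_RE.sub("", java_source)
    # simple name -> fully-qualified name, from the file's import statements
    imports = {fq.rsplit(".", 1)[-1]: fq for fq in _IMPORT_RE.findall(src)}
    # simple name -> best-effort resolution of each annotation actually used;
    # a fully-qualified use such as @org.jboss.annotation.security.SecurityDomain
    # resolves to itself, an unqualified use resolves through the imports
    used = {}
    for name in _ANNOTATION_RE.findall(src):
        simple = name.rsplit(".", 1)[-1]
        used[simple] = name if "." in name else imports.get(simple)

    findings = []
    if "SecurityDomain" in used:
        fq = used["SecurityDomain"]
        if fq == IGNORED:
            findings.append("@SecurityDomain resolves to %s, which the EJB3 container "
                            "ignores; import %s instead" % (IGNORED, EXPECTED))
        elif fq is None:
            findings.append("@SecurityDomain used without a resolvable import; "
                            "verify it is %s" % EXPECTED)
        elif fq != EXPECTED:
            findings.append("@SecurityDomain resolves to unexpected type %s" % fq)
    elif used.keys() & AUTHZ_ANNOTATIONS:
        findings.append("role annotations present but the bean names no security "
                        "domain; without one the role checks are not applied")
    return findings


# Constructed sample: the bean as first posted in the thread (aspects import).
WRONG_BEAN = """
import org.jboss.aspects.security.SecurityDomain;
import javax.ejb.Stateless;
import javax.annotation.security.RolesAllowed;

@Stateless
@SecurityDomain("DBLogin")
public class UserMgmtServiceBean implements UserMgmtService {
    @RolesAllowed({"ManageUsers"})
    public boolean addUser(Object obj) throws Exception {
        // calling the addUser of the DAO class
        return true;
    }
}
"""

# Constructed sample: the same bean after the fix from post 3.
FIXED_BEAN = WRONG_BEAN.replace(IGNORED, EXPECTED)

# Constructed sample: roles declared, but no security domain on the bean at all.
NO_DOMAIN_BEAN = """
import javax.ejb.Stateless;
import javax.annotation.security.RolesAllowed;

@Stateless
public class UserMgmtServiceBean implements UserMgmtService {
    @RolesAllowed({"ManageUsers"})
    public boolean addUser(Object obj) throws Exception { return true; }
}
"""

if __name__ == "__main__":
    for label, source in (("wrong import", WRONG_BEAN),
                          ("fixed import", FIXED_BEAN),
                          ("no domain", NO_DOMAIN_BEAN)):
        print(label, "->", lint_security_domain(source) or "OK")
```

Run over a source tree, a non-empty result for any bean is a build failure; the point is that a mis-imported annotation fails open, so the check has to happen before deployment rather than be discovered, as here, by a guest calling addUser.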