It's not that I'm not going to authenticate the user at the web layer. Of course I will authenticate him. But I can forget something and leave a possibility for a user/hacker to call my business method without authentication. That would be really bad. So now I'm trying to test this declarative permission setting and it doesn't work for me =(
After debugging I came to the same conclusion: an unauthenticated user is assigned the principal 'nobody'. But he isn't in the role XUser, so theoretically he shouldn't be able to call the method getInfo ...
Here is the listing with tracing turned on:
10:05:46,792 DEBUG [UserAjax] Setting Info ...
10:05:46,792 TRACE [SecurityAssociation] getPrincipal, principal=null
10:05:46,792 TRACE [LogInterceptor] Start method=create
10:05:46,792 TRACE [db_store] Begin isValid, principal:null, cache info: null
10:05:46,792 TRACE [db_store] defaultLogin, principal=null
10:05:46,792 TRACE [XMLLoginConfigImpl] Begin getAppConfigurationEntry(db_store), size=9
10:05:46,792 TRACE [XMLLoginConfigImpl] End getAppConfigurationEntry(db_store), authInfo=AppConfigurationEntry[]:
[0]
LoginModule Class: org.jboss.security.auth.spi.DatabaseServerLoginModule
ControlFlag: LoginModuleControlFlag: required
Options:name=hashEncoding, value=hex
name=rolesQuery, value=SELECT 'XUser', 'Roles' FROM users WHERE usr_login = ?
name=principalsQuery, value=SELECT usr_password FROM users WHERE usr_login = ?
name=unauthenticatedIdentity, value=nobody
name=hashAlgorithm, value=SHA1
name=ignorePasswordCase, value=true
name=dsJndiName, value=DS/Standard
10:05:46,792 TRACE [DatabaseServerLoginModule] initialize, instance=@15500446
10:05:46,792 TRACE [DatabaseServerLoginModule] Saw unauthenticatedIdentity=nobody
10:05:46,792 TRACE [DatabaseServerLoginModule] Password hashing activated: algorithm = SHA1, encoding = hex, charset = {default}, callback = null, storeCallback = null
10:05:46,792 TRACE [DatabaseServerLoginModule] DatabaseServerLoginModule, dsJndiName=DS/Standard
10:05:46,792 TRACE [DatabaseServerLoginModule] principalsQuery=SELECT usr_password FROM users WHERE usr_login = ?
10:05:46,792 TRACE [DatabaseServerLoginModule] rolesQuery=SELECT 'XUser', 'Roles' FROM users WHERE usr_login = ?
10:05:46,792 TRACE [DatabaseServerLoginModule] suspendResume=true
10:05:46,792 TRACE [DatabaseServerLoginModule] login
10:05:46,792 TRACE [DatabaseServerLoginModule] Authenticating as unauthenticatedIdentity=nobody
10:05:46,792 TRACE [DatabaseServerLoginModule] User 'nobody' authenticated, loginOk=true
10:05:46,792 TRACE [DatabaseServerLoginModule] commit, loginOk=true
10:05:46,792 TRACE [db_store] defaultLogin, lc=javax.security.auth.login.LoginContext@155e0bc, subject=Subject(18178978).principals=org.jboss.security.SimplePrincipal@7173558(nobody)org.jboss.security.SimpleGroup@25881278(Roles(members))
10:05:46,792 TRACE [db_store] updateCache, inputSubject=Subject(18178978).principals=org.jboss.security.SimplePrincipal@7173558(nobody)org.jboss.security.SimpleGroup@25881278(Roles(members)), cacheSubject=Subject(20991057).principals=org.jboss.security.SimplePrincipal@7173558(nobody)org.jboss.security.SimpleGroup@25881278(Roles(members))
10:05:46,792 TRACE [db_store] Inserted cache info: org.jboss.security.plugins.JaasSecurityManager$DomainInfo@5292e6[Subject(20991057).principals=org.jboss.security.SimplePrincipal@7173558(nobody)org.jboss.security.SimpleGroup@25881278(Roles(members)),credential.class=null,expirationTime=1151044507027]
10:05:46,792 TRACE [db_store] End isValid, true
10:05:46,792 TRACE [SecurityAssociation] pushSubjectContext, subject=Subject:
Principal: nobody
Principal: Roles(members)
, sc=org.jboss.security.SecurityAssociation$SubjectContext@12a6e85{principal=null,subject=12450318}
10:05:46,792 TRACE [SecurityInterceptor] Authenticated principal=null
10:05:46,792 TRACE [SecurityInterceptor] method=public abstract ru.singlecity.ejb.main.user.User ru.singlecity.ejb.main.user.UserHome.create() throws java.rmi.RemoteException,javax.ejb.CreateException, interface=HOME, requiredRoles=[<ANYBODY>]
10:05:46,792 TRACE [SecurityAssociation] pushRunAsIdentity, runAs=null
10:05:46,792 TRACE [TxInterceptorCMT] Current transaction in MI is null
10:05:46,792 TRACE [TxInterceptorCMT] TX_REQUIRED for create timeout=0
10:05:46,792 TRACE [TxInterceptorCMT] Thread came in with tx null
10:05:46,792 TRACE [TxInterceptorCMT] Starting new tx TransactionImpl:XidImpl[FormatId=257, GlobalId=RUMATA/21, BranchQual=, localId=21]
10:05:46,807 TRACE [StatelessSessionInstancePool] Get instance org.jboss.ejb.plugins.StatelessSessionInstancePool@6bcf5d#0#class ru.singlecity.ejb.main.user.UserBean
10:05:46,823 TRACE [StatelessSessionInstancePool] 0/100 Free instance:org.jboss.ejb.plugins.StatelessSessionInstancePool@6bcf5d#null#null#true#class ru.singlecity.ejb.main.user.UserBean
10:05:46,823 TRACE [TxInterceptorCMT] TxInterceptorCMT: In finally
10:05:46,823 TRACE [SecurityAssociation] popRunAsIdentity, runAs=null
10:05:46,823 TRACE [SecurityAssociation] popSubjectContext, sc=org.jboss.security.SecurityAssociation$SubjectContext@12a6e85{principal=null,subject=12450318}
10:05:46,823 TRACE [LogInterceptor] End method=create
10:05:46,823 TRACE [SecurityAssociation] getPrincipal, principal=null
10:05:46,823 TRACE [LogInterceptor] Start method=getInfo
10:05:46,823 TRACE [db_store] Begin isValid, principal:null, cache info: org.jboss.security.plugins.JaasSecurityManager$DomainInfo@5292e6[Subject(20991057).principals=org.jboss.security.SimplePrincipal@7173558(nobody)org.jboss.security.SimpleGroup@25881278(Roles(members)),credential.class=null,expirationTime=1151044507027]
10:05:46,823 TRACE [db_store] Begin validateCache, info=org.jboss.security.plugins.JaasSecurityManager$DomainInfo@5292e6[Subject(20991057).principals=org.jboss.security.SimplePrincipal@7173558(nobody)org.jboss.security.SimpleGroup@25881278(Roles(members)),credential.class=null,expirationTime=1151044507027];credential.class=null
10:05:46,823 TRACE [db_store] End validateCache, isValid=true
10:05:46,823 TRACE [db_store] End isValid, true
10:05:46,823 TRACE [SecurityAssociation] pushSubjectContext, subject=Subject:
Principal: nobody
Principal: Roles(members)
, sc=org.jboss.security.SecurityAssociation$SubjectContext@139d369{principal=null,subject=23507167}
10:05:46,823 TRACE [SecurityInterceptor] Authenticated principal=null
10:05:46,823 TRACE [SecurityInterceptor] method=public abstract ru.singlecity.ejb.common.entity.user.UserInfoEntity ru.singlecity.ejb.main.user.User.getInfo(long) throws java.rmi.RemoteException, interface=REMOTE, requiredRoles=[<ANYBODY>]
10:05:46,823 TRACE [SecurityAssociation] pushRunAsIdentity, runAs=null
10:05:46,823 TRACE [TxInterceptorCMT] Current transaction in MI is null
10:05:46,823 TRACE [TxInterceptorCMT] TX_SUPPORTS for getInfo
10:05:46,823 TRACE [TxInterceptorCMT] Thread came in with tx null
10:05:46,823 TRACE [StatelessSessionInstancePool] Get instance org.jboss.ejb.plugins.StatelessSessionInstancePool@6bcf5d#1#class ejb.main.user.UserBean
10:05:46,823 TRACE [db_store] getPrincipal, cache info: org.jboss.security.plugins.JaasSecurityManager$DomainInfo@5292e6[Subject(20991057).principals=org.jboss.security.SimplePrincipal@7173558(nobody)org.jboss.security.SimpleGroup@25881278(Roles(members)),credential.class=null,expirationTime=1151044507027]
10:05:46,823 ERROR [UserOracleDAO] couldn't find login
ejb.common.NoSuchLoginException: User with following login not found, login='nobody'
at dao.user.UserOracleDAO.getUserIDByLogin(UserOracleDAO.java:1066)
......
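As an added example (not code from the original post), here is a small Python check over SecurityInterceptor trace lines like the ones above: it flags business methods that an unauthenticated principal (the literal "null" the interceptor prints, or the configured unauthenticatedIdentity "nobody") was allowed to reach because requiredRoles contained <ANYBODY>. The two getInfo/create lines are copied from the trace; the setInfo line is constructed to show what a method actually restricted to XUser looks like.

```python
import re

# The two SecurityInterceptor trace formats visible in the JBoss log above.
PRINCIPAL_RE = re.compile(r"\[SecurityInterceptor\] Authenticated principal=(\S+)")
METHOD_RE = re.compile(
    r"\[SecurityInterceptor\] method=.*?([\w.]+)\(.*"
    r"interface=(\w+), requiredRoles=\[([^\]]*)\]"
)

# Principal names that do not represent a logged-in user: the "null" printed by the
# interceptor and the unauthenticatedIdentity ("nobody") set in the login module.
UNAUTHENTICATED = {"null", "nobody"}

# Constructed sample: lines 1-4 are from the trace on this page, lines 5-6 are made up
# to show a method whose permission is restricted to the XUser role.
SAMPLE_TRACE = """\
10:05:46,792 TRACE [SecurityInterceptor] Authenticated principal=null
10:05:46,792 TRACE [SecurityInterceptor] method=public abstract ru.singlecity.ejb.main.user.User ru.singlecity.ejb.main.user.UserHome.create() throws java.rmi.RemoteException,javax.ejb.CreateException, interface=HOME, requiredRoles=[<ANYBODY>]
10:05:46,823 TRACE [SecurityInterceptor] Authenticated principal=null
10:05:46,823 TRACE [SecurityInterceptor] method=public abstract ru.singlecity.ejb.common.entity.user.UserInfoEntity ru.singlecity.ejb.main.user.User.getInfo(long) throws java.rmi.RemoteException, interface=REMOTE, requiredRoles=[<ANYBODY>]
10:05:46,823 TRACE [SecurityInterceptor] Authenticated principal=null
10:05:46,823 TRACE [SecurityInterceptor] method=public abstract void ru.singlecity.ejb.main.user.User.setInfo(long) throws java.rmi.RemoteException, interface=REMOTE, requiredRoles=[XUser]
""".splitlines()


def parse_checks(lines):
    """Pair each method-permission check with the principal seen just before it."""
    principal = "null"
    for line in lines:
        m = PRINCIPAL_RE.search(line)
        if m:
            principal = m.group(1)
            continue
        m = METHOD_RE.search(line)
        if m:
            roles = [r.strip() for r in m.group(3).split(",") if r.strip()]
            yield {"method": m.group(1), "interface": m.group(2),
                   "roles": roles, "principal": principal}


def unauthenticated_reachable(lines):
    """Business methods an unauthenticated caller was allowed to invoke.

    HOME create() is ignored: it must stay open so the container can hand out a
    reference; the gate that matters is on the REMOTE/LOCAL business method.
    """
    return [c for c in parse_checks(lines)
            if c["interface"] != "HOME"
            and c["principal"] in UNAUTHENTICATED
            and "<ANYBODY>" in c["roles"]]


if __name__ == "__main__":
    for c in unauthenticated_reachable(SAMPLE_TRACE):
        print(f"OPEN TO ANYBODY: {c['method']} (principal={c['principal']})")
```

On the sample this reports only User.getInfo, which matches the trace: the "nobody" login succeeds, so the method permission is the only remaining gate, and the trace shows it set to <ANYBODY> rather than XUser.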