8 Replies Latest reply on Oct 12, 2006 5:58 AM by rhino247365

    Problems using JAAS with EJB 3.0 on JBoss 4.0.4-GA

    danieldestro

      Hello all,

      I am trying to build a very simple JavaEE application with JAAS, but I am getting mad.

      I have an EAR packed with a WAR module, an EJB JAR module and a JAR with other classes. Struts is the MVC framework and EJB 3.0 is being used.

      First of all, I configured the "login-config.xml" file within /conf directory in JBoss, like this:

      <application-policy name="exemplo1">
        <authentication>
          <login-module code="org.jboss.security.auth.spi.DatabaseServerLoginModule" flag="required">
            <module-option name="dsJndiName">java:jdbc/Infra_Seguranca</module-option>
            <module-option name="principalsQuery">SELECT COD_USUARIO AS Password FROM USUARIO WHERE COD_USUARIO=?</module-option>
            <module-option name="rolesQuery">SELECT NOME_ROLE AS Roles, 'Roles' AS RoleGroups FROM ROLE_USUARIO WHERE COD_USUARIO=?</module-option>
          </login-module>
        </authentication>
      </application-policy>


      Next I configured the "web.xml" file like this:

      <security-constraint>
        <web-resource-collection>
          <web-resource-name>Restricted</web-resource-name>
          <description>Declarative security tests</description>
          <url-pattern>*.do</url-pattern>
        </web-resource-collection>
        <auth-constraint>
          <role-name>xxx</role-name>
        </auth-constraint>
        <user-data-constraint>
          <description>no description</description>
          <transport-guarantee>NONE</transport-guarantee>
        </user-data-constraint>
      </security-constraint>

      <login-config>
        <auth-method>FORM</auth-method>
        <realm-name>exemplo1</realm-name>
        <form-login-config>
          <form-login-page>/login.jsp</form-login-page>
          <form-error-page>/loginErro.jsp</form-error-page>
        </form-login-config>
      </login-config>

      <security-role>
        <description>Role xxx</description>
        <role-name>xxx</role-name>
      </security-role>


      Notice that I am using the "xxx" role to protect the "*.do" URL pattern.

      The "jboss-web.xml" is like this:

      <?xml version="1.0"?>
      <jboss-web>
        <security-domain>java:/jaas/exemplo1</security-domain>
      </jboss-web>


      As it is, it works perfectly, which means that every time I try to access a "*.do" URL it verifies whether I am authenticated and have authorization or not. If not, the login page shows up.

      Now I want to be able to also protect my EJBs.

      My Stateless Session Bean is implemented as follows:

      @RolesAllowed("yyy")
      @Stateless(name="UserManagement")
      public class UserManagementBean implements UserManagement {
          public void add(User user) {
              //...
          }
      }


      When I run all this, the container simply ignores the @RolesAllowed("yyy") annotation and allows the EJB execution.

      If I add the "jboss.xml" file, like this:

      <?xml version="1.0"?>
      <jboss>
        <security-domain>java:/jaas/exemplo1</security-domain>
      </jboss>


      I start getting this stack trace:

      ERROR [UsersRolesLoginModule] Failed to load users/passwords/role files
      java.io.IOException: No properties file: users.properties or defaults: defaultUsers.properties found
      at org.jboss.security.auth.spi.Util.loadProperties(Util.java:313)
      at org.jboss.security.auth.spi.UsersRolesLoginModule.loadUsers(UsersRolesLoginModule.java:186)
      at org.jboss.security.auth.spi.UsersRolesLoginModule.createUsers(UsersRolesLoginModule.java:200)
      at org.jboss.security.auth.spi.UsersRolesLoginModule.initialize(UsersRolesLoginModule.java:127)
      at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
      ...


      Am I missing something? What do I have to do to get JAAS working fine with my EJBs? Do I have to also configure and/or provide "ejb-jar.xml" ???

      Thanks
      Daniel

        • 1. Re: Problems using JAAS with EJB 3.0 on JBoss 4.0.4-GA
          jaikiran

          Add the following annotation:

          @SecurityDomain("exemplo1")
          public class UserManagementBean implements UserManagement {
          ....
          }


          to your bean so that the security domain is set.

          Even your manual modification to the jboss.xml should have worked. Are you sure that you have correctly added the security-domain to the jboss.xml (make sure you have not made any spelling mistakes in the security-domain name)? Looking at the stacktrace, instead of picking up "exemplo1" it's picking up "other" (which uses UsersRolesLoginModule) from the login-config.xml.





          • 2. Re: Problems using JAAS with EJB 3.0 on JBoss 4.0.4-GA
            danieldestro

            Thanks, buddy.

            I only did 'copy & paste' here... So, no chance to have a typo. Even because I copied the security-domain from jboss-web.xml to jboss.xml.

            Is @SecurityDomain("exemplo1") mandatory? Or only if I do not provide jboss.xml config?

            Even providing @SecurityDomain("exemplo1") and jboss.xml, it does not work. Same error occurs.

            • 3. Re: Problems using JAAS with EJB 3.0 on JBoss 4.0.4-GA
              danieldestro

              Using @SecurityDomain("exemplo1") in my EJB and NOT providing jboss.xml, it works.

              Damn! This is some serious shit... I don't want to configure this in every single EJB.

              EJB 3.0 is nice, but some small trivial details like this and others, that were forgotten by Sun, piss me off!

              • 4. Re: Problems using JAAS with EJB 3.0 on JBoss 4.0.4-GA
                benm99

                I've had exactly the same problem; using the annotation and removing the configuration file did work. Shouldn't we just be able to use the XML configuration without having to import these annotations into our code?

                • 5. Re: Problems using JAAS with EJB 3.0 on JBoss 4.0.4-GA
                  parmarsanjay

                  I also ran into the same issue. I did package jboss.xml but it had no effect. I had to specify the @SecurityDomain in my session beans to get the security working.

                  • 6. Re: Problems using JAAS with EJB 3.0 on JBoss 4.0.4-GA
                    jaikiran

                    Going by the number of people reporting this problem, I decided to test a sample application. Here's what I found:

                    - It looks like the way you mention the security domain in the jboss.xml has changed. In earlier versions, you were supposed to specify something like:

                    <jboss>
                     <security-domain>java:/jaas/jbossmq</security-domain>
                    </jboss>


                    i.e. the entire JNDI name.

                    However, this version, JBoss4.0.4 GA (I tried it out only on this version), needs you to specify only the security domain name. Something like:

                    <jboss>
                     <security-domain>jbossmq</security-domain>
                    </jboss>


                    This worked for me (replace the jbossmq with any other security domain name that you want to use and that is defined in login-config.xml). I did not specify any SecurityDomain annotation in the bean and just added the above-mentioned line in jboss.xml and it worked. So the conclusion is, you can still use the jboss.xml without having to specify an annotation in the bean.

                    Now I am not sure whether this is a bug in JBoss or whether this change in behavior was intentional but was missed out in the documentation. If any JBoss developer considers this a bug, do let me know; I can provide the test case along with the logs that I have.


                    • 7. Re: Problems using JAAS with EJB 3.0 on JBoss 4.0.4-GA
                      benm99

                      I removed the annotation from the bean, reintroduced the XML configuration using the short name rather than the full name, and it works for me.

                      Thanks a lot for your help.

                      • 8. Re: Problems using JAAS with EJB 3.0 on JBoss 4.0.4-GA

                        Working on a similar area, I added the <security-domain> with short name to jboss-app.xml (under META-INF) and the annotations for RolesAllowed in my Stateless Session beans started working, when previous access exceptions weren't triggered.
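
Added example, not part of the thread or of JBoss: a small Python check that compares the `<security-domain>` values in deployment descriptors with the `<application-policy>` names in login-config.xml, and flags the JNDI-form value in jboss.xml that reply 6 found not to work on JBoss 4.0.4 GA. The function names and the inline sample XML are constructed for illustration.

```python
import xml.etree.ElementTree as ET

JAAS_PREFIX = "java:/jaas/"
# Per the thread: on JBoss 4.0.4 GA the EJB3 jboss.xml wants the short name.
SHORT_NAME_ONLY = {"jboss.xml"}

# Constructed sample inputs modelled on the files quoted in the thread.
LOGIN_CONFIG = """<policy>
  <application-policy name="exemplo1"><authentication/></application-policy>
  <application-policy name="other"><authentication/></application-policy>
</policy>"""
DESCRIPTORS = {
    "jboss-web.xml": "<jboss-web><security-domain>java:/jaas/exemplo1"
                     "</security-domain></jboss-web>",
    "jboss.xml": "<jboss><security-domain>java:/jaas/exemplo1"
                 "</security-domain></jboss>",
}

def defined_policies(login_config_xml):
    """Names of every <application-policy> in login-config.xml."""
    root = ET.fromstring(login_config_xml)
    return {p.get("name") for p in root.iter("application-policy")}

def check_descriptor(filename, xml_text, policies):
    """Return findings (strings) for one deployment descriptor."""
    node = ET.fromstring(xml_text).find(".//security-domain")
    value = (node.text or "").strip() if node is not None else ""
    if not value:
        return [f"{filename}: no <security-domain> configured"]
    findings = []
    if filename in SHORT_NAME_ONLY and value.startswith(JAAS_PREFIX):
        findings.append(f"{filename}: '{value}' is the JNDI form; use the short name")
    short = value[len(JAAS_PREFIX):] if value.startswith(JAAS_PREFIX) else value
    if short not in policies:
        findings.append(f"{filename}: '{short}' has no application-policy")
    return findings

def audit(login_config_xml, descriptors):
    """Check every descriptor against the policies that actually exist."""
    policies = defined_policies(login_config_xml)
    return [finding for name in sorted(descriptors)
            for finding in check_descriptor(name, descriptors[name], policies)]

if __name__ == "__main__":
    for finding in audit(LOGIN_CONFIG, DESCRIPTORS):
        print(finding)
```

Run against the original poster's files, it reports only the jboss.xml entry; a domain name with no matching policy is reported as well, since reply 1 observed the "other" policy being picked up instead of "exemplo1".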