Problems using JAAS with EJB 3.0 on JBoss 4.0.4-GA
danieldestro Oct 3, 2006 1:08 PM
Hello all,
I am trying to build a very simple JavaEE application with JAAS, but I am getting mad.
I have an EAR packed with a WAR module, an EJB JAR module and a JAR with other classes. Struts is the MVC framework and EJB 3.0 is being used.
First of all, I configured the "login-config.xml" file within the /conf directory in JBoss, like this:
<application-policy name="exemplo1">
  <authentication>
    <login-module code="org.jboss.security.auth.spi.DatabaseServerLoginModule" flag="required">
      <module-option name="dsJndiName">java:jdbc/Infra_Seguranca</module-option>
      <module-option name="principalsQuery">SELECT COD_USUARIO AS Password FROM USUARIO WHERE COD_USUARIO=?</module-option>
      <module-option name="rolesQuery">SELECT NOME_ROLE AS Roles, 'Roles' AS RoleGroups FROM ROLE_USUARIO WHERE COD_USUARIO=?</module-option>
    </login-module>
  </authentication>
</application-policy>
Next I configured the "web.xml" file like this:
<security-constraint>
  <web-resource-collection>
    <web-resource-name>Restricted</web-resource-name>
    <description>Declarative security tests</description>
    <url-pattern>*.do</url-pattern>
  </web-resource-collection>
  <auth-constraint>
    <role-name>xxx</role-name>
  </auth-constraint>
  <user-data-constraint>
    <description>no description</description>
    <transport-guarantee>NONE</transport-guarantee>
  </user-data-constraint>
</security-constraint>
<login-config>
  <auth-method>FORM</auth-method>
  <realm-name>exemplo1</realm-name>
  <form-login-config>
    <form-login-page>/login.jsp</form-login-page>
    <form-error-page>/loginErro.jsp</form-error-page>
  </form-login-config>
</login-config>
<security-role>
  <description>Role xxx</description>
  <role-name>xxx</role-name>
</security-role>
Notice that I am using the "xxx" role to protect the "*.do" URL pattern.
The "jboss-web.xml" is like this:
<?xml version="1.0"?>
<jboss-web>
  <security-domain>java:/jaas/exemplo1</security-domain>
</jboss-web>
As it is, it works perfectly, which means that every time I try to access a "*.do" URL it verifies whether I am authenticated and have authorization or not. If not, the login page shows up.
Now I want to be able to also protect my EJBs.
My Stateless Session Bean is implemented as follows:
import javax.annotation.security.RolesAllowed;
import javax.ejb.Stateless;

@RolesAllowed("yyy")
@Stateless(name="UserManagement")
public class UserManagementBean implements UserManagement {
    public void add(User user) {
        //...
    }
}
When I run all this, the container simply ignores the @RolesAllowed("yyy") annotation and allows the EJB execution.
If I add the "jboss.xml" file, like this:
<?xml version="1.0"?>
<jboss>
  <security-domain>java:/jaas/exemplo1</security-domain>
</jboss>
I start getting this stack trace:
ERROR [UsersRolesLoginModule] Failed to load users/passwords/role files
java.io.IOException: No properties file: users.properties or defaults: defaultUsers.properties found
    at org.jboss.security.auth.spi.Util.loadProperties(Util.java:313)
    at org.jboss.security.auth.spi.UsersRolesLoginModule.loadUsers(UsersRolesLoginModule.java:186)
    at org.jboss.security.auth.spi.UsersRolesLoginModule.createUsers(UsersRolesLoginModule.java:200)
    at org.jboss.security.auth.spi.UsersRolesLoginModule.initialize(UsersRolesLoginModule.java:127)
    at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
    ...
Am I missing something? What do I have to do to get JAAS working fine with my EJBs? Do I have to also configure and/or provide "ejb-jar.xml" ???
Thanks
Daniel