3 Replies Latest reply on Dec 9, 2006 11:51 AM by starksm64

    Custom LoginModule calling EJB in non-default security domai

    camueller

      I'm using a custom login module which in turn uses an EJB to verify username/password. However, this EJB is part of a security domain, since it also provides methods relying on an authenticated principal.

      Calls from a standalone Java application to various EJBs that are part of the security domain are authenticated and authorized properly. From this I would conclude that the login module is allowed to call methods of an EJB belonging to a non-default security domain. Occasionally (5 out of 80.000 calls) it happens that JBoss realizes that the EJB belongs to a security domain and therefore tries to authenticate it using a login module, calling the EJB again, intercepted again, and so on. This recursion continues until a stack overflow occurs. From this behaviour I would conclude that it is not possible to call an EJB that is part of a non-default security domain from a login module.

      One of the behaviours must be wrong since it is inconsistent, but which one?

      Is there a parameter I may/need to set in order to allow the login module to call EJBs even if they are part of a non-default security domain?

      In the Documentation/Wiki I read that the security domain can only be defined on JAR level. Therefore I cannot exclude those methods from the security domain used by the login module. Splitting the JAR and/or EJB is also not an option for me.

      BTW: I'm using JBoss 4.0.4GA.

      Axel

        • 1. Re: Custom LoginModule calling EJB in non-default security d
          kaloisi


          Not sure if I understand your problem exactly, but I have a LoginModule that accesses a secured EJB. I used RunAsLoginModule as an example.

          The problem is that JBoss has a stack containing principals and credentials. When a login module is called this stack is empty, so if your LoginModule tries to access an EJB the security interceptor tries to re-login and you end up in an infinite loop. At the beginning of your login() method you need to push the role that is defined in your jboss.xml. This way, when the security interceptor is applied it will find the correct role and let the access through.

          http://docs.jboss.org/jbossas/javadoc/4.0.5/security/org/jboss/security/auth/spi/RunAsLoginModule.html

          --kevin
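An added example of the push-at-login() pattern described above (not code from this thread or from JBoss itself): a custom login module for JBoss 4.0.x that extends UsernamePasswordLoginModule, pushes a run-as identity before super.login() reaches the EJB, and pops it again in commit() and abort(). The EJB local interface AuthenticatorLocal with checkCredentials(String, String) and getRoles(String), its home AuthenticatorLocalHome, and the module options runAsRole and ejbJndiName are assumptions for illustration.

```java
import java.security.acl.Group;
import javax.naming.InitialContext;
import javax.security.auth.login.LoginException;
import org.jboss.security.RunAsIdentity;
import org.jboss.security.SecurityAssociation;
import org.jboss.security.SimpleGroup;
import org.jboss.security.SimplePrincipal;
import org.jboss.security.auth.spi.UsernamePasswordLoginModule;

// Custom login module that checks credentials through a secured EJB without recursing.
public class EjbBackedLoginModule extends UsernamePasswordLoginModule {
    private boolean pushed;  // true while our run-as identity sits on the security stack

    public boolean login() throws LoginException {
        // The caller stack is empty here; push a run-as identity so the security interceptor
        // on the authenticator bean finds a role instead of re-entering this login module.
        String runAsRole = (String) options.get("runAsRole");  // role granted in jboss.xml
        SecurityAssociation.pushRunAsIdentity(new RunAsIdentity(runAsRole, "nobody"));
        pushed = true;
        return super.login();  // collects username/password, then calls validatePassword()
    }

    protected String getUsersPassword() { return null; }  // the EJB validates; never fetch the secret

    protected boolean validatePassword(String inputPassword, String expectedPassword) {
        try { return lookupAuthenticator().checkCredentials(getUsername(), inputPassword); }
        catch (Exception e) { return false; }  // EJB failure is an authentication failure
    }

    protected Group[] getRoleSets() throws LoginException {
        try {
            SimpleGroup roles = new SimpleGroup("Roles");
            String[] names = lookupAuthenticator().getRoles(getUsername());
            for (int i = 0; i < names.length; i++) roles.addMember(new SimplePrincipal(names[i]));
            return new Group[] { roles };
        } catch (Exception e) { throw new LoginException("role lookup failed: " + e.getMessage()); }
    }

    // Pop in commit() AND abort() so the run-as role never outlives this login attempt.
    public boolean commit() throws LoginException { try { return super.commit(); } finally { popRunAs(); } }
    public boolean abort() throws LoginException { try { return super.abort(); } finally { popRunAs(); } }
    private void popRunAs() { if (pushed) { SecurityAssociation.popRunAsIdentity(); pushed = false; } }

    private AuthenticatorLocal lookupAuthenticator() throws Exception {  // hypothetical local EJB
        String jndiName = (String) options.get("ejbJndiName");
        return ((AuthenticatorLocalHome) new InitialContext().lookup(jndiName)).create();
    }
}
```

Grant the pushed role only on the authenticator bean's credential-check and role-lookup methods in the deployment descriptors, so the run-as identity unlocks nothing else in the domain while login() runs.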

          • 2. Re: Custom LoginModule calling EJB in non-default security d
            camueller

            In order to have login() push the roles defined in jboss.xml I need to retrieve them from a secured EJB. Kind of hen-and-egg problem ...

            Any idea?

            • 3. Re: Custom LoginModule calling EJB in non-default security d
              starksm64

              A login module in domain1 cannot call a secured ejb in domain1. You can specify the security domain at the bean level using the container-configuration setup of jboss.xml:

              <jboss>
                <enterprise-beans>
                  <entity>
                    <ejb-name>AuditMappedEJB</ejb-name>
                    <local-jndi-name>cmp2/audit/AuditMapped</local-jndi-name>
                    <configuration-name>Secured CMP 2.x EnitityBean</configuration-name>
                  </entity>
                </enterprise-beans>

                <container-configurations>
                  <container-configuration extends="Standard CMP 2.x EntityBean">
                    <container-name>Secured CMP 2.x EnitityBean</container-name>
                    <security-domain>java:/jaas/other</security-domain>
                  </container-configuration>
                </container-configurations>
              </jboss>