Arrggh! JAAS Policy File with JBOSS - Please Help!
jgilmore Dec 11, 2007 10:59 AM
My application security runs great in Tomcat but when I run it in JBoss it doesn't work.
I have deployed a DynamicLoginConfig MBean to specify the location of my custom login-config.xml:
jboss-service.xml:
<server>
    <!-- JG: Added this mbean so that jboss will look first in META-INF for the login config
         before looking in the config directory of the jboss root -->
    <mbean code="org.jboss.security.auth.login.DynamicLoginConfig"
           name="jboss:service=DynamicLoginConfig">
        <attribute name="AuthConfig">META-INF/jboss-login-config.xml</attribute>
        <!-- The service which supports dynamic processing of login-config.xml configurations. -->
        <depends optional-attribute-name="LoginConfigService">
            jboss.security:service=XMLLoginConfig
        </depends>
        <!-- Optionally specify the security mgr service to use when this service is stopped
             to flush the auth caches of the domains registered by this service. -->
        <depends optional-attribute-name="SecurityManagerService">
            jboss.security:service=JaasSecurityManager
        </depends>
    </mbean>
</server>
Where jboss-login-config.xml looks like this:
<policy>
    <application-policy name="CustomerAdmin">
        <authentication>
            <login-module code="com.ftid.custadmin.security.HibernateLoginModule" flag="required">
                <module-option name="policy">META-INF/ClientAdmin.policy</module-option>
            </login-module>
        </authentication>
    </application-policy>
</policy>
This works great: when logging into my application on JBoss, my custom HibernateLoginModule class is called. However, I have a JAAS Policy file that looks like this:
grant Principal com.ftid.custadmin.security.ClientAdminPrincipal "view_customer" {
    permission com.ftid.custadmin.security.ViewIdPermission "/client/clientsView.*";
    permission com.ftid.custadmin.security.ViewIdPermission "/client/clientLandingPage.*";
};
grant Principal com.ftid.custadmin.security.ClientAdminPrincipal "view_update_customer" {
    permission com.ftid.custadmin.security.ViewIdPermission "/client/clientEdit.*";
};
etc.
How do I get the JBoss SecurityManager to read this JAAS policy file??
In Tomcat I simply had to do the following, which works very well:
System.setProperty("java.security.auth.login.config", sc.getRealPath("/WEB-INF/jaas.properties"));
System.setProperty("java.security.auth.policy", sc.getRealPath("/WEB-INF/ClientAdmin.policy"));
SecurityManager sm = System.getSecurityManager();
. . .
Permission perm = new ViewIdPermission("/client/clientEdit");
sm.checkPermission(perm);
When this code runs in JBoss an AccessControlException is thrown. It seems that JBoss creates its own SecurityManager that hasn't been set up using my Policy file.
HOW DO I GET JBOSS TO READ MY POLICY FILE ?? Please Help!!
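
Added example (not part of the original post, and not the poster's or JBoss's code): a standalone probe that loads a policy file explicitly through java.security.Policy and evaluates a principal-based grant of the kind shown above, independent of whichever SecurityManager the container installed. PolicyProbe, RolePrincipal, ViewIdPermission (modelled here as a BasicPermission) and the sample policy text are constructed stand-ins; it assumes a JDK that still provides the "JavaPolicy" policy type.

```java
import java.io.File;
import java.nio.file.Files;
import java.security.*;
import java.security.cert.Certificate;

public class PolicyProbe {
    // Hypothetical stand-ins for the post's ClientAdminPrincipal and ViewIdPermission.
    public static final class RolePrincipal implements Principal {
        private final String name;
        public RolePrincipal(String name) { this.name = name; }
        public String getName() { return name; }
        @Override public boolean equals(Object o) {
            return o instanceof RolePrincipal && name.equals(((RolePrincipal) o).name);
        }
        @Override public int hashCode() { return name.hashCode(); }
    }
    public static final class ViewIdPermission extends BasicPermission {
        public ViewIdPermission(String name) { super(name); }
    }

    // Does the policy file grant perm to a caller holding the principal `who`?
    static boolean granted(File policyFile, Principal who, Permission perm) throws Exception {
        Policy policy = Policy.getInstance("JavaPolicy", new URIParameter(policyFile.toURI()));
        ProtectionDomain pd = new ProtectionDomain(
                new CodeSource(null, (Certificate[]) null), null, null, new Principal[] { who });
        return policy.implies(pd, perm);
    }

    public static void main(String[] args) throws Exception {
        // What the running JVM or container actually has installed and configured.
        System.out.println("SecurityManager: " + System.getSecurityManager());
        System.out.println("java.security.auth.policy: " + System.getProperty("java.security.auth.policy"));

        // Constructed policy in the same shape as the post's ClientAdmin.policy.
        String policyText =
              "grant Principal PolicyProbe$RolePrincipal \"view_update_customer\" {\n"
            + "  permission PolicyProbe$ViewIdPermission \"/client/clientEdit.*\";\n"
            + "};\n";
        File f = File.createTempFile("ClientAdmin", ".policy");
        f.deleteOnExit();
        Files.write(f.toPath(), policyText.getBytes("UTF-8"));

        Permission edit = new ViewIdPermission("/client/clientEdit.xhtml");
        System.out.println("view_update_customer: " + granted(f, new RolePrincipal("view_update_customer"), edit));
        System.out.println("view_customer: " + granted(f, new RolePrincipal("view_customer"), edit));
    }
}
```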