1 Reply Latest reply on May 7, 2008 10:34 AM by chawax

    Need help to configure security with Seam and EJB3

    chawax

      Hi,

      I have been desperately trying to enable security on EJB3 session beans called from Seam components, but I can't find how to do it. When I try to call an EJB3 session bean, I get an "Authentication failure" error. It's hard to find clear documentation about this on the web, so I hope someone will help me here ... Note that I just want to authenticate for the moment; I don't want to use role-based authorization because it won't be enough for my needs.

      My app is an EAR with two JARs:
      - one with EJB3 session beans
      - one with Seam components (EJB3, not pojos)
      The problem appears when I call secured EJB3 session beans from a Seam component.

      Here is what I did so far:

      In my EJB3 session beans JAR:

      One example of an EJB3 session bean ...

      META-INF/jboss.xml:

      <?xml version="1.0" encoding="UTF-8"?>
      <jboss>
        <enterprise-beans>
          <session>
            <ejb-name>ServiceBaseEmployeBean</ejb-name>
            <!-- bind this bean to the "t4Seam" JAAS security domain -->
            <security-domain>t4Seam</security-domain>
          </session>
        </enterprise-beans>
      </jboss>


      META-INF/ejb-jar.xml:

      <?xml version="1.0" encoding="UTF-8"?>
      <ejb-jar xmlns="http://java.sun.com/xml/ns/javaee"
               xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
               xsi:schemaLocation="http://java.sun.com/xml/ns/javaee http://java.sun.com/xml/ns/javaee/ejb-jar_3_0.xsd"
               version="3.0">
        <enterprise-beans>
          <session>
            <description><![CDATA[]]></description>
            <ejb-name>ServiceBaseEmployeBean</ejb-name>
            <remote>t4.core.employe.facade.ServiceBaseEmployeRemote</remote>
            <local>t4.core.employe.facade.ServiceBaseEmployeLocal</local>
            <ejb-class>t4.core.employe.facade.ServiceBaseEmployeBean</ejb-class>
            <session-type>Stateless</session-type>
            <transaction-type>Container</transaction-type>
          </session>
        </enterprise-beans>
      </ejb-jar>


      In the EAR:

      META-INF/jboss-app.xml:

      <?xml version="1.0" encoding="UTF-8"?>
      <!DOCTYPE jboss-app
        PUBLIC "-//JBoss//DTD J2EE Application 1.4//EN"
        "http://www.jboss.org/j2ee/dtd/jboss-app_4_0.dtd">
      <jboss-app>
        <!-- deploy the login-config service (below) together with the EAR -->
        <module>
          <service>META-INF/t4Seam-login-service.xml</service>
        </module>
      </jboss-app>


      META-INF/t4Seam-login-service.xml:

      <?xml version="1.0" encoding="UTF-8"?>
      <server>
        <!-- registers the "t4Seam" application-policy from the AuthConfig file
             with the server-wide XMLLoginConfig while the EAR is deployed -->
        <mbean code="org.jboss.security.auth.login.DynamicLoginConfig"
               name="t4Seam:service=DynamicLoginConfig">
          <attribute name="AuthConfig">META-INF/t4Seam-login-config.xml</attribute>
          <depends optional-attribute-name="LoginConfigService">
            jboss.security:service=XMLLoginConfig
          </depends>
          <depends optional-attribute-name="SecurityManagerService">
            jboss.security:service=JaasSecurityManager
          </depends>
        </mbean>
      </server>


      META-INF/t4Seam-login-config.xml:

      <?xml version="1.0" encoding="UTF-8"?>
      <!DOCTYPE policy PUBLIC
        "-//JBoss//DTD JBOSS Security Config 3.0//EN"
        "http://www.jboss.org/j2ee/dtd/security_config.dtd">
      <policy>
        <application-policy name="t4Seam">
          <authentication>
            <!-- SeamLoginModule delegates to the Seam authenticate-method -->
            <login-module code="org.jboss.seam.security.jaas.SeamLoginModule" flag="required">
            </login-module>
            <!-- ClientLoginModule pushes principal/credential into the JBoss
                 security association so later EJB calls carry them -->
            <login-module code="org.jboss.security.ClientLoginModule" flag="required">
              <module-option name="restore-login-identity">true</module-option>
              <module-option name="multi-threaded">false</module-option>
            </login-module>
          </authentication>
        </application-policy>
      </policy>


      In the Seam components JAR:

      META-INF/components.xml:

      <components xmlns="http://jboss.com/products/seam/components"
                  xmlns:security="http://jboss.com/products/seam/security">
        <security:identity
          authenticate-method="#{authenticator.authenticate}"
          jaas-config-name="t4Seam" />
      </components>


      My Seam authenticate method (there is no security on the compteUtilisateurDao EJB):

      import javax.ejb.EJB;
      import org.jboss.seam.security.Identity;

      // DAO used to look the account up; this EJB has no security domain
      @EJB
      private CompteUtilisateurDao compteUtilisateurDao;

      // Invoked by SeamLoginModule during the JAAS login, through the
      // authenticate-method declared in components.xml (#{authenticator.authenticate})
      public boolean authenticate() throws Exception
      {
        String username = Identity.instance().getUsername();
        String password = Identity.instance().getPassword();
        CompteUtilisateur utilisateur =
            compteUtilisateurDao.findByUsernameAndPassword(username, password);
        // true means authenticated
        return (utilisateur != null);
      }


      And the code calling the EJB3 session bean from a Seam component:

      import javax.ejb.EJB;
      import javax.ejb.TransactionAttribute;
      import javax.ejb.TransactionAttributeType;
      import org.jboss.seam.annotations.Factory;
      import org.jboss.seam.annotations.Observer;

      // secured EJB3 session bean (bound to the "t4Seam" domain in jboss.xml)
      @EJB protected ServiceBaseEmployeLocal serviceEmploye;

      @TransactionAttribute(TransactionAttributeType.REQUIRES_NEW)
      @Factory(value = "employes")
      @Observer("employeUpdated")
      public void getEmployes() throws Exception
      {
        // this is the call that fails with "Authentication failure"
        this.employes = this.serviceEmploye.loadAllEmployes();
      }


      What I saw in the traces is that both SeamLoginModule and ClientLoginModule are called and run OK. But it looks like the JAAS subject is not propagated to the EJB layer, while that is (as far as I understood) the goal of ClientLoginModule.

      Does anyone have an idea what I am doing wrong? Maybe I forgot some config files or misunderstood something about JBoss Security?

      Thanks in advance,

      Olivier
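
A way to see at which hop the identity is actually lost, added here as an example and not code from the original post. It assumes the hypothetical names WhoAmILocal, WhoAmIBean, IdentityProbe and the package t4.diag; the probe bean must be deployed in the EJB JAR and bound in jboss.xml to the same "t4Seam" security domain as ServiceBaseEmployeBean, so it passes through the same security interceptor as the failing call. The three types are shown in one file for brevity; in a real project each goes in its own file and the bean and its local interface are public.

```java
// Added example (not from the original post). Hypothetical names:
// WhoAmILocal, WhoAmIBean, IdentityProbe and the package t4.diag.
package t4.diag;

import java.security.Principal;

import javax.annotation.Resource;
import javax.ejb.EJB;
import javax.ejb.Local;
import javax.ejb.SessionContext;
import javax.ejb.Stateless;

import org.jboss.seam.annotations.Name;
import org.jboss.seam.security.Identity;
import org.jboss.security.SecurityAssociation;

/** Local view of the probe bean. */
@Local
interface WhoAmILocal {
    String whoAmI();
}

/**
 * Probe bean: bind it in jboss.xml to the "t4Seam" security domain,
 * exactly like ServiceBaseEmployeBean, so the same security interceptor
 * runs in front of it.
 */
@Stateless
class WhoAmIBean implements WhoAmILocal {
    @Resource
    private SessionContext ctx;

    public String whoAmI() {
        // Only reached if the container accepted the caller's identity.
        Principal p = ctx.getCallerPrincipal();
        return p == null ? "<none>" : p.getName();
    }
}

/** Seam component to call from a page or action after Identity.login() succeeded. */
@Name("identityProbe")
public class IdentityProbe {
    @EJB
    private WhoAmILocal whoAmI;

    /** Returns a one-line report of the identity seen at each hop. */
    public String check() {
        StringBuilder report = new StringBuilder();

        // Hop 1: what Seam holds after the login.
        Identity identity = Identity.instance();
        report.append("seam.loggedIn=").append(identity.isLoggedIn())
              .append(" seam.principal=").append(identity.getPrincipal());

        // Hop 2: the principal ClientLoginModule pushed into the JBoss
        // security association, which is where the EJB security
        // interceptor looks for the caller of the next invocation.
        report.append(" association.principal=")
              .append(SecurityAssociation.getPrincipal());

        // Hop 3: what the container reports inside a bean of the same
        // security domain. If the call throws here (the "Authentication
        // failure" of the question), hop 2 and the interceptor disagree.
        try {
            report.append(" ejb.callerPrincipal=").append(whoAmI.whoAmI());
        } catch (RuntimeException e) {
            report.append(" ejb.call.failed=").append(e.getClass().getName())
                  .append(": ").append(e.getMessage());
        }
        return report.toString();
    }
}
```

Call #{identityProbe.check()} from a test page right after a successful login: if seam.principal is set but association.principal is null, the ClientLoginModule result is not visible on the thread that makes the EJB call; if both are set and the probe bean still fails, the problem sits in the security domain's own authentication of that principal and credential.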