Simple JAAS authentication not working....
j0llyr0g3r Jun 9, 2008 11:17 AM
Hey folks,
I am really becoming desperate with JBoss + JAAS.
I have a very simple RMI client which connects to a Stateless Session Bean running within a JBoss 4.2.
This scenario works perfectly well. Now I want to secure access to my EJB by allowing only authenticated clients to call the EJB's methods.
Based on the official documentation: http://docs.jboss.org/jbossas/jboss4guide/r1/html/ch8.chapter.html
I started out with the most simple authentication possible, using UsersRolesLoginModule as the login module:
* Create the file users.properties in the ejb-jar subproject under the directory META-INF:

    admin=secretadminpassword
    user=secretuserpassword

* Create the file roles.properties in the ejb-jar subproject under the directory META-INF:

    admin=adminRole
    user=userRole

* Add an ejb-jar.xml to the ejb-jar subproject under the directory META-INF:

    <ejb-jar>
      <assembly-descriptor>
        <security-role>
          <description>admin: only allowed users</description>
          <role-name>adminRole</role-name>
        </security-role>
        <security-role>
          <description>users: the rest</description>
          <role-name>userRole</role-name>
        </security-role>
        <method-permission>
          <role-name>admin</role-name>
          <method>
            <ejb-name>SendCommand</ejb-name>
            <method-name>*</method-name>
          </method>
        </method-permission>
      </assembly-descriptor>
    </ejb-jar>

* Add the file jboss.xml under the directory /$PROJECT-ROOT/META-INF:

    <jboss>
      <security-domain>java:/jaas/esf</security-domain>
      <enterprise-beans>
        <session>
          <ejb-name>SendCommand</ejb-name>
          <jndi-name>SendCommand</jndi-name>
        </session>
      </enterprise-beans>
    </jboss>

* Adjust the file login-config.xml under the directory $JBOSS_HOME/server/$PROFILE/conf/:

    <application-policy name="esf">
      <authentication>
        <login-module code="org.jboss.security.auth.spi.UsersRolesLoginModule" flag="required" />
      </authentication>
    </application-policy>
So far, so good....
If I rebuild my application and inspect the EAR's content, I see all the expected files there, meaning jboss.xml, users.properties etc....
But: I can still connect with my RMI client to my EJB even without giving credentials at all!
No error messages, no exceptions....
Any ideas what went wrong here?
Is there a way to check what JBoss sees as a security domain?
P.S.: JAAS may be great due to its modularity, but it is horrible, unbelievably horrible to configure for a JAAS beginner. This is an utter catastrophe; how long do I have to study JAAS to get a simple authentication working?
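A check worth running on the three artefacts the post wires together, added here as an illustration and not code from the original post or from JBoss: it parses the assembly-descriptor of an ejb-jar.xml and the users.properties / roles.properties that UsersRolesLoginModule reads, then cross-references the role names. The inputs are constructed copies of the post's files (trimmed to the elements that matter); the categories it reports are this example's own assumptions about what a consistent deployment looks like, not JBoss's deploy-time validation. Run on the post's descriptor it reports that the method-permission role `admin` is neither a declared security-role nor held by any principal in roles.properties, while `adminRole`/`userRole` protect nothing; the second descriptor shows the same files with the permission granted to `adminRole` instead.

```python
"""Descriptor consistency check for a JBoss 4.x JAAS/EJB setup.

Added example, not code from the original post or from JBoss. It parses the
<assembly-descriptor> of an ejb-jar.xml plus the users.properties and
roles.properties that UsersRolesLoginModule reads, and reports role names
that do not line up between them. The sample inputs below are constructed to
mirror the post's files; the checks are this example's own assumptions about
what a sane deployment looks like, not JBoss's deploy-time validation.
"""
import re
import xml.etree.ElementTree as ET

# Constructed copy of the post's descriptor: the method-permission names the
# role "admin", while the declared security-roles are adminRole/userRole.
EJB_JAR_XML_AS_POSTED = """
<ejb-jar>
  <assembly-descriptor>
    <security-role><role-name>adminRole</role-name></security-role>
    <security-role><role-name>userRole</role-name></security-role>
    <method-permission>
      <role-name>admin</role-name>
      <method><ejb-name>SendCommand</ejb-name><method-name>*</method-name></method>
    </method-permission>
  </assembly-descriptor>
</ejb-jar>
"""

# Same descriptor with the permission granted to the declared role instead.
EJB_JAR_XML_CONSISTENT = EJB_JAR_XML_AS_POSTED.replace(
    "<role-name>admin</role-name>", "<role-name>adminRole</role-name>")

# Constructed copies of the post's two properties files.
USERS_PROPERTIES = "admin=secretadminpassword\nuser=secretuserpassword\n"
ROLES_PROPERTIES = "admin=adminRole\nuser=userRole\n"


def parse_properties(text):
    """Minimal key=value parser for the two .properties files (no escapes)."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(("#", "!")):
            continue
        key, _, value = line.partition("=")
        props[key.strip()] = value.strip()
    return props


def parse_assembly_descriptor(xml_text):
    """Return (declared roles, [(role or None, ejb-name, method-name), ...])."""
    root = ET.fromstring(xml_text.strip())
    for el in root.iter():  # drop a default namespace if the descriptor has one
        el.tag = re.sub(r"^\{.*\}", "", el.tag)
    asm = root.find("assembly-descriptor")
    if asm is None:
        return set(), []
    declared = {r.findtext("role-name", "").strip()
                for r in asm.findall("security-role")}
    permissions = []
    for mp in asm.findall("method-permission"):
        roles = [r.text.strip() for r in mp.findall("role-name")]
        if mp.find("unchecked") is not None:
            roles.append(None)  # <unchecked/> opens the methods to everyone
        for m in mp.findall("method"):
            ejb = m.findtext("ejb-name", "").strip()
            name = m.findtext("method-name", "*").strip()
            permissions.extend((role, ejb, name) for role in roles)
    return declared, permissions


def check(ejb_jar_xml, users_text, roles_text):
    """Cross-check the three files; every returned set should ideally be empty."""
    declared, permissions = parse_assembly_descriptor(ejb_jar_xml)
    users = parse_properties(users_text)
    # roles.properties maps principal -> comma-separated role list
    grants = {u: {r.strip() for r in v.split(",") if r.strip()}
              for u, v in parse_properties(roles_text).items()}
    granted = set().union(*grants.values()) if grants else set()
    referenced = {role for role, _, _ in permissions if role is not None}
    return {
        # used in <method-permission> but never declared as <security-role>
        "undeclared_roles": referenced - declared,
        # required by a permission but held by nobody in roles.properties
        "roles_nobody_has": referenced - granted,
        # declared but protecting nothing
        "unused_roles": declared - referenced,
        # can log in (have a password) but carry no role
        "users_without_roles": {u for u in users if not grants.get(u)},
        # get roles but have no entry in users.properties
        "roles_for_unknown_users": set(grants) - set(users),
    }


if __name__ == "__main__":
    for label, xml_text in (("as posted", EJB_JAR_XML_AS_POSTED),
                            ("consistent", EJB_JAR_XML_CONSISTENT)):
        print(f"== ejb-jar.xml {label} ==")
        for finding, names in check(xml_text, USERS_PROPERTIES,
                                    ROLES_PROPERTIES).items():
            if names:
                print(f"  {finding}: {sorted(names)}")
```

The script only reads the descriptor text, so it says nothing about whether JBoss picked the files up at deploy time: jboss.xml's security-domain applies to the beans of the EJB jar whose META-INF it sits in, and a descriptor that lands elsewhere in the EAR leaves the bean unsecured however consistent its role names are.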