7 Replies Latest reply on Feb 4, 2009 4:30 PM by apph_

    JBoss 5 authentication / authorization problem

    apph_

      Hello,

      I'm having problems integrating JBoss 5 authentication / authorization in my application. I'm using EJB3, JSF 2 (but it's maven project, so actually JBoss JSF implementation is used) + Facelets.

      The configuration is as follows:

      1. First i've added jboss-web.xml to my WEB-INF directory. File content looks like this:

      <?xml version="1.0" encoding="UTF-8"?>
      <!DOCTYPE jboss-web PUBLIC "-//JBoss//DTD Web Application 2.4//EN" "http://www.jboss.org/j2ee/dtd/jboss-web_5_0.dtd">
      <jboss-web>
       <security-domain>java:/jaas/toy-shop-realm</security-domain>
      </jboss-web>
      


      2. I have added security domain configuration to login-config.xml located in JBOSS_INSTALL_DIR\server\default\conf\ like this:
       <application-policy name="toy-shop-realm">
       <authentication>
       <login-module code="org.jboss.security.auth.spi.UsersRolesLoginModule" flag="required">
       <module-option name="usersProperties">props/toy-shop-users.properties</module-option>
       <module-option name="rolesProperties">props/toy-shop-roles.properties</module-option>
       <module-option name="securityDomain">java:/jaas/toy-shop-realm</module-option>
       </login-module>
       </authentication>
       </application-policy>
      

      As you can see there are two files: toy-shop-users.properties and toy-shop-roles.properties in JBOSS_INSTALL_DIR\server\default\conf\props\ directory.

      toy-shop-users.properties content is as simple as:
      admin=admin
      user=user

      and toy-shop-roles.properties:
      admin=admin
      user=user

      3. I have defined URL addresses security in web.xml in WEB-INF directory:
      <security-constraint>
       <web-resource-collection>
       <web-resource-name>all</web-resource-name>
       <url-pattern>/*</url-pattern>
       </web-resource-collection>
       <auth-constraint>
       <role-name>user</role-name>
       </auth-constraint>
       </security-constraint>
      
       <security-role>
       <role-name>admin</role-name>
       </security-role>
       <security-role>
       <role-name>user</role-name>
       </security-role>
      
       <login-config>
       <auth-method>FORM</auth-method>
       <form-login-config>
       <form-login-page>/login.jsp</form-login-page>
       <form-error-page>/error.jsp</form-error-page>
       </form-login-config>
       </login-config>
      

      The login.jsp page simply uses j_security_check for authentication.

      4. And finally some security annotation in EJB bean:
      @SecurityDomain("toy-shop-realm")
      @RolesAllowed({"admin", "user"})
      @Stateless
      public class PaymentLogic implements PaymentContract {
      
       @EJB(mappedName="PaymentJpaDao/local")
       private PaymentDao paymentDao;
      
       @RolesAllowed({"admin"})
       public List<Payment> getActivePayments() {
       return paymentDao.getActivePayments();
       }
      }
      


      PaymentContract is simple interface with one method and no annotations.
      PaymentJpaDao is defined as Stateless bean.

      Now, when i start the application it requires authentication. If i provide non-defined user name i will not go through. If it's 'user' or 'admin' defined in properties file it is ok. But it looks like security annotations are completely ignored. Everybody can invoke getActivePayments method. Web application is tested as war (will be packed as ear in future) and it uses another library with defined EJB's (PaymentLogic, PaymentJpaDao, etc.). Now if i add jboss.xml file to META-INF directory of this library:
      <jboss>
       <security-domain>toy-shop-realm</security-domain>
      </jboss>
      

      then when i invoke getActivePayments logged as 'user' i'll get EJBAccessException: Caller unauthorized. This is great. But when i invoke it as 'admin', i'll get the 403 error - access denied. If I add <role-name>admin</role-name> in <auth-constraint> in web.xml i'll also get EJBAccessException: Caller unauthorized for 'admin' login.

      What am i missing?

      Thx for any help.

        • 1. Re: JBoss 5 authentication / authorization problem
          wolfgangknauf

          Hi,

          one detail: your "jboss-web.xml" declares the wrong ID:

          <!DOCTYPE jboss-web PUBLIC "-//JBoss//DTD Web Application 2.4//EN" "http://www.jboss.org/j2ee/dtd/jboss-web_5_0.dtd">

          should be:
          <!DOCTYPE jboss-web PUBLIC "-//JBoss//DTD Web Application 5.0//EN" "http://www.jboss.org/j2ee/dtd/jboss-web_5_0.dtd"


          As I fear that this does not change anything: did you try to activate logging of the security layer (see security FAQ post in this forum, question 4)? Maybe this provides you with a more detailed error, e.g. about invalid config.

          Hope this helps

          Wolfgang

          • 2. Re: JBoss 5 authentication / authorization problem
            apph_

            Hi Wolfgang,

            Still the same problem with the correct ID.

            "Wolfgang Knauf" wrote:
            Hi,
            did you try to activate logging of the security layer?


            Yes I did. But i don't see any errors related to these packages: org.apache.catalina, org.jboss.web.tomcat.security and org.jboss.security.

            The only warning (or maybe that's not even warning but trace):
            TRACE [SecurityAssociation][org.jboss.security.SecurityAssociation] WARN::Deprecated usage of SecurityAssociation. Use SecurityContext

            Appreciate your help.

            • 3. Re: JBoss 5 authentication / authorization problem
              wolfgangknauf

              Hi,

              I have to admit I don't have much more ideas on this.

              My own security example is packaged in one single EAR and works, so I would advice you to give this a try (EJB jar and web war in one EAR).

              The strange thing is that the "jboss.xml" approach at least seems to perform a login, but the annotation approach does not work.

              Could you post your full jboss.xml? Your snippet does not contain a doctype declaration, maybe this confuses jboss. It should be:

              <?xml version="1.0" encoding="UTF-8"?>
              <!DOCTYPE jboss PUBLIC
               "-//JBoss//DTD JBOSS 5.0//EN"
               "http://www.jboss.org/j2ee/dtd/jboss_5_0.dtd">
              
              <jboss>
               <security-domain>toy-shop-realm</security-domain>
              </jboss>


              For the annotation approach: I know that there are two "SecurityDomain" annotations in the JBoss package: org.jboss.ejb3.annotation.SecurityDomain (the right one) and org.jboss.aspects.security.SecurityDomain (this one does not do anything). Could you check whether you picked the right one?

              Does the security logging tell you that it uses your properties file and can verify login/password?
              The "Logging" chapter from the security FAQ is slightly outdated, please see http://www.jboss.com/index.html?module=bb&op=viewtopic&t=148747#4203604 for an up-to-date config.

              If this does not help: you could mail me your sample.

              Wolfgang

              • 4. Re: JBoss 5 authentication / authorization problem
                jaikiran

                To add to what Wolfgang has adviced -

                Two things:

                1)

                "apph_" wrote:
                But it looks like security annotations are completely ignored.


                What does your import statement look like in the EJB. I am mainly interested in the @SecurityDomain import:

                @SecurityDomain("toy-shop-realm")


                In JBoss5, the import should be:

                import org.jboss.ejb3.annotation.SecurityDomain;


                2)
                "apph_" wrote:
                But when i invoke it as 'admin', i'll get the 403 error - access denied.If I add <role-name>admin</role-name> in <auth-constraint> in web.xml i'll also get EJBAccessException: Caller unauthorized for 'admin' login.


                Can you post the entire exception stacktrace?

                • 5. Re: JBoss 5 authentication / authorization problem
                  apph_

                   

                  "Wolfgang Knauf" wrote:

                  My own security example is packaged in one single EAR and works, so I would advice you to give this a try (EJB jar and web war in one EAR).


                  Yep, I've tried by I'm getting the following errors:
                  WARN [AbstractDeploymentContext][org.jboss.deployers.structure.spi.helpers.AbstractDeploymentContext] Unable to register deployment mbean org.jboss.metadata.jpa.spec.PersistenceUnitMetaData.toy-shop-model
                  javax.management.InstanceAlreadyExistsException: jboss.deployment:id="org.jboss.metadata.jpa.spec.PersistenceUnitMetaData.toy-shop-model",type=Component already registered.
                   at org.jboss.mx.server.registry.BasicMBeanRegistry.add(BasicMBeanRegistry.java:767)
                   at org.jboss.mx.server.registry.BasicMBeanRegistry.registerMBean(BasicMBeanRegistry.java:236)
                   at sun.reflect.GeneratedMethodAccessor89.invoke(Unknown Source)
                   at sun.reflect.DelegatingMethodAccessorImpl.invoke(Unknown Source)
                   at java.lang.reflect.Method.invoke(Unknown Source)
                   at org.jboss.mx.interceptor.ReflectedDispatcher.invoke(ReflectedDispatcher.java:157)
                   at org.jboss.mx.server.Invocation.dispatch(Invocation.java:96)
                   at org.jboss.mx.interceptor.AbstractInterceptor.invoke(AbstractInterceptor.java:138)
                   at org.jboss.mx.server.Invocation.invoke(Invocation.java:90)
                   at org.jboss.mx.interceptor.ModelMBeanOperationInterceptor.invoke(ModelMBeanOperationInterceptor.java:140)
                   at org.jboss.mx.server.Invocation.invoke(Invocation.java:90)
                   at org.jboss.mx.server.AbstractMBeanInvoker.invoke(AbstractMBeanInvoker.java:264)
                   at org.jboss.mx.server.MBeanServerImpl.invoke(MBeanServerImpl.java:668)
                   at org.jboss.mx.server.MBeanServerImpl$3.run(MBeanServerImpl.java:1431)
                   at java.security.AccessController.doPrivileged(Native Method)
                   at org.jboss.mx.server.MBeanServerImpl.registerMBean(MBeanServerImpl.java:1426)
                   at org.jboss.mx.server.MBeanServerImpl.registerMBean(MBeanServerImpl.java:376)
                   at org.jboss.deployers.structure.spi.helpers.AbstractDeploymentContext.registerMBeans(AbstractDeploymentContext.java:989)
                   at org.jboss.deployers.structure.spi.helpers.AbstractDeploymentContext.addComponent(AbstractDeploymentContext.java:719)
                   at org.jboss.deployers.structure.spi.helpers.AbstractDeploymentUnit.addComponent(AbstractDeploymentUnit.java:249)
                   at org.jboss.jpa.deployers.AbstractDeploymentVisitor.addComponent(AbstractDeploymentVisitor.java:49)
                   at org.jboss.jpa.deployers.AbstractDeploymentVisitor.deploy(AbstractDeploymentVisitor.java:64)
                   at org.jboss.deployers.spi.deployer.helpers.AbstractRealDeployerWithInput.deploy(AbstractRealDeployerWithInput.java:125)
                   at org.jboss.deployers.spi.deployer.helpers.AbstractRealDeployerWithInput.internalDeploy(AbstractRealDeployerWithInput.java:102)
                   at org.jboss.deployers.spi.deployer.helpers.AbstractComponentDeployer.internalDeploy(AbstractComponentDeployer.java:78)
                   at org.jboss.deployers.spi.deployer.helpers.AbstractRealDeployer.deploy(AbstractRealDeployer.java:50)
                   at org.jboss.deployers.plugins.deployers.DeployerWrapper.deploy(DeployerWrapper.java:171)
                   at org.jboss.deployers.plugins.deployers.DeployersImpl.doDeploy(DeployersImpl.java:1439)
                   at org.jboss.deployers.plugins.deployers.DeployersImpl.doInstallParentFirst(DeployersImpl.java:1157)
                   at org.jboss.deployers.plugins.deployers.DeployersImpl.doInstallParentFirst(DeployersImpl.java:1210)
                   at org.jboss.deployers.plugins.deployers.DeployersImpl.install(DeployersImpl.java:1098)
                   at org.jboss.dependency.plugins.AbstractControllerContext.install(AbstractControllerContext.java:348)
                   at org.jboss.dependency.plugins.AbstractController.install(AbstractController.java:1598)
                   at org.jboss.dependency.plugins.AbstractController.incrementState(AbstractController.java:934)
                   at org.jboss.dependency.plugins.AbstractController.resolveContexts(AbstractController.java:1062)
                   at org.jboss.dependency.plugins.AbstractController.resolveContexts(AbstractController.java:984)
                   at org.jboss.dependency.plugins.AbstractController.change(AbstractController.java:822)
                   at org.jboss.dependency.plugins.AbstractController.change(AbstractController.java:553)
                   at org.jboss.deployers.plugins.deployers.DeployersImpl.process(DeployersImpl.java:781)
                   at org.jboss.deployers.plugins.main.MainDeployerImpl.process(MainDeployerImpl.java:545)
                   at org.jboss.system.server.profileservice.ProfileServiceBootstrap.loadProfile(ProfileServiceBootstrap.java:304)
                   at org.jboss.system.server.profileservice.ProfileServiceBootstrap.start(ProfileServiceBootstrap.java:205)
                   at org.jboss.bootstrap.AbstractServerImpl.start(AbstractServerImpl.java:405)
                   at org.jboss.Main.boot(Main.java:209)
                   at org.jboss.Main$1.run(Main.java:547)
                   at java.lang.Thread.run(Unknown Source)
                  


                  I've already experienced this problem while deploying ear. It occured where there was more than one persistence.xml file with the same persistence unit name (toy-shop-model in my case). But now it's not the case, I think.

                  Also the following error:
                  ERROR [AbstractKernelController][org.jboss.dependency.plugins.AbstractController] Error installing to Start: name=persistence.unit:unitName=toy-shop-ear-0.0.1.ear/toy-shop-web-0.0.1.war#toy-shop-model state=Create
                  java.lang.RuntimeException: Specification violation [EJB3 JPA 6.2.1.2] - You have not defined a non-jta-data-source for a RESOURCE_LOCAL enabled persistence context named: toy-shop-model
                   at org.jboss.jpa.deployment.PersistenceUnitInfoImpl.<init>(PersistenceUnitInfoImpl.java:124)
                   at org.jboss.jpa.deployment.PersistenceUnitDeployment.start(PersistenceUnitDeployment.java:285)
                   at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
                   at sun.reflect.NativeMethodAccessorImpl.invoke(Unknown Source)
                   at sun.reflect.DelegatingMethodAccessorImpl.invoke(Unknown Source)
                   at java.lang.reflect.Method.invoke(Unknown Source)
                   at org.jboss.reflect.plugins.introspection.ReflectionUtils.invoke(ReflectionUtils.java:59)
                   at org.jboss.reflect.plugins.introspection.ReflectMethodInfoImpl.invoke(ReflectMethodInfoImpl.java:150)
                   at org.jboss.joinpoint.plugins.BasicMethodJoinPoint.dispatch(BasicMethodJoinPoint.java:66)
                   at org.jboss.kernel.plugins.dependency.KernelControllerContextAction$JoinpointDispatchWrapper.execute(KernelControllerContextAction.java:241)
                   at org.jboss.kernel.plugins.dependency.ExecutionWrapper.execute(ExecutionWrapper.java:47)
                   at org.jboss.kernel.plugins.dependency.KernelControllerContextAction.dispatchExecutionWrapper(KernelControllerContextAction.java:109)
                   at org.jboss.kernel.plugins.dependency.KernelControllerContextAction.dispatchJoinPoint(KernelControllerContextAction.java:70)
                   at org.jboss.kernel.plugins.dependency.LifecycleAction.installActionInternal(LifecycleAction.java:221)
                   at org.jboss.kernel.plugins.dependency.InstallsAwareAction.installAction(InstallsAwareAction.java:54)
                   at org.jboss.kernel.plugins.dependency.InstallsAwareAction.installAction(InstallsAwareAction.java:42)
                   at org.jboss.dependency.plugins.action.SimpleControllerContextAction.simpleInstallAction(SimpleControllerContextAction.java:62)
                   at org.jboss.dependency.plugins.action.AccessControllerContextAction.install(AccessControllerContextAction.java:71)
                   at org.jboss.dependency.plugins.AbstractControllerContextActions.install(AbstractControllerContextActions.java:51)
                   at org.jboss.dependency.plugins.AbstractControllerContext.install(AbstractControllerContext.java:348)
                   at org.jboss.dependency.plugins.AbstractController.install(AbstractController.java:1598)
                   at org.jboss.dependency.plugins.AbstractController.incrementState(AbstractController.java:934)
                   at org.jboss.dependency.plugins.AbstractController.resolveContexts(AbstractController.java:1062)
                   at org.jboss.dependency.plugins.AbstractController.resolveContexts(AbstractController.java:984)
                   at org.jboss.dependency.plugins.AbstractController.install(AbstractController.java:774)
                   at org.jboss.dependency.plugins.AbstractController.install(AbstractController.java:540)
                   at org.jboss.deployers.vfs.deployer.kernel.BeanMetaDataDeployer.deploy(BeanMetaDataDeployer.java:121)
                   at org.jboss.deployers.vfs.deployer.kernel.BeanMetaDataDeployer.deploy(BeanMetaDataDeployer.java:51)
                   at org.jboss.deployers.spi.deployer.helpers.AbstractSimpleRealDeployer.internalDeploy(AbstractSimpleRealDeployer.java:62)
                   at org.jboss.deployers.spi.deployer.helpers.AbstractRealDeployer.deploy(AbstractRealDeployer.java:50)
                   at org.jboss.deployers.plugins.deployers.DeployerWrapper.deploy(DeployerWrapper.java:171)
                   at org.jboss.deployers.plugins.deployers.DeployersImpl.doDeploy(DeployersImpl.java:1439)
                   at org.jboss.deployers.plugins.deployers.DeployersImpl.doInstallParentFirst(DeployersImpl.java:1157)
                   at org.jboss.deployers.plugins.deployers.DeployersImpl.doInstallParentFirst(DeployersImpl.java:1178)
                   at org.jboss.deployers.plugins.deployers.DeployersImpl.doInstallParentFirst(DeployersImpl.java:1210)
                   at org.jboss.deployers.plugins.deployers.DeployersImpl.install(DeployersImpl.java:1098)
                   at org.jboss.dependency.plugins.AbstractControllerContext.install(AbstractControllerContext.java:348)
                   at org.jboss.dependency.plugins.AbstractController.install(AbstractController.java:1598)
                   at org.jboss.dependency.plugins.AbstractController.incrementState(AbstractController.java:934)
                   at org.jboss.dependency.plugins.AbstractController.resolveContexts(AbstractController.java:1062)
                   at org.jboss.dependency.plugins.AbstractController.resolveContexts(AbstractController.java:984)
                   at org.jboss.dependency.plugins.AbstractController.change(AbstractController.java:822)
                   at org.jboss.dependency.plugins.AbstractController.change(AbstractController.java:553)
                   at org.jboss.deployers.plugins.deployers.DeployersImpl.process(DeployersImpl.java:781)
                   at org.jboss.deployers.plugins.main.MainDeployerImpl.process(MainDeployerImpl.java:545)
                   at org.jboss.system.server.profileservice.ProfileServiceBootstrap.loadProfile(ProfileServiceBootstrap.java:304)
                   at org.jboss.system.server.profileservice.ProfileServiceBootstrap.start(ProfileServiceBootstrap.java:205)
                   at org.jboss.bootstrap.AbstractServerImpl.start(AbstractServerImpl.java:405)
                   at org.jboss.Main.boot(Main.java:209)
                   at org.jboss.Main$1.run(Main.java:547)
                   at java.lang.Thread.run(Unknown Source)


                  I also got this error earlier but i'm currently not using RESOURCE_LOCAL but JTA.

                  "Wolfgang Knauf" wrote:

                  Could you post your full jboss.xml? Your snippet does not contain a doctype declaration, maybe this confuses jboss. It should be:
                  <?xml version="1.0" encoding="UTF-8"?>
                  <!DOCTYPE jboss PUBLIC
                   "-//JBoss//DTD JBOSS 5.0//EN"
                   "http://www.jboss.org/j2ee/dtd/jboss_5_0.dtd">
                  
                  <jboss>
                   <security-domain>toy-shop-realm</security-domain>
                  </jboss>



                  Yes, my jboss.xml did not declared DOCTYPE. Now it's exactly as above.


                  "Wolfgang Knauf" wrote:

                  For the annotation approach: I know that there are two "SecurityDomain" annotations in the JBoss package: org.jboss.ejb3.annotation.SecurityDomain (the right one) and org.jboss.aspects.security.SecurityDomain (this one does not do anything). Could you check whether you picked the right one?


                  Yep, I've seen that there is another annotation class. I'm using this class:
                  import org.jboss.annotation.security.SecurityDomain

                  but I see now it has been moved to:
                  org.jboss.ejb3.annotation.SecurityDomain




                  • 6. Re: JBoss 5 authentication / authorization problem
                    apph_

                     

                    "jaikiran" wrote:
                    I am mainly interested in the @SecurityDomain import:

                    It was import org.jboss.annotation.security.SecurityDomain.

                    "jaikiran" wrote:

                    Can you post the entire exception stacktrace?


                    Here it is:

                    javax.el.ELException: /dataTest.xhtml @11,72 value="#{paymentService.activePayments}": Error reading 'activePayments' on type services.PaymentService
                     com.sun.facelets.el.TagValueExpression.getValue(TagValueExpression.java:76)
                     javax.faces.component.UIData.getValue(UIData.java:609)
                     javax.faces.component.UIData.getDataModel(UIData.java:1124)
                     javax.faces.component.UIData.setRowIndex(UIData.java:451)
                     com.sun.faces.renderkit.html_basic.TableRenderer.encodeBegin(TableRenderer.java:77)
                     javax.faces.component.UIComponentBase.encodeBegin(UIComponentBase.java:813)
                     javax.faces.component.UIData.encodeBegin(UIData.java:962)
                     javax.faces.component.UIComponent.encodeAll(UIComponent.java:928)
                     javax.faces.render.Renderer.encodeChildren(Renderer.java:148)
                     javax.faces.component.UIComponentBase.encodeChildren(UIComponentBase.java:837)
                     javax.faces.component.UIComponent.encodeAll(UIComponent.java:930)
                     javax.faces.component.UIComponent.encodeAll(UIComponent.java:933)
                     com.sun.facelets.FaceletViewHandler.renderView(FaceletViewHandler.java:592)
                     com.sun.faces.lifecycle.RenderResponsePhase.execute(RenderResponsePhase.java:110)
                     com.sun.faces.lifecycle.Phase.doPhase(Phase.java:100)
                     com.sun.faces.lifecycle.LifecycleImpl.render(LifecycleImpl.java:139)
                     javax.faces.webapp.FacesServlet.service(FacesServlet.java:266)
                     org.jboss.web.tomcat.filters.ReplyHeaderFilter.doFilter(ReplyHeaderFilter.java:96)
                    
                    root cause
                    
                    javax.ejb.EJBAccessException: Invalid User
                     org.jboss.ejb3.security.Ejb3AuthenticationInterceptorv2.invoke(Ejb3AuthenticationInterceptorv2.java:137)
                     org.jboss.aop.joinpoint.MethodInvocation.invokeNext(MethodInvocation.java:102)
                     org.jboss.ejb3.ENCPropagationInterceptor.invoke(ENCPropagationInterceptor.java:41)
                     org.jboss.aop.joinpoint.MethodInvocation.invokeNext(MethodInvocation.java:102)
                     org.jboss.ejb3.asynchronous.AsynchronousInterceptor.invoke(AsynchronousInterceptor.java:106)
                     org.jboss.aop.joinpoint.MethodInvocation.invokeNext(MethodInvocation.java:102)
                     org.jboss.ejb3.BlockContainerShutdownInterceptor.invoke(BlockContainerShutdownInterceptor.java:65)
                     org.jboss.aop.joinpoint.MethodInvocation.invokeNext(MethodInvocation.java:102)
                     org.jboss.aspects.currentinvocation.CurrentInvocationInterceptor.invoke(CurrentInvocationInterceptor.java:67)
                     org.jboss.aop.joinpoint.MethodInvocation.invokeNext(MethodInvocation.java:102)
                     org.jboss.ejb3.session.SessionSpecContainer.invoke(SessionSpecContainer.java:219)
                     org.jboss.ejb3.proxy.handler.ProxyInvocationHandlerBase.invoke(ProxyInvocationHandlerBase.java:261)
                     org.jboss.ejb3.proxy.handler.session.SessionSpecProxyInvocationHandlerBase.invoke(SessionSpecProxyInvocationHandlerBase.java:101)
                     $Proxy245.getActivePayments(Unknown Source)
                     services.PaymentService.getActivePayments(PaymentService.java:17)
                     sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
                     sun.reflect.NativeMethodAccessorImpl.invoke(Unknown Source)
                     sun.reflect.DelegatingMethodAccessorImpl.invoke(Unknown Source)
                     java.lang.reflect.Method.invoke(Unknown Source)
                     javax.el.BeanELResolver.getValue(BeanELResolver.java:62)
                     javax.el.CompositeELResolver.getValue(CompositeELResolver.java:53)
                     com.sun.faces.el.FacesCompositeELResolver.getValue(FacesCompositeELResolver.java:72)
                     org.apache.el.parser.AstValue.getValue(AstValue.java:118)
                     org.apache.el.ValueExpressionImpl.getValue(ValueExpressionImpl.java:186)
                     com.sun.facelets.el.TagValueExpression.getValue(TagValueExpression.java:71)
                     javax.faces.component.UIData.getValue(UIData.java:609)
                     javax.faces.component.UIData.getDataModel(UIData.java:1124)
                     javax.faces.component.UIData.setRowIndex(UIData.java:451)
                     com.sun.faces.renderkit.html_basic.TableRenderer.encodeBegin(TableRenderer.java:77)
                     javax.faces.component.UIComponentBase.encodeBegin(UIComponentBase.java:813)
                     javax.faces.component.UIData.encodeBegin(UIData.java:962)
                     javax.faces.component.UIComponent.encodeAll(UIComponent.java:928)
                     javax.faces.render.Renderer.encodeChildren(Renderer.java:148)
                     javax.faces.component.UIComponentBase.encodeChildren(UIComponentBase.java:837)
                     javax.faces.component.UIComponent.encodeAll(UIComponent.java:930)
                     javax.faces.component.UIComponent.encodeAll(UIComponent.java:933)
                     com.sun.facelets.FaceletViewHandler.renderView(FaceletViewHandler.java:592)
                     com.sun.faces.lifecycle.RenderResponsePhase.execute(RenderResponsePhase.java:110)
                     com.sun.faces.lifecycle.Phase.doPhase(Phase.java:100)
                     com.sun.faces.lifecycle.LifecycleImpl.render(LifecycleImpl.java:139)
                     javax.faces.webapp.FacesServlet.service(FacesServlet.java:266)
                     org.jboss.web.tomcat.filters.ReplyHeaderFilter.doFilter(ReplyHeaderFilter.java:96)
                    
                    


                    • 7. Re: JBoss 5 authentication / authorization problem
                      apph_

                      Ok guys, it works now. There problem is I don't really know what was wrong.
                      List of changes I've made:
                      - added DOCTYPE to jboss.xml as Wolfgang suggested (but this didn't seemed to solve the problem)
                      - changed SecurityDomain to use org.jboss.ejb3.annotation. But it also works now with org.jboss.annotation.security.SecurityDomain.
                      - moved toy-shop-users.properties and toy-shop-roles.properties files from props dir to WEB-INF

                      Anyway big thx for you Wolfgang and jaikiran for your help.