2 Replies Latest reply on May 28, 2009 10:18 AM by anonym54321

    unauthorized-principal not applied

      Hi...

      I'm quite new to JBoss and JEE and tried to realize a very simple webshop to become familiar with both topics. The application is an EAR, containing a WAR and an EJB-part.
      When I try to add security by adding the security-domain "java:jaas/webshop" to the WAR's jboss-web.xml and "webshop" to the EJB's jboss.xml[1] after defining the application-policy "webshop" in conf/login-config.xml, I can't call any (unprotected! no method-permission in ejb-jar.xml) EJBs anymore. If I try, I get a SecurityException, because the principal is null.
      I expected the principal for unauthenticated users to be equal to unauthenticated-principal in conf/standardjboss.xml, but it seems this is never applied.

      Can anybody explain to me how I can use this unauthenticated-principal, or how to access my (unprotected) EJBs without discarding the security-domain?

      Stefan (after hours of googling)


      [1]: Using "java:jaas/webshop" in jboss.xml causes a ClassCastException because "JaasSecurityManager cannot be cast to SecurityDomainContext". In https://jira.jboss.org/jira/browse/JBAS-4022 Erica Kane suggested leaving the prefix out.

        • 1. Re: unauthorized-principal not applied

          I forgot something: I have to use EJB 2.1, so I can't use these nice annotations.

          • 2. Re: unauthorized-principal not applied

            Ok, finally I managed to work around this issue. I just removed the security-context from the EJB's jboss.xml. Looks like just using the name of the application-policy as mentioned in [1] isn't the right way...

            But after this, I had a different (but possibly related?) problem. Instead of showing the login dialog, I get an IllegalStateException on the console complaining about "Authorization Manager is null".
            If I remove the security-context from the jboss-web.xml, the dialog appears, but I didn't find a way to specify the correct login configuration defined in conf/login-config.xml.

            A very basic example:
            WEB-INF/jboss-web.xml:

            <jboss-web>
              <security-domain>java:jaas/other</security-domain>
              <context-root>helloworld</context-root>
            </jboss-web>

            WEB-INF/web.xml:

            <web-app xmlns="http://java.sun.com/xml/ns/javaee"
                     xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
                     xmlns:web="http://java.sun.com/xml/ns/javaee/web-app_2_5.xsd"
                     xsi:schemaLocation="http://java.sun.com/xml/ns/javaee http://java.sun.com/xml/ns/javaee/web-app_2_5.xsd"
                     id="WebApp_ID" version="2.5">
              <display-name>HelloWorldWeb</display-name>
              <welcome-file-list>
                <welcome-file>index.jsp</welcome-file>
              </welcome-file-list>
              <security-constraint>
                <web-resource-collection>
                  <web-resource-name>Everything</web-resource-name>
                  <url-pattern>/*</url-pattern>
                </web-resource-collection>
                <auth-constraint>
                  <role-name>somebody</role-name>
                </auth-constraint>
              </security-constraint>
              <login-config>
                <auth-method>BASIC</auth-method>
                <realm-name>Some Realm</realm-name>
              </login-config>
              <security-role>
                <role-name>somebody</role-name>
              </security-role>
            </web-app>

            index.html:

            <html><body>Hello World</body></html>
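An added example, not taken from this thread, of the two pieces the posts above leave unconnected: an application-policy in conf/login-config.xml and the jboss-web.xml security-domain that has to name it, so that the BASIC login-config in web.xml is backed by a real login configuration and credential-less callers of unprotected EJBs get a named principal instead of null. The login module class, the properties-file user store, the file names and the principal name "anonymous" are assumptions for this example; the policy name "webshop" and the role "somebody" come from the thread, and the "java:/jaas/" prefix is the documented JBoss AS form for jboss-web.xml.

```xml
<!-- conf/login-config.xml: one application-policy, named "webshop" as in the
     thread. The login module and its options are assumptions for this example. -->
<application-policy name="webshop">
  <authentication>
    <login-module code="org.jboss.security.auth.spi.UsersRolesLoginModule"
                  flag="required">
      <!-- user=password and user=role,role files, loaded from the deployment
           classpath (constructed file names) -->
      <module-option name="usersProperties">webshop-users.properties</module-option>
      <module-option name="rolesProperties">webshop-roles.properties</module-option>
      <!-- Principal handed to callers that present no credentials at all.
           Without this option such a caller has a null principal, which is what
           an unprotected EJB call from an unauthenticated user runs into. The
           name "anonymous" is an assumption; pick one that no role file grants
           anything to, so the identity cannot pass an auth-constraint. -->
      <module-option name="unauthenticatedIdentity">anonymous</module-option>
    </login-module>
  </authentication>
</application-policy>

<!-- WEB-INF/jboss-web.xml: bind the WAR to that policy. The part after
     "java:/jaas/" must equal the application-policy name exactly; a name with
     no matching policy falls back to the "other" domain rather than failing
     loudly, which is worth checking when a login dialog never appears. -->
<jboss-web>
  <security-domain>java:/jaas/webshop</security-domain>
  <context-root>webshop</context-root>
</jboss-web>

<!-- Constructed sample user store for the policy above.
     webshop-users.properties:   alice=changeit
     webshop-roles.properties:   alice=somebody
     "somebody" is the role the thread's web.xml auth-constraint requires, so
     alice can pass the BASIC challenge while "anonymous" has no roles. -->
```

The module-option names and the login-module class are the ones shipped with JBoss AS 4/5; verify the option set against the login module actually configured in the deployment, since other modules (LDAP, database) expose different options.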