1. Re: ejb not validating user role at session bean methods + J
wolfgangknauf Oct 21, 2009 4:38 AM (in response to akhilachuthan)
Hi,
do you have "@RolesAllowed" annotations on your bean class? Post the snippets of bean declarations and the relevant XML file parts.
You might activate logging of the security layer (see sticky post "FAQ", question 4) to check whether your login config is working as expected.
Best regards
Wolfgang
2. Re: ejb not validating user role at session bean methods + J
akhilachuthan Oct 21, 2009 7:13 AM (in response to akhilachuthan)
I configured my log4j with the details, but did not receive any log of concern.
---------------------------------------------------------------------------------
My login-config.xml snippet is given below
<application-policy name = "SecurityPolicy">
  <login-module code = "org.jboss.security.ClientLoginModule" flag = "required">
    <module-option name="unauthenticatedIdentity">defaultuser</module-option>
    <!-- Any existing security context will be restored on logout -->
    <module-option name="restore-login-identity">true</module-option>
  </login-module>
  <login-module code="com.temp.component.security.LoginCheck" flag = "required">
    <module-option name="unauthenticatedIdentity">defaultuser</module-option>
    <!-- Any existing security context will be restored on logout -->
    <module-option name="restore-login-identity">true</module-option>
  </login-module>
</application-policy>
---------------------------------------------------------------------------------
content of the jboss.xml within my ear
<security-domain>java:/jaas/SecurityPolicy</security-domain>
---------------------------------------------------------------------------------
content of the jboss-web.xml in the war file within my ear
<jboss-web>
  <security-domain flushOnSessionInvalidation="true">java:/jaas/SecurityPolicy</security-domain>
</jboss-web>
---------------------------------------------------------------------------------
I have defined the role as @RolesAllowed("WRONG_ROLE__FOR_FAILURE") for my EJB session bean method. There is no such role, but still I can access the method.
3. Re: ejb not validating user role at session bean methods + J
akhilachuthan Oct 22, 2009 8:08 AM (in response to akhilachuthan)
Got it.. my mistake....
There was no jboss.xml within the ejb's META-INF. Instead I had placed it in the META-INF of the containing ear file...
Now.. my application uses only a single security domain for all the EJBs and I have a multi jar setup within the ear. Is there any way by which I can define something at the ear level to avoid having a similar jboss.xml in all my ejb jars?
4. Re: ejb not validating user role at session bean methods + J
wolfgangknauf Oct 22, 2009 10:45 AM (in response to akhilachuthan)
Hi,
JBoss 5 allows this by adding a "jboss-app.xml" to META-INF of your EAR:
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE jboss-app PUBLIC "-//JBoss//DTD J2EE Application 5.0//EN" "http://www.jboss.org/j2ee/dtd/jboss-app_5_0.dtd">
<jboss-app>
  <security-domain>mysecuritydomain</security-domain>
</jboss-app>
Best regards
Wolfgang
5. Re: ejb not validating user role at session bean methods + J
akhilachuthan Oct 26, 2009 2:53 AM (in response to akhilachuthan)
That works great....
Thanks Wolfgang
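
A packaging check for the problem resolved in this thread, as an added example that is not code from any of the posters or from JBoss: it reports, for each jar in an EAR, the security domain it ends up with from its own META-INF/jboss.xml or from an EAR-level META-INF/jboss-app.xml, and flags a jboss.xml left in the EAR's own META-INF. It assumes the EJB modules are the jars at the EAR root; the jar names and the sample archive are constructed.

```python
import io
import zipfile
import xml.etree.ElementTree as ET

# Constructed descriptor using the security domain quoted in the thread.
JBOSS_XML = b"<jboss><security-domain>java:/jaas/SecurityPolicy</security-domain></jboss>"


def make_zip(entries):
    """Build an in-memory archive from {entry name: bytes} (constructed test data)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in entries.items():
            zf.writestr(name, data)
    return buf.getvalue()


def security_domain(zf, name):
    """Return the non-empty <security-domain> text in zip entry `name`, else None."""
    if name not in zf.namelist():
        return None
    try:
        root = ET.fromstring(zf.read(name))
    except ET.ParseError:
        return None
    for el in root.iter():
        # Compare the local tag name so namespaced descriptors also match.
        if el.tag.rsplit("}", 1)[-1] == "security-domain" and (el.text or "").strip():
            return el.text.strip()
    return None


def audit_ear(ear_bytes):
    """Return ({jar: effective domain or None}, True if the EAR holds a misplaced jboss.xml)."""
    domains = {}
    with zipfile.ZipFile(io.BytesIO(ear_bytes)) as ear:
        ear_domain = security_domain(ear, "META-INF/jboss-app.xml")
        misplaced = "META-INF/jboss.xml" in ear.namelist()
        for name in ear.namelist():
            if "/" in name or not name.endswith(".jar"):
                continue  # assumption: EJB modules are the jars at the EAR root
            with zipfile.ZipFile(io.BytesIO(ear.read(name))) as jar:
                own = security_domain(jar, "META-INF/jboss.xml")
            domains[name] = own or ear_domain
    return domains, misplaced


# Constructed EAR: jboss.xml sits in the EAR's META-INF; only users-ejb.jar has its own.
BROKEN_EAR = make_zip({"META-INF/jboss.xml": JBOSS_XML,
                       "orders-ejb.jar": make_zip({"META-INF/MANIFEST.MF": b""}),
                       "users-ejb.jar": make_zip({"META-INF/jboss.xml": JBOSS_XML})})
```

A jar reported with `None` has no security domain from either descriptor, which is the packaging state in which the `@RolesAllowed` check in this thread did not reject the call.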