2 Replies Latest reply on Nov 19, 2009 6:16 AM by mwx.dennis

    Exclude EJB from global SecurityDomain?

      Hi everyone,

      In my EJB application I have defined a global security-domain in the jboss.xml file.

      I use a custom LoginModule which accesses my UserService EJB during the login process. My problem is that I get an infinite login loop, because when I access the UserService (which is in the global security-domain too) the LoginModule jumps in again to log in the user.

      I guess the solution would be to exclude the UserService from my global security domain. Is this possible at all?

      Any hints would be greatly appreciated.
      There is a similar issue here:
      http://www.jboss.org/index.html?module=bb&op=viewtopic&t=137896

      Regards,
      Dennis

        • 1. Re: Exclude EJB from global SecurityDomain?
          wolfgangknauf

          Hi Dennis,

          I don't know whether this is possible, but there are two things I would try:

          1) take a look at the "@PermitAll" annotation for the ejb methods (or the "unchecked" element in "ejb-jar.xml").
          2) There is a "@RunAs" annotation, but probably this also invokes your login module.

          Hope that one of them helps.

          Wolfgang

          • 2. Re: Exclude EJB from global SecurityDomain?

            Hi Wolfgang,

            Thanks for your hints. However, as you suspected, these settings still require previous authentication.

            I believe the best workaround would be to create a separate EJB module for the UserService so it can have a default security domain different from the one used in the rest of the application.

            The only other solution that comes to my mind is to completely remove the default security domain and use bean-level annotations. The risk of forgetting to add them to new beans is high, so I'll go for the two-module approach.

            Dennis
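
Added example, not part of the thread: a build-time check for the bean-level alternative mentioned in the last reply, which lists EJB classes that carry no security domain so that a forgotten annotation is caught before deployment. It assumes the bean-level annotation is JBoss's `@SecurityDomain` (the thread does not name it), one bean class per source file, and hypothetical class and domain names in the constructed samples.

```python
import re

# Heuristic source check; assumes one bean class per .java file.
COMMENTS = re.compile(r"/\*.*?\*/|//[^\n]*", re.DOTALL)
CLASS_DECL = re.compile(r"\bclass\s+(\w+)")
BEAN = re.compile(r"@(?:Stateless|Stateful|MessageDriven)\b")
# Assumed JBoss bean-level annotation, e.g. @SecurityDomain("app-domain")
DOMAIN = re.compile(r'@SecurityDomain\s*\(\s*(?:value\s*=\s*)?"([^"]+)"')


def audit_source(java_source):
    """Return (class_name, domain) for an EJB class, or None for non-beans.
    domain is None when no active @SecurityDomain annotation is present."""
    code = COMMENTS.sub("", java_source)  # ignore commented-out annotations
    decl = CLASS_DECL.search(code)
    if decl is None:
        return None
    header = code[:decl.start()]  # annotations precede the class keyword
    if not BEAN.search(header):
        return None
    dom = DOMAIN.search(header)
    return decl.group(1), dom.group(1) if dom else None


def unprotected_beans(sources, exempt=()):
    """sources maps path -> Java text; returns bean names lacking a domain."""
    missing = []
    for text in sources.values():
        result = audit_source(text)
        if result and result[1] is None and result[0] not in exempt:
            missing.append(result[0])
    return sorted(missing)


# Constructed samples, hypothetical names; UserServiceBean is the LoginModule's bean.
SAMPLE = {
    "OrderServiceBean.java": '@Stateless\n@SecurityDomain("app-domain")\n'
                             'public class OrderServiceBean {}',
    "ReportServiceBean.java": '@Stateless\n// @SecurityDomain("app-domain")\n'
                              'public class ReportServiceBean {}',
    "MailListenerBean.java": '@MessageDriven(activationConfig = {})\n'
                             'public class MailListenerBean {}',
    "UserServiceBean.java": '@Stateless\npublic class UserServiceBean {}',
    "OrderDto.java": 'public class OrderDto {}',
}

if __name__ == "__main__":
    for name in unprotected_beans(SAMPLE, exempt={"UserServiceBean"}):
        print("missing @SecurityDomain:", name)
```

The exempt list holds the beans that are deliberately left outside the domain, so every other unannotated bean fails the check.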