"Marcos_APS" wrote:
Yes. My EJBs are secured. I'm using EJB3, JPA 1.0, JSF 1.2. Yes, I'm using jboss.xml.
Jaikiran, look at the first post when I started this discussion. Almost all my files (including jboss.xml) are there.
I did check your first post, but it doesn't have the jboss.xml :)
It's been a long time since I last tried my sample application to access a secure bean. I decided to give it a try with EJB3 beans:
import javax.annotation.security.RolesAllowed;
import javax.ejb.Local;
import javax.ejb.Remote;
import javax.ejb.Stateless;

import org.apache.log4j.Logger; // JBoss 4.2 ships log4j; Logger.getLogger(Class) matches that API
import org.jboss.annotation.ejb.RemoteBinding;
import org.jboss.annotation.security.SecurityDomain;

@Stateless
@Remote( { UserManagerRemote.class })
@Local (UserManagerLocal.class)
@RemoteBinding(jndiBinding = "RemoteUserManagerBean")
@SecurityDomain (value="other") // resolves to java:/jaas/other, i.e. the "other" application-policy in login-config.xml
public class UserManagerBean implements UserManagerLocal, UserManagerRemote {
    /**
     * Instance of logger
     */
    private static Logger logger = Logger.getLogger(UserManagerBean.class);

    public UserManagerBean() {
        System.out.println("Default constructor of UserManagerBean " + this);
    }

    // Only a caller whose authenticated Subject carries the "admin" role gets past the
    // RoleBasedAuthorizationInterceptor; everyone else gets EJBAccessException
    @RolesAllowed (value="admin")
    public User getUser(long id) {
        System.out.println("Bean method successfully called");
        User user = null;
        // do something: look up the User with the given id
        return user;
    }
}
I decided to use annotations (@SecurityDomain and @RolesAllowed) to secure the bean. Using jboss.xml is an alternative.
The method getUser is allowed to be accessed only by users belonging to the "admin" role. The security-domain "other" is configured in login-config.xml to use a users.properties and a roles.properties for authentication and authorization:
<application-policy name = "other">
<!-- A simple server login module, which can be used when the number
of users is relatively small. It uses two properties files:
users.properties, which holds users (key) and their password (value).
roles.properties, which holds users (key) and a comma-separated list of
their roles (value).
The unauthenticatedIdentity property defines the name of the principal
that will be used when a null username and password are presented as is
the case for an unauthenticated web client or MDB. If you want to
allow such users to be authenticated add the property, e.g.,
unauthenticatedIdentity="nobody"
-->
<authentication>
<login-module code = "org.jboss.security.auth.spi.UsersRolesLoginModule"
flag = "required" />
</authentication>
</application-policy>
These are my users.properties and roles.properties in the EAR:
users.properties:
jaikiran=jaikiran
dummy=dummy
roles.properties:
jaikiran=admin
dummy=normaluser
The client uses the org.jboss.security.ClientLoginModule as mentioned in the blog. Now let's try with various user/password combinations and see what happens:
1) Incorrect user name and password:
String userName = "notanuser";
String password = "notanuser";
MyCallbackHandler handler = new MyCallbackHandler(userName, password);
// "someXYZLogin" is the application name in the client's JAAS login configuration (auth.conf)
LoginContext lc = new LoginContext("someXYZLogin", handler);
lc.login(); // succeeds for any credentials: ClientLoginModule only stores them for the next invocation
System.out.println("Successfully logged in user: " + userName);
Context ctx = new InitialContext();
UserManagerRemote userManager = (UserManagerRemote) ctx.lookup("RemoteUserManagerBean");
System.out.println("Got the usermanager bean");
User user = userManager.getUser((long) 1); // the server authenticates and authorizes on this call
The lc.login succeeds on the client side and the non-existent "notanuser" is logged in. However, when the call to userManager.getUser is made, another round of authentication (and authorization) is done on the server side, this time with the "other" login module which is configured on the bean. At this point the login fails and an AuthenticationException is thrown:
2008-07-05 15:49:35,199 TRACE [WorkerThread#0[223.1.1.128:1681]] [org.jboss.security.plugins.JaasSecurityManager.other] Begin isValid, principal:notanuser, cache info: null
2008-07-05 15:49:35,199 TRACE [WorkerThread#0[223.1.1.128:1681]] [org.jboss.security.plugins.JaasSecurityManager.other] defaultLogin, principal=notanuser
2008-07-05 15:49:35,199 TRACE [WorkerThread#0[223.1.1.128:1681]] [org.jboss.security.auth.login.XMLLoginConfigImpl] Begin getAppConfigurationEntry(other), size=8
2008-07-05 15:49:35,199 TRACE [WorkerThread#0[223.1.1.128:1681]] [org.jboss.security.auth.login.XMLLoginConfigImpl] End getAppConfigurationEntry(other), authInfo=AppConfigurationEntry[]:
[0]
LoginModule Class: org.jboss.security.auth.spi.UsersRolesLoginModule
ControlFlag: LoginModuleControlFlag: required
Options:
2008-07-05 15:49:35,199 TRACE [WorkerThread#0[223.1.1.128:1681]] [org.jboss.security.auth.spi.UsersRolesLoginModule] initialize, instance=@4020218
2008-07-05 15:49:35,199 TRACE [WorkerThread#0[223.1.1.128:1681]] [org.jboss.security.auth.spi.UsersRolesLoginModule] Security domain: other
2008-07-05 15:49:35,199 TRACE [WorkerThread#0[223.1.1.128:1681]] [org.jboss.security.auth.spi.UsersRolesLoginModule] findResource: file:/D:/JBoss-4.2.2/jboss-4.2.2.GA/server/jaikiran/deploy/EJB3Persistence.ear/users.properties
2008-07-05 15:49:35,199 TRACE [WorkerThread#0[223.1.1.128:1681]] [org.jboss.security.auth.spi.UsersRolesLoginModule] Properties file=file:/D:/JBoss-4.2.2/jboss-4.2.2.GA/server/jaikiran/deploy/EJB3Persistence.ear/users.properties, defaults=null
2008-07-05 15:49:35,215 DEBUG [WorkerThread#0[223.1.1.128:1681]] [org.jboss.security.auth.spi.UsersRolesLoginModule] Loaded properties, users=[dummy, jaikiran]
2008-07-05 15:49:35,215 TRACE [WorkerThread#0[223.1.1.128:1681]] [org.jboss.security.auth.spi.UsersRolesLoginModule] findResource: file:/D:/JBoss-4.2.2/jboss-4.2.2.GA/server/jaikiran/deploy/EJB3Persistence.ear/roles.properties
2008-07-05 15:49:35,215 TRACE [WorkerThread#0[223.1.1.128:1681]] [org.jboss.security.auth.spi.UsersRolesLoginModule] Properties file=file:/D:/JBoss-4.2.2/jboss-4.2.2.GA/server/jaikiran/deploy/EJB3Persistence.ear/roles.properties, defaults=null
2008-07-05 15:49:35,215 DEBUG [WorkerThread#0[223.1.1.128:1681]] [org.jboss.security.auth.spi.UsersRolesLoginModule] Loaded properties, users=[dummy, jaikiran]
2008-07-05 15:49:35,215 TRACE [WorkerThread#0[223.1.1.128:1681]] [org.jboss.security.auth.spi.UsersRolesLoginModule] login
2008-07-05 15:49:35,215 DEBUG [WorkerThread#0[223.1.1.128:1681]] [org.jboss.security.auth.spi.UsersRolesLoginModule] Bad password for username=notanuser
2008-07-05 15:49:35,215 TRACE [WorkerThread#0[223.1.1.128:1681]] [org.jboss.security.auth.spi.UsersRolesLoginModule] abort
2008-07-05 15:49:35,215 TRACE [WorkerThread#0[223.1.1.128:1681]] [org.jboss.security.plugins.JaasSecurityManager.other] Login failure
javax.security.auth.login.FailedLoginException: Password Incorrect/Password Required
at org.jboss.security.auth.spi.UsernamePasswordLoginModule.login(UsernamePasswordLoginModule.java:213)
at org.jboss.security.auth.spi.UsersRolesLoginModule.login(UsersRolesLoginModule.java:152)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
at java.lang.reflect.Method.invoke(Method.java:585)
at javax.security.auth.login.LoginContext.invoke(LoginContext.java:769)
at javax.security.auth.login.LoginContext.access$000(LoginContext.java:186)
at javax.security.auth.login.LoginContext$4.run(LoginContext.java:683)
at java.security.AccessController.doPrivileged(Native Method)
at javax.security.auth.login.LoginContext.invokePriv(LoginContext.java:680)
at javax.security.auth.login.LoginContext.login(LoginContext.java:579)
at org.jboss.security.plugins.JaasSecurityManager.defaultLogin(JaasSecurityManager.java:603)
at org.jboss.security.plugins.JaasSecurityManager.authenticate(JaasSecurityManager.java:537)
at org.jboss.security.plugins.JaasSecurityManager.isValid(JaasSecurityManager.java:344)
at org.jboss.aspects.security.AuthenticationInterceptor.authenticate(AuthenticationInterceptor.java:123)
at org.jboss.aspects.security.AuthenticationInterceptor.invoke(AuthenticationInterceptor.java:66)
at org.jboss.ejb3.security.Ejb3AuthenticationInterceptor.invoke(Ejb3AuthenticationInterceptor.java:110)
at org.jboss.aop.joinpoint.MethodInvocation.invokeNext(MethodInvocation.java:101)
at org.jboss.ejb3.ENCPropagationInterceptor.invoke(ENCPropagationInterceptor.java:46)
at org.jboss.aop.joinpoint.MethodInvocation.invokeNext(MethodInvocation.java:101)
at org.jboss.ejb3.asynchronous.AsynchronousInterceptor.invoke(AsynchronousInterceptor.java:106)
at org.jboss.aop.joinpoint.MethodInvocation.invokeNext(MethodInvocation.java:101)
at org.jboss.ejb3.stateless.StatelessContainer.dynamicInvoke(StatelessContainer.java:304)
at org.jboss.aop.Dispatcher.invoke(Dispatcher.java:106)
at org.jboss.aspects.remoting.AOPRemotingInvocationHandler.invoke(AOPRemotingInvocationHandler.java:82)
at org.jboss.remoting.ServerInvoker.invoke(ServerInvoker.java:769)
at org.jboss.remoting.transport.socket.ServerThread.processInvocation(ServerThread.java:573)
at org.jboss.remoting.transport.socket.ServerThread.dorun(ServerThread.java:373)
at org.jboss.remoting.transport.socket.ServerThread.run(ServerThread.java:166)
2008-07-05 15:49:35,215 TRACE [WorkerThread#0[223.1.1.128:1681]] [org.jboss.security.plugins.JaasSecurityManager.other] End isValid, false
2008-07-05 15:49:35,215 DEBUG [WorkerThread#0[223.1.1.128:1681]] [org.jboss.ejb3.security.Ejb3AuthenticationInterceptor] Authentication failure
javax.security.auth.login.FailedLoginException: Password Incorrect/Password Required
at org.jboss.security.auth.spi.UsernamePasswordLoginModule.login(UsernamePasswordLoginModule.java:213)
at org.jboss.security.auth.spi.UsersRolesLoginModule.login(UsersRolesLoginModule.java:152)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
at java.lang.reflect.Method.invoke(Method.java:585)
at javax.security.auth.login.LoginContext.invoke(LoginContext.java:769)
at javax.security.auth.login.LoginContext.access$000(LoginContext.java:186)
at javax.security.auth.login.LoginContext$4.run(LoginContext.java:683)
at java.security.AccessController.doPrivileged(Native Method)
at javax.security.auth.login.LoginContext.invokePriv(LoginContext.java:680)
at javax.security.auth.login.LoginContext.login(LoginContext.java:579)
at org.jboss.security.plugins.JaasSecurityManager.defaultLogin(JaasSecurityManager.java:603)
at org.jboss.security.plugins.JaasSecurityManager.authenticate(JaasSecurityManager.java:537)
at org.jboss.security.plugins.JaasSecurityManager.isValid(JaasSecurityManager.java:344)
at org.jboss.aspects.security.AuthenticationInterceptor.authenticate(AuthenticationInterceptor.java:123)
at org.jboss.aspects.security.AuthenticationInterceptor.invoke(AuthenticationInterceptor.java:66)
at org.jboss.ejb3.security.Ejb3AuthenticationInterceptor.invoke(Ejb3AuthenticationInterceptor.java:110)
at org.jboss.aop.joinpoint.MethodInvocation.invokeNext(MethodInvocation.java:101)
at org.jboss.ejb3.ENCPropagationInterceptor.invoke(ENCPropagationInterceptor.java:46)
at org.jboss.aop.joinpoint.MethodInvocation.invokeNext(MethodInvocation.java:101)
at org.jboss.ejb3.asynchronous.AsynchronousInterceptor.invoke(AsynchronousInterceptor.java:106)
at org.jboss.aop.joinpoint.MethodInvocation.invokeNext(MethodInvocation.java:101)
at org.jboss.ejb3.stateless.StatelessContainer.dynamicInvoke(StatelessContainer.java:304)
at org.jboss.aop.Dispatcher.invoke(Dispatcher.java:106)
at org.jboss.aspects.remoting.AOPRemotingInvocationHandler.invoke(AOPRemotingInvocationHandler.java:82)
at org.jboss.remoting.ServerInvoker.invoke(ServerInvoker.java:769)
at org.jboss.remoting.transport.socket.ServerThread.processInvocation(ServerThread.java:573)
at org.jboss.remoting.transport.socket.ServerThread.dorun(ServerThread.java:373)
at org.jboss.remoting.transport.socket.ServerThread.run(ServerThread.java:166)
2008-07-05 15:49:35,215 TRACE [WorkerThread#0[223.1.1.128:1681]] [org.jboss.remoting.transport.socket.ServerThread] SocketServerInvoker[223.1.1.128:3873].invoke() call failed
javax.ejb.EJBAccessException: Authentication failure
at org.jboss.ejb3.security.Ejb3AuthenticationInterceptor.handleGeneralSecurityException(Ejb3AuthenticationInterceptor.java:68)
at org.jboss.aspects.security.AuthenticationInterceptor.invoke(AuthenticationInterceptor.java:70)
at org.jboss.ejb3.security.Ejb3AuthenticationInterceptor.invoke(Ejb3AuthenticationInterceptor.java:110)
at org.jboss.aop.joinpoint.MethodInvocation.invokeNext(MethodInvocation.java:101)
at org.jboss.ejb3.ENCPropagationInterceptor.invoke(ENCPropagationInterceptor.java:46)
2) Let's now try with an existing user, but one who does not have rights to access the bean method. Again the login succeeds on the client side and the user/password information is passed on to the server while accessing the bean method. Another round of authentication starts on the server when the method is accessed. The login succeeds on the server side too, because the user/password are existing valid ones. However, since the user does not have rights to access the method, an AuthorizationException is thrown:
2008-07-05 15:50:51,140 TRACE [WorkerThread#0[223.1.1.128:1687]] [org.jboss.security.plugins.JaasSecurityManager.other] Begin isValid, principal:dummy, cache info: null
2008-07-05 15:50:51,140 TRACE [WorkerThread#0[223.1.1.128:1687]] [org.jboss.security.plugins.JaasSecurityManager.other] defaultLogin, principal=dummy
2008-07-05 15:50:51,140 TRACE [WorkerThread#0[223.1.1.128:1687]] [org.jboss.security.auth.login.XMLLoginConfigImpl] Begin getAppConfigurationEntry(other), size=8
2008-07-05 15:50:51,140 TRACE [WorkerThread#0[223.1.1.128:1687]] [org.jboss.security.auth.login.XMLLoginConfigImpl] End getAppConfigurationEntry(other), authInfo=AppConfigurationEntry[]:
[0]
LoginModule Class: org.jboss.security.auth.spi.UsersRolesLoginModule
ControlFlag: LoginModuleControlFlag: required
Options:
2008-07-05 15:50:51,140 TRACE [WorkerThread#0[223.1.1.128:1687]] [org.jboss.security.auth.spi.UsersRolesLoginModule] initialize, instance=@7641571
2008-07-05 15:50:51,140 TRACE [WorkerThread#0[223.1.1.128:1687]] [org.jboss.security.auth.spi.UsersRolesLoginModule] Security domain: other
2008-07-05 15:50:51,140 TRACE [WorkerThread#0[223.1.1.128:1687]] [org.jboss.security.auth.spi.UsersRolesLoginModule] findResource: file:/D:/JBoss-4.2.2/jboss-4.2.2.GA/server/jaikiran/deploy/EJB3Persistence.ear/users.properties
2008-07-05 15:50:51,140 TRACE [WorkerThread#0[223.1.1.128:1687]] [org.jboss.security.auth.spi.UsersRolesLoginModule] Properties file=file:/D:/JBoss-4.2.2/jboss-4.2.2.GA/server/jaikiran/deploy/EJB3Persistence.ear/users.properties, defaults=null
2008-07-05 15:50:51,140 DEBUG [WorkerThread#0[223.1.1.128:1687]] [org.jboss.security.auth.spi.UsersRolesLoginModule] Loaded properties, users=[dummy, jaikiran]
2008-07-05 15:50:51,140 TRACE [WorkerThread#0[223.1.1.128:1687]] [org.jboss.security.auth.spi.UsersRolesLoginModule] findResource: file:/D:/JBoss-4.2.2/jboss-4.2.2.GA/server/jaikiran/deploy/EJB3Persistence.ear/roles.properties
2008-07-05 15:50:51,140 TRACE [WorkerThread#0[223.1.1.128:1687]] [org.jboss.security.auth.spi.UsersRolesLoginModule] Properties file=file:/D:/JBoss-4.2.2/jboss-4.2.2.GA/server/jaikiran/deploy/EJB3Persistence.ear/roles.properties, defaults=null
2008-07-05 15:50:51,140 DEBUG [WorkerThread#0[223.1.1.128:1687]] [org.jboss.security.auth.spi.UsersRolesLoginModule] Loaded properties, users=[dummy, jaikiran]
2008-07-05 15:50:51,140 TRACE [WorkerThread#0[223.1.1.128:1687]] [org.jboss.security.auth.spi.UsersRolesLoginModule] login
2008-07-05 15:50:51,140 TRACE [WorkerThread#0[223.1.1.128:1687]] [org.jboss.security.auth.spi.UsersRolesLoginModule] User 'dummy' authenticated, loginOk=true
2008-07-05 15:50:51,140 TRACE [WorkerThread#0[223.1.1.128:1687]] [org.jboss.security.auth.spi.UsersRolesLoginModule] commit, loginOk=true
2008-07-05 15:50:51,140 TRACE [WorkerThread#0[223.1.1.128:1687]] [org.jboss.security.auth.spi.UsersRolesLoginModule] Checking user: jaikiran, roles string: admin
2008-07-05 15:50:51,140 TRACE [WorkerThread#0[223.1.1.128:1687]] [org.jboss.security.auth.spi.UsersRolesLoginModule] Checking user: dummy, roles string: normaluser
2008-07-05 15:50:51,140 TRACE [WorkerThread#0[223.1.1.128:1687]] [org.jboss.security.auth.spi.UsersRolesLoginModule] Adding to Roles: normaluser
2008-07-05 15:50:51,140 TRACE [WorkerThread#0[223.1.1.128:1687]] [org.jboss.security.plugins.JaasSecurityManager.other] defaultLogin, lc=javax.security.auth.login.LoginContext@650be6, subject=Subject(32516939).principals=org.jboss.security.SimplePrincipal@14335210(dummy)org.jboss.security.SimpleGroup@32038290(Roles(members:normaluser))
2008-07-05 15:50:51,155 TRACE [WorkerThread#0[223.1.1.128:1687]] [org.jboss.security.plugins.JaasSecurityManager.other] updateCache, inputSubject=Subject(32516939).principals=org.jboss.security.SimplePrincipal@14335210(dummy)org.jboss.security.SimpleGroup@32038290(Roles(members:normaluser)), cacheSubject=Subject(11160568).principals=org.jboss.security.SimplePrincipal@14335210(dummy)org.jboss.security.SimpleGroup@32038290(Roles(members:normaluser))
2008-07-05 15:50:51,155 TRACE [WorkerThread#0[223.1.1.128:1687]] [org.jboss.security.plugins.JaasSecurityManager.other] Inserted cache info: org.jboss.security.plugins.JaasSecurityManager$DomainInfo@61b548[Subject(11160568).principals=org.jboss.security.SimplePrincipal@14335210(dummy)org.jboss.security.SimpleGroup@32038290(Roles(members:normaluser)),credential.class=[C@9519074,expirationTime=1215255040046]
2008-07-05 15:50:51,155 TRACE [WorkerThread#0[223.1.1.128:1687]] [org.jboss.security.plugins.JaasSecurityManager.other] End isValid, true
2008-07-05 15:50:51,155 TRACE [WorkerThread#0[223.1.1.128:1687]] [org.jboss.security.SecurityAssociation] pushSubjectContext, subject=Subject:
Principal: dummy
Principal: Roles(members:normaluser)
, sc=org.jboss.security.SecurityAssociation$SubjectContext@16d7e89{principal=dummy,subject=26119032}
2008-07-05 15:50:51,155 TRACE [WorkerThread#0[223.1.1.128:1687]] [org.jboss.security.SecurityAssociation] getPrincipal, principal=dummy
2008-07-05 15:50:51,155 TRACE [WorkerThread#0[223.1.1.128:1687]] [org.jboss.security.SecurityAssociation] getSubject, sc=org.jboss.security.SecurityAssociation$SubjectContext@16d7e89{principal=dummy,subject=26119032}
2008-07-05 15:50:51,155 TRACE [WorkerThread#0[223.1.1.128:1687]] [org.jboss.security.plugins.JaasSecurityManager.other] doesUserHaveRole(Set), subject: Subject:
Principal: dummy
Principal: Roles(members:normaluser)
2008-07-05 15:50:51,155 TRACE [WorkerThread#0[223.1.1.128:1687]] [org.jboss.security.plugins.JaasSecurityManager.other] roles=Roles(members:normaluser)
2008-07-05 15:50:51,155 TRACE [WorkerThread#0[223.1.1.128:1687]] [org.jboss.security.plugins.JaasSecurityManager.other] hasRole(admin)=false
2008-07-05 15:50:51,155 TRACE [WorkerThread#0[223.1.1.128:1687]] [org.jboss.security.plugins.JaasSecurityManager.other] hasRole=false
2008-07-05 15:50:51,155 TRACE [WorkerThread#0[223.1.1.128:1687]] [org.jboss.security.SecurityAssociation] getSubject, sc=org.jboss.security.SecurityAssociation$SubjectContext@16d7e89{principal=dummy,subject=26119032}
2008-07-05 15:50:51,155 TRACE [WorkerThread#0[223.1.1.128:1687]] [org.jboss.security.plugins.JaasSecurityManager.other] getUserRoles, subject: Subject:
Principal: dummy
Principal: Roles(members:normaluser)
2008-07-05 15:50:51,155 ERROR [WorkerThread#0[223.1.1.128:1687]] [org.jboss.ejb3.security.RoleBasedAuthorizationInterceptor] Insufficient permissions, principal=dummy, requiredRoles=[admin], principalRoles=[normaluser]
2008-07-05 15:50:51,155 DEBUG [WorkerThread#0[223.1.1.128:1687]] [org.jboss.ejb3.security.RoleBasedAuthorizationInterceptor] Authorization failure
java.lang.SecurityException: Insufficient permissions, principal=dummy, requiredRoles=[admin], principalRoles=[normaluser]
at org.jboss.aspects.security.RoleBasedAuthorizationInterceptor.invoke(RoleBasedAuthorizationInterceptor.java:149)
at org.jboss.ejb3.security.RoleBasedAuthorizationInterceptor.invoke(RoleBasedAuthorizationInterceptor.java:115)
at org.jboss.aop.joinpoint.MethodInvocation.invokeNext(MethodInvocation.java:101)
at org.jboss.aspects.security.AuthenticationInterceptor.invoke(AuthenticationInterceptor.java:77)
at org.jboss.ejb3.security.Ejb3AuthenticationInterceptor.invoke(Ejb3AuthenticationInterceptor.java:110)
at org.jboss.aop.joinpoint.MethodInvocation.invokeNext(MethodInvocation.java:101)
at org.jboss.ejb3.ENCPropagationInterceptor.invoke(ENCPropagationInterceptor.java:46)
at org.jboss.aop.joinpoint.MethodInvocation.invokeNext(MethodInvocation.java:101)
at org.jboss.ejb3.asynchronous.AsynchronousInterceptor.invoke(AsynchronousInterceptor.java:106)
at org.jboss.aop.joinpoint.MethodInvocation.invokeNext(MethodInvocation.java:101)
at org.jboss.ejb3.stateless.StatelessContainer.dynamicInvoke(StatelessContainer.java:304)
at org.jboss.aop.Dispatcher.invoke(Dispatcher.java:106)
at org.jboss.aspects.remoting.AOPRemotingInvocationHandler.invoke(AOPRemotingInvocationHandler.java:82)
at org.jboss.remoting.ServerInvoker.invoke(ServerInvoker.java:769)
at org.jboss.remoting.transport.socket.ServerThread.processInvocation(ServerThread.java:573)
at org.jboss.remoting.transport.socket.ServerThread.dorun(ServerThread.java:373)
at org.jboss.remoting.transport.socket.ServerThread.run(ServerThread.java:166)
2008-07-05 15:50:51,155 TRACE [WorkerThread#0[223.1.1.128:1687]] [org.jboss.security.SecurityAssociation] popSubjectContext, sc=org.jboss.security.SecurityAssociation$SubjectContext@16d7e89{principal=dummy,subject=26119032}
2008-07-05 15:50:51,155 TRACE [WorkerThread#0[223.1.1.128:1687]] [org.jboss.security.SecurityAssociation] setPrincipal, p=null, server=true
2008-07-05 15:50:51,155 TRACE [WorkerThread#0[223.1.1.128:1687]] [org.jboss.security.SecurityAssociation] setPrincipal, sc=org.jboss.security.SecurityAssociation$SubjectContext@e7ef68{principal=null,subject=null}
2008-07-05 15:50:51,155 TRACE [WorkerThread#0[223.1.1.128:1687]] [org.jboss.security.SecurityAssociation] setCredential, sc=org.jboss.security.SecurityAssociation$SubjectContext@e7ef68{principal=null,subject=null}
2008-07-05 15:50:51,171 TRACE [WorkerThread#0[223.1.1.128:1687]] [org.jboss.remoting.transport.socket.ServerThread] SocketServerInvoker[223.1.1.128:3873].invoke() call failed
javax.ejb.EJBAccessException: Authorization failure
at org.jboss.ejb3.security.RoleBasedAuthorizationInterceptor.invoke(RoleBasedAuthorizationInterceptor.java:120)
at org.jboss.aop.joinpoint.MethodInvocation.invokeNext(MethodInvocation.java:101)
3) Now let's try with an existing username with the correct password and with sufficient rights to access the method. The login on the client side succeeds and the user/password info is passed on to the server when the bean method is invoked. Another round of authentication is done on the server and it too passes. Then an authorization check is done. And since the user has sufficient rights, the bean method is successfully called:
15:51:28,141 INFO [STDOUT] Bean method successfully called
"Marcos_APS" wrote:
Now I'm able to login 'normally' using loginContext.login() . But JBoss is now accepting any user I pass in and I suppose this is really not a good thing at the point of security.
As explained above, the org.jboss.security.ClientLoginModule login module is just used as a carrier for passing on the username/password to the server. The login will succeed even with an invalid user with this module on the client side. However at the server, another round of authentication is done. The login module that gets used on the server side is the one that you have configured in the jboss.xml (or through annotations) for the EJBs, and only valid, authorized users will be allowed to access the method.
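The three attempts described in the post, driven from one standalone client. This is an added example and not code from the original post or from JBoss; it assumes a JAAS configuration file auth.conf (shown in the leading comment) that maps the application name "someXYZLogin" to org.jboss.security.ClientLoginModule, a JBoss 4.2 server on localhost with the default JNP port 1099 (the provider URL is an assumption), and the bean, users and roles from the post. The post never shows MyCallbackHandler, so a minimal implementation is included here; the class name SecuredBeanClient and the helper attempt() are hypothetical.

```java
// auth.conf, referenced with -Djava.security.auth.login.config=auth.conf on the client JVM:
//
//   someXYZLogin {
//       org.jboss.security.ClientLoginModule required;
//   };
//
import java.io.IOException;
import java.util.Properties;

import javax.ejb.EJBAccessException;
import javax.naming.Context;
import javax.naming.InitialContext;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.NameCallback;
import javax.security.auth.callback.PasswordCallback;
import javax.security.auth.callback.UnsupportedCallbackException;
import javax.security.auth.login.LoginContext;

public class SecuredBeanClient {

    /** Hands the username and password to the login module; the post calls this MyCallbackHandler. */
    static class MyCallbackHandler implements CallbackHandler {
        private final String user;
        private final char[] password;

        MyCallbackHandler(String user, String password) {
            this.user = user;
            this.password = password.toCharArray();
        }

        public void handle(Callback[] callbacks) throws IOException, UnsupportedCallbackException {
            for (Callback cb : callbacks) {
                if (cb instanceof NameCallback) {
                    ((NameCallback) cb).setName(user);
                } else if (cb instanceof PasswordCallback) {
                    ((PasswordCallback) cb).setPassword(password);
                } else {
                    throw new UnsupportedCallbackException(cb);
                }
            }
        }
    }

    /**
     * One attempt: the client-side "login" (which never fails with ClientLoginModule, it only
     * stores the credentials for the next invocation), then the secured remote call, where the
     * server's "other" domain does the real authentication and the role check.
     */
    static String attempt(String user, String password) throws Exception {
        LoginContext lc = new LoginContext("someXYZLogin", new MyCallbackHandler(user, password));
        lc.login();
        try {
            Properties env = new Properties();
            env.put(Context.INITIAL_CONTEXT_FACTORY, "org.jnp.interfaces.NamingContextFactory");
            env.put(Context.URL_PKG_PREFIXES, "org.jboss.naming:org.jnp.interfaces");
            env.put(Context.PROVIDER_URL, "jnp://localhost:1099"); // assumed server location
            Context ctx = new InitialContext(env);
            UserManagerRemote userManager = (UserManagerRemote) ctx.lookup("RemoteUserManagerBean");
            User u = userManager.getUser(1L); // authentication + authorization happen on this call
            return "OK";
        } catch (EJBAccessException e) {
            // "Authentication failure" for an unknown user or wrong password,
            // "Authorization failure" for a valid user who lacks the "admin" role
            return e.getMessage();
        } finally {
            lc.logout(); // drop the client-side credentials before the next attempt
        }
    }

    public static void main(String[] args) throws Exception {
        System.out.println("notanuser -> " + attempt("notanuser", "notanuser")); // Authentication failure
        System.out.println("dummy     -> " + attempt("dummy", "dummy"));         // Authorization failure
        System.out.println("jaikiran  -> " + attempt("jaikiran", "jaikiran"));   // OK
    }
}
```

Running all three cases back to back is a cheap check that the server, not the client, is the enforcement point: the first two lines must report the two EJBAccessException messages seen in the server logs above and only the third may reach the bean. Note that lc.login() never contacts the server, so the credentials are carried across the network inside each EJB invocation; the logs show the plain socket transport on port 3873, and if that is what the deployment uses, the password crosses the wire unencrypted, so use the sslsocket transport or otherwise protect the link.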