3 Replies Latest reply on Jan 18, 2006 11:22 AM by yantriki

    SecurityDomain with EJB3.0

      Hi,
      I am trying to write an application with the following characteristics:

      1. The Session Beans are secured using annotation @SecurityDomain("library")

      2. I have written a custom login module which derives from org.jboss.security.auth.spi.UsernamePasswordLoginModule. The login module sar is deployed with the following META-INF/jboss-service.xml configuration:

      <?xml version="1.0" encoding="UTF-8"?>
      <server>
        <mbean code="org.jboss.security.auth.login.DynamicLoginConfig"
               name="ejb3:service=LibraryJAASService">
          <attribute name="AuthConfig">login-config.xml</attribute>
          <depends optional-attribute-name="LoginConfigService">
            jboss.security:service=XMLLoginConfig
          </depends>
          <depends optional-attribute-name="SecurityManagerService">
            jboss.security:service=JaasSecurityManager
          </depends>
        </mbean>
      </server>
      


      The META-INF/login-config.xml file in the SAR is:
      <!--
       the file will go into SAR
      -->
      <application-policy name="library">
        <authentication>
          <login-module code="org.vss.security.auth.spi.VssLoginModule" flag="required"/>
        </authentication>
      </application-policy>
      


      I don't want to modify the default conf/login-config.xml to add my security domain module and am using the SAR file for it.

      3. The web application has the ClientLoginModule configured properly and is getting called.

      However when I try to access the Session Beans from my web-tier, it throws the following exception
      ERROR [UsersRolesLoginModule] Failed to load users/passwords/role files
      java.io.IOException: No properties file: users.properties or defaults: defaultUsers.properties found
      

      which points to the fact that the custom login module that I am trying to use is not being used for the EJB tier security.

      Can someone help me by pointing out what I should be doing to have my custom login module called (if possible without having to modify the $JBOSS_HOME/<>/conf/login-config.xml configuration file, and preferably using the SAR deployment to configure a new security domain)?



        • 1. Re: SecurityDomain with EJB3.0

          OK, I figured out that with the 4.0.3 JBoss server the jboss-service.xml defines a mechanism to define the application-policy in the SAR deployment XML file itself, which seems to be working for me.

          So now I get messages that the security is being implemented during deployment time. However I have two new issues:

          1. I am getting the following error during deployment time:

          [ServiceController] Problem creating service jboss.j2ee:service=EJB3,module=ejb3Test.par
          java.lang.SecurityException: Invalid authentication attempt, principal=null


          2. The LoginContext fails to initialize with "client-login" and says:
          creating login context failed: javax.security.auth.login.LoginException: No LoginModules configured for client-login


          • 2. Re: SecurityDomain with EJB3.0


            I fixed it with the following META-INF/jboss-service.xml configuration file:

            <?xml version="1.0" encoding="UTF-8"?>
            <server>
              <mbean code="org.jboss.security.auth.login.DynamicLoginConfig"
                     name="corview:service=CORViewJAASService">
                <attribute name="PolicyConfig" serialDataType="jbxb">
                  <jaas:policy
                      xsi:schemaLocation="urn:jboss:security-config:4.1 resource:security-config_4_1.xsd"
                      xmlns:jaas="urn:jboss:security-config:4.1"
                      xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
                      >
                    <jaas:application-policy name="corview">
                      <jaas:authentication>
                        <jaas:login-module code="org.vss.security.auth.spi.VssLoginModule"
                                           flag="required">
                          <jaas:module-option name="unauthenticatedIdentity">guest</jaas:module-option>
                        </jaas:login-module>
                      </jaas:authentication>
                    </jaas:application-policy>
                  </jaas:policy>
                </attribute>
                <depends optional-attribute-name="LoginConfigService">
                  jboss.security:service=XMLLoginConfig
                </depends>
                <depends optional-attribute-name="SecurityManagerService">
                  jboss.security:service=JaasSecurityManager
                </depends>
              </mbean>
              <mbean code="org.jboss.security.auth.login.DynamicLoginConfig"
                     name="corview:service=CORViewClientJAASService">
                <attribute name="AuthConfig">META-INF/clientlogin.properties</attribute>
                <depends optional-attribute-name="LoginConfigService">
                  jboss.security:service=XMLLoginConfig
                </depends>
                <depends optional-attribute-name="SecurityManagerService">
                  jboss.security:service=JaasSecurityManager
                </depends>
              </mbean>
            </server>


            Where the clientlogin.properties is the security policy file as described by SUN spec:
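
Added example, not part of the thread and not the poster's clientlogin.properties (whose contents do not appear on the page): it loads a constructed configuration in the Sun JAAS file syntax and resolves domain names the way `LoginContext` does, showing why an unregistered domain such as "library" ends up in the "other" entry and produces the `UsersRolesLoginModule` error from the first post. The `DomainLookup` class, the sample entries, and the assumption that "other" maps to `UsersRolesLoginModule` (as in the stock JBoss login-config.xml) are illustrative.

```java
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Path;
import java.security.URIParameter;
import javax.security.auth.login.AppConfigurationEntry;
import javax.security.auth.login.Configuration;

public class DomainLookup {
    // Constructed sample in the Sun JAAS configuration syntax (not the poster's file).
    static final String SAMPLE = String.join("\n",
        "corview {",
        "  org.vss.security.auth.spi.VssLoginModule required unauthenticatedIdentity=\"guest\";",
        "};",
        "client-login {",
        "  org.jboss.security.ClientLoginModule required;",
        "};",
        "other {",  // assumed to match the stock JBoss fallback policy
        "  org.jboss.security.auth.spi.UsersRolesLoginModule required;",
        "};");

    // Writes the text to a temp file and parses it with the JDK's file-based provider.
    static Configuration load(String text) throws Exception {
        Path file = Files.createTempFile("jaas", ".conf");
        Files.write(file, text.getBytes(StandardCharsets.UTF_8));
        file.toFile().deleteOnExit();
        return Configuration.getInstance("JavaLoginConfig", new URIParameter(file.toUri()));
    }

    // Mirrors LoginContext: a name with no entry falls back to the "other" entry,
    // and only if that is missing too does login fail with "No LoginModules configured".
    static String resolve(Configuration cfg, String domain) {
        AppConfigurationEntry[] entries = cfg.getAppConfigurationEntry(domain);
        String used = domain;
        if (entries == null) {
            used = "other";
            entries = cfg.getAppConfigurationEntry("other");
        }
        if (entries == null) {
            return domain + " -> No LoginModules configured for " + domain;
        }
        return domain + " -> [" + used + "] " + entries[0].getLoginModuleName();
    }

    public static void main(String[] args) throws Exception {
        Configuration cfg = load(SAMPLE);
        // "library" has no entry, so it silently resolves to the "other" policy.
        for (String d : new String[] {"corview", "client-login", "library"}) {
            System.out.println(resolve(cfg, d));
        }
    }
}
```

A domain that resolves to `[other]` in a check like this is being authenticated by the fallback module rather than the custom one, which is worth verifying after any login-config change.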


            • 3. Re: SecurityDomain with EJB3.0

              The Session Bean uses @SecurityDomain("corview")