@Service + @Management + @SecurityDomain throws Authorization
sappenin Jan 11, 2008 11:35 PM

I have a secured EJB3 @Service bean as follows:

    @Service
    @Management(MyClassInterfaceManagement.class)
    @Local(MyClassInterface.class)
    @SecurityDomain("myrealm")
    @RolesAllowed( { "admin", "system" })
    @RunAs("system")
    public class MyClass implements MyClassInterface, MyClassInterfaceManagement
    {
        ...
    }

I have the proper things set up in my login-conf.xml file, but when I deploy this class, I get an exception stating:

    21:11:05,887 WARN [ServiceController] Problem creating service jboss.j2ee:ear=MyEar.ear,jar=MyJar.jar,name=MyClass,service=EJB3,type=ManagementInterface
    javax.ejb.EJBAccessException: Authorization failure
        at org.jboss.ejb3.security.RoleBasedAuthorizationInterceptor.invoke(RoleBasedAuthorizationInterceptor.java:113)

What's weird is that I can comment out the "@SecurityDomain("mydomain")" annotation, and I don't receive the exception when I start the server, and everything works fine. This seems like a bug, although I'm not sure. Any idea what is going on?
My assumption is that by commenting out the @SecurityDomain annotation, the Management/Service is defaulting to the security domain specified in my jboss-app.xml file in my ear, which says:

    <jboss-app>
        <security-domain>myrealm</security-domain>
        .....
    </jboss-app>

The applicable login-conf.xml snippets are below. Thoughts?

    <application-policy name = "myrealm">
        <authentication>
            <login-module code="org.jboss.security.auth.spi.DatabaseServerLoginModule" flag = "required">
                <module-option name = "dsJndiName">java:/myDS</module-option>
                <module-option name = "principalsQuery">select PASSWORD from SYSTEM_USER where USER_ID=?</module-option>
                <module-option name = "rolesQuery">
                    select SYSTEM_USER_ROLE.ROLE_NAME, 'Roles'
                    from SYSTEM_USER_ROLE, SYSTEM_USER_SYSTEM_USER_ROLE, SYSTEM_USER
                    where ((SYSTEM_USER_SYSTEM_USER_ROLE.ROLES_ID = SYSTEM_USER_ROLE.ID)
                        and (SYSTEM_USER_SYSTEM_USER_ROLE.USERS_ID = SYSTEM_USER.ID)
                        AND (SYSTEM_USER.USER_ID = ?))
                </module-option>
                <module-option name = "unauthenticatedIdentity">guest</module-option>
            </login-module>
            <!-- Add this line to your login-config.xml to include the ClientLoginModule propagation -->
            <login-module code="org.jboss.security.ClientLoginModule" flag="required" />
        </authentication>
    </application-policy>

    <application-policy name = "other">
        <authentication>
            <login-module code="org.jboss.security.auth.spi.DatabaseServerLoginModule" flag = "required">
                <module-option name = "dsJndiName">java:/myDS</module-option>
                <module-option name = "principalsQuery">select PASSWORD from SYSTEM_USER where USER_ID=?</module-option>
                <module-option name = "rolesQuery">
                    select SYSTEM_USER_ROLE.ROLE_NAME, 'Roles'
                    from SYSTEM_USER_ROLE, SYSTEM_USER_SYSTEM_USER_ROLE, SYSTEM_USER
                    where ((SYSTEM_USER_SYSTEM_USER_ROLE.ROLES_ID = SYSTEM_USER_ROLE.ID)
                        and (SYSTEM_USER_SYSTEM_USER_ROLE.USERS_ID = SYSTEM_USER.ID)
                        AND (SYSTEM_USER.USER_ID = ?))
                </module-option>
                <module-option name = "unauthenticatedIdentity">guest</module-option>
            </login-module>
        </authentication>
    </application-policy>