1 Reply Latest reply on Dec 24, 2010 3:05 PM by gvnsbt

    EJB authorization problem

    gvnsbt

      Hi,

      I'm new to jboss.

       

      I installed the version 5.1.0.GA on OS X  10.6.5.

       

      I read the documentation and I did the following tests:

      I have created one openldap instance tree for  users (authentication) and roles, I modified the login-config.xml where I added the reference to ldap server and in  web.xml of war application I defined the xml tag for authentication and authorization process.

       

      The servlet authentication and authorization process works fine.

      The servlet uses one EJB test where I added the authorization annotations (@SecurityDomain, @DenyAll, etc.).

       

      When the servlet call a EJB method, with for example a method with the @DenyAll annotation, the method is executed and the annotation not work.

       

      I tried to make the EAR file and JAR+WAR  files but I have same problem.

      Jboss ignores the authorization annotation in EJB.

      At compile time that I can find in log server is:

      2010-12-23 18:30:35,118 WARN  [org.jboss.annotation.factory.AnnotationCreator] (main) No ClassLoader provided, using TCCL: org.jboss.managed.api.annotation.ManagementComponent

       

       

       

       

      In <server>/conf/login-conf.xml I have:

      .....

      <policy>

      .......

       

       

      <application-policy name="ldapLogin">
              <authentication>
                              <login-module flag="required" code="org.jboss.security.auth.spi.LdapLoginModule">
                              <module-option name="java.naming.factory.initial"> com.sun.jndi.ldap.LdapCtxFactory</module-option>
                              <module-option name="java.naming.provider.url">ldap://192.168.82.100:389/</module-option>
                              <module-option name="java.naming.security.authentication">simple</module-option>
                              <module-option name="principalDNPrefix">uid=</module-option>
                              <module-option name="principalDNSuffix">,ou=Users,dc=gsbt,dc=it</module-option>
                              <module-option name="rolesCtxDN">ou=Roles,dc=gsbt,dc=it</module-option>
                              <module-option name="uidAttributeID">member</module-option>
                              <module-option name="matchOnUserDN">true</module-option>
                              <module-option name="roleAttributeID">cn</module-option>
                              <module-option name="roleAttributeIsDN">false </module-option>
                              <module-option name="allowEmptyPasswords">false</module-option>
                      </login-module>
              </authentication>
        </application-policy>

      <application-policy name="ldapLogin">

              <authentication>

                              <login-module flag="required" code="org.jboss.security.auth.spi.LdapLoginModule">

                              <module-option name="java.naming.factory.initial"> com.sun.jndi.ldap.LdapCtxFactory</module-option>

                              <module-option name="java.naming.provider.url">ldap://192.168.82.100:389/</module-option>

                              <module-option name="java.naming.security.authentication">simple</module-option>

                              <module-option name="principalDNPrefix">uid=</module-option>

                              <module-option name="principalDNSuffix">,ou=Users,dc=gsbt,dc=it</module-option>

                              <module-option name="rolesCtxDN">ou=Roles,dc=gsbt,dc=it</module-option>

                              <module-option name="uidAttributeID">member</module-option>

                              <module-option name="matchOnUserDN">true</module-option>

                              <module-option name="roleAttributeID">cn</module-option>

                              <module-option name="roleAttributeIsDN">false </module-option>

                              <module-option name="allowEmptyPasswords">false</module-option>

                      </login-module>

              </authentication>

        </application-policy>

      .....
      </policy>
      ....
      In jboss-web.xml file of my servlet project I have:

      <?xml version="1.0" encoding="UTF-8"?>

      <jboss-web>

        <security-domain>java:/jaas/ldapLogin</security-domain>

      </jboss-web>

      In web.xml file of my servlet project I have:

      <security-constraint>

         <web-resource-collection>

          <web-resource-name>Some Resource</web-resource-name>

          <url-pattern>/*</url-pattern>

          <http-method>GET</http-method>

          <http-method>POST</http-method>

      </web-resource-collection>

       

      <auth-constraint>

      <role-name>Admin</role-name>

       

      </auth-constraint>

       

      <user-data-constraint>

      <transport-guarantee> CONFIDENTIAL</transport-guarantee>

      </user-data-constraint>

      </security-constraint>

       

      <login-config>

      <auth-method>BASIC</auth-method>

      </login-config>

       

      <security-role>

      <role-name>Admin</role-name>

      </security-role>

       

      In EJB I have:

      .....

       

      @Stateless(mappedName="anagrafica")

      @SecurityDomain("ldaplogin")

       

      ........

       

       

       

      @DenyAll

        public players AddRecord(String surname, String name)

        {

      .....

       

      The EJB and Servlet are in separate project.

      Is possible that the EJB Project needs the jaas reference xml file?

       

      Kind Regards.

       

      GvnSbt

        • 1. Re: EJB authorization problem
          gvnsbt

          Resolved.

          The problem was the wrong reference package.

          I replaced the org.jboss.security.annotation.SecurityDomain with org.jboss.ejb3.annotation.SecurityDomain and now works fine.

           

          GvnSbt