5 Replies Latest reply on Oct 10, 2011 10:05 AM by grrd

    @RolesAllowed ignored?

    jjonphl
    jjonphl Sep 12, 2007 2:16 AM

      I am using jboss 4.2.1.GA. I have the ff session bean

      @RolesAllowed({"authenticated"})
@Stateless
@Remote({AccountRDAO.class})
public class AccountRDAOAction extends RDAOAction
 implements AccountRDAO, Serializable
{

...

}


      I defined the ff policy in login-config.xml: 

      <application-policy name="mypolicy">
 <authentication>
 <login-module code = "org.jboss.security.auth.spi.DatabaseServerLoginModule"
 flag = "required">
 <module-option name="unauthenticatedIdentity">anonymous</module-option>
 <module-option name = "dsJndiName">java:/itranscribe-ds</module-option>
 <module-option name = "principalsQuery">select password from logins where username=?</module-option>
 <module-option name = "rolesQuery">
 select 'authenticated' as Role, 'Roles' as RoleGroup where length(?) > 0
 </module-option>
 </login-module>

 </authentication>
 </application-policy>


      It is driving me nuts why I can still access the methods of the supposedly protected bean. I tried annotating the methods and still the same.

      Thanks,
      M. Manese

      • 11172 Views
      • Tags:
        • 1. Re: @RolesAllowed ignored?
          jaikiran
          jaikiran Sep 12, 2007 2:29 AM (in response to jjonphl)

          Did you specify the security domain either as a annotation or in the jboss.xml? You can do that either through an annotation

          @SecurityDomain("mypolicy")
@RolesAllowed({"authenticated"})
@Stateless
@Remote({AccountRDAO.class})
public class AccountRDAOAction extends RDAOAction
 implements AccountRDAO, Serializable


          or through jboss.xml: 

          <jboss>
 <security-domain>mypolicy</security-domain>

</jboss>


            • Actions
          • 2. Re: @RolesAllowed ignored?
            jjonphl
            jjonphl Sep 12, 2007 2:44 AM (in response to jjonphl)

            Forgot to mention, but I did the latter

            "jaikiran" wrote:
            Did you specify the security domain either as a annotation or in the jboss.xml? You can do that either through an annotation

            < snipped >

            <jboss>
 <security-domain>mypolicy</security-domain>

</jboss>


              • Actions
            • 3. Re: @RolesAllowed ignored?
              jaikiran
              jaikiran Sep 13, 2007 1:22 AM (in response to jjonphl)

              Can you get the TRACE level logs from the jboss security package? Follow the steps mentioned in Q4 at http://wiki.jboss.org/wiki/Wiki.jsp?page=SecurityFAQ and post the output here

                • Actions
              • 4. Re: @RolesAllowed ignored?
                bech
                bech Mar 13, 2011 1:18 PM (in response to jjonphl)

                Hi

                 

                I had the exact same problem in JBoss AS 6, and it took me hours of frustration until I figured out what was wrong.

                In my solution I was using the @SecurityDomain annotation to add the authentication.

                 

                My problem was that my import was wrong:

                 

                I was using the @org.jboss.security.annotation.SecurityDomain annotation, and not the @org.jboss.ejb3.annotation.SecurityDomain.

                After I changed the import, my call to the bean fail with "Exception in thread "main" javax.ejb.EJBAccessException: Caller unauthorized". Just like I wanted.

                 

                I hope this can help others with the same stupid problem.

                  • Actions
                • 5. Re: @RolesAllowed ignored?
                  grrd
                  grrd Oct 10, 2011 10:05 AM (in response to bech)

                  Thanks a lot Peer, your solution saved at least my day after 4 wasted hours trying to figure out why nothing worked.

                    • Actions