5 Replies Latest reply on Oct 10, 2011 10:05 AM by grrd

    @RolesAllowed ignored?

    jjonphl

      I am using JBoss 4.2.1.GA. I have the following session bean:

      import java.io.Serializable;
      import javax.annotation.security.RolesAllowed;
      import javax.ejb.Remote;
      import javax.ejb.Stateless;

      @RolesAllowed({"authenticated"})
      @Stateless
      @Remote({AccountRDAO.class})
      public class AccountRDAOAction extends RDAOAction
              implements AccountRDAO, Serializable
      {
          ...
      }
      


      I defined the following policy in login-config.xml:

      <application-policy name="mypolicy">
        <authentication>
          <login-module code="org.jboss.security.auth.spi.DatabaseServerLoginModule"
                        flag="required">
            <module-option name="unauthenticatedIdentity">anonymous</module-option>
            <module-option name="dsJndiName">java:/itranscribe-ds</module-option>
            <module-option name="principalsQuery">select password from logins where username=?</module-option>
            <module-option name="rolesQuery">
              select 'authenticated' as Role, 'Roles' as RoleGroup where length(?) > 0
            </module-option>
          </login-module>
        </authentication>
      </application-policy>
      


      It is driving me nuts why I can still access the methods of the supposedly protected bean. I tried annotating the methods and still the same.

      Thanks,
      M. Manese

        • 1. Re: @RolesAllowed ignored?
          jaikiran

          Did you specify the security domain either as an annotation or in jboss.xml? You can do that either through an annotation:

          import java.io.Serializable;
          import javax.annotation.security.RolesAllowed;
          import javax.ejb.Remote;
          import javax.ejb.Stateless;
          import org.jboss.ejb3.annotation.SecurityDomain; // the EJB3 container's annotation, not org.jboss.security.annotation

          @SecurityDomain("mypolicy")
          @RolesAllowed({"authenticated"})
          @Stateless
          @Remote({AccountRDAO.class})
          public class AccountRDAOAction extends RDAOAction
                  implements AccountRDAO, Serializable


          or through jboss.xml:

          <jboss>
            <security-domain>mypolicy</security-domain>
          </jboss>


          • 2. Re: @RolesAllowed ignored?
            jjonphl

            Forgot to mention, but I did the latter.

            "jaikiran" wrote:
            Did you specify the security domain either as an annotation or in jboss.xml? You can do that either through an annotation:

            < snipped >

            <jboss>
              <security-domain>mypolicy</security-domain>
            </jboss>


            • 3. Re: @RolesAllowed ignored?
              jaikiran

              Can you get the TRACE level logs from the jboss security package? Follow the steps mentioned in Q4 at http://wiki.jboss.org/wiki/Wiki.jsp?page=SecurityFAQ and post the output here

              • 4. Re: @RolesAllowed ignored?
                bech

                Hi


                I had the exact same problem in JBoss AS 6, and it took me hours of frustration until I figured out what was wrong.

                In my solution I was using the @SecurityDomain annotation to add the authentication.


                My problem was that my import was wrong:


                I was using the @org.jboss.security.annotation.SecurityDomain annotation, and not the @org.jboss.ejb3.annotation.SecurityDomain.

                After I changed the import, my call to the bean failed with "Exception in thread "main" javax.ejb.EJBAccessException: Caller unauthorized", just like I wanted.


                I hope this can help others with the same stupid problem.

                • 5. Re: @RolesAllowed ignored?
                  grrd

                  Thanks a lot Peer, your solution saved at least my day after 4 wasted hours trying to figure out why nothing worked.
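The two failure modes in this thread, a bean with @RolesAllowed but no security domain declared anywhere (reply 1) and a @SecurityDomain imported from org.jboss.security.annotation instead of org.jboss.ejb3.annotation (reply 4), can both be caught by a source lint before the EAR is deployed. The script below is an added example, not code from the thread or from JBoss; the sample Java sources and jboss.xml fragment are constructed, and the function and pattern names are assumptions.

```python
"""Lint EJB3 bean sources for the security-domain mistakes discussed in this thread."""
import re

EJB3_SD = "org.jboss.ejb3.annotation.SecurityDomain"      # honoured by the EJB3 container
JAAS_SD = "org.jboss.security.annotation.SecurityDomain"  # wrong package: silently ignored

_IMPORT_RE = re.compile(r"^\s*import\s+([\w.]+)\.SecurityDomain\s*;", re.M)
_FQN_USE_RE = re.compile(r"@([\w.]+)\.SecurityDomain\s*\(")
_SD_USE_RE = re.compile(r"@SecurityDomain\s*\(")
_ROLES_RE = re.compile(r"@(?:javax\.annotation\.security\.)?RolesAllowed\s*\(")
_XML_SD_RE = re.compile(r"<security-domain>\s*\S+\s*</security-domain>")


def security_domain_packages(src):
    """Packages from which SecurityDomain is imported or referenced fully qualified."""
    pkgs = set(_IMPORT_RE.findall(src))
    pkgs.update(_FQN_USE_RE.findall(src))
    return pkgs


def audit_bean_source(src, jboss_xml=""):
    """Return findings for one bean source; an empty list means it looks correctly wired."""
    findings = []
    if not _ROLES_RE.search(src):
        return findings  # no role constraint declared, nothing for the container to enforce
    fqns = {p + ".SecurityDomain" for p in security_domain_packages(src)}
    uses_annotation = bool(_SD_USE_RE.search(src) or _FQN_USE_RE.search(src))
    if JAAS_SD in fqns:
        findings.append(f"@SecurityDomain resolves to {JAAS_SD}; the EJB3 container ignores it, use {EJB3_SD}")
    if uses_annotation and not fqns:
        findings.append("@SecurityDomain used without an import; check which package it resolves to")
    if not uses_annotation and not _XML_SD_RE.search(jboss_xml):
        findings.append("@RolesAllowed without a security domain (annotation or jboss.xml); roles cannot be enforced")
    return findings


# Constructed sample inputs (not the thread's real sources) covering the cases above.
WRONG_IMPORT = """import javax.annotation.security.RolesAllowed;
import org.jboss.security.annotation.SecurityDomain;
@SecurityDomain("mypolicy")
@RolesAllowed({"authenticated"})
public class AccountRDAOAction {}
"""
RIGHT_IMPORT = WRONG_IMPORT.replace("org.jboss.security.annotation", "org.jboss.ejb3.annotation")
NO_ANNOTATION = '@RolesAllowed({"authenticated"})\npublic class AccountRDAOAction {}\n'
JBOSS_XML = "<jboss><security-domain>mypolicy</security-domain></jboss>"

if __name__ == "__main__":
    for label, src, xml in [("wrong import", WRONG_IMPORT, ""), ("right import", RIGHT_IMPORT, ""),
                            ("jboss.xml only", NO_ANNOTATION, JBOSS_XML), ("no domain", NO_ANNOTATION, "")]:
        print(f"{label}: {audit_bean_source(src, xml) or 'ok'}")
```

Run it over every `*.java` file in the EJB jar together with its jboss.xml; a bean with no findings still needs the TRACE-level security logging from reply 3 to confirm the domain actually authenticates callers.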