Yet another JBoss 5.1/EJB3 security question
mandelbr0t Oct 12, 2011 4:39 PM
I've been all over the web looking for an answer to this question. JBoss 5.1 seems to be outright ignoring the application policy I have defined in login-config.xml. The EJB is secured correctly, but it is using the wrong login mechanism.
login-config.xml:
<application-policy name="mine">
    <login-module code="org.jboss.security.auth.spi.DatabaseServerLoginModule" flag="required">
        <module-option name="dsJndiName">java:/MyDS</module-option>
        <module-option name="principalsQuery">
            SELECT passwordHash FROM account WHERE email = ?
        </module-option>
        <module-option name="rolesQuery">
            SELECT roleName, 'Roles' FROM account_roles WHERE email = ?
        </module-option>
        <module-option name="hashAlgorithm">MD5</module-option>
        <module-option name="hashEncoding">BASE64</module-option>
        <module-option name="unauthenticatedIdentity">guest</module-option>
    </login-module>
</application-policy>
The associated EJB Session bean:
import org.jboss.ejb3.annotations.SecurityDomain; // yes, I am using the correct annotation

@Stateless
@RemoteBinding(jndiName="mine/AccountHome/remote")
@SecurityDomain("mine")
@DeclareRoles({"admin", "member"})
@RolesAllowed({"admin"})
public class AccountHome implements AccountHomeRemote {
    ...
    @PermitAll
    public boolean changePassword(Account a, String oldPass, String newPass) {
        ...
    }
}
However, when I try to deploy the EAR containing this EJB JAR, I get the following exception:
ERROR [UsersRolesLoginModule] Failed to load users/passwords/role files
java.io.IOException: No properties file: users.properties or defaults: defaultUsers.properties found
at org.jboss.security.auth.spi.Util.loadProperties(Util.java:198)
at org.jboss.security.auth.spi.UsersRolesLoginModule.loadUsers(UsersRolesLoginModule.java:186)
at org.jboss.security.auth.spi.UsersRolesLoginModule.createUsers(UsersRolesLoginModule.java:200)
at org.jboss.security.auth.spi.UsersRolesLoginModule.initialize(UsersRolesLoginModule.java:127)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(Unknown Source)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(Unknown Source)
at java.lang.reflect.Method.invoke(Unknown Source)
at javax.security.auth.login.LoginContext.invoke(Unknown Source)
...
Why is JBoss trying to load the UsersRolesLoginModule when I have specifically stated that I want to use DatabaseServerLoginModule?
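
A configuration check related to the question above, added here as an example and not part of the original post: it reports which login modules a security domain would end up with, flagging `login-module` elements that sit outside the `<authentication>` wrapper used by the documented login-config.xml layout, and weak `hashAlgorithm` values. The fallback to a policy named `other`, the `<policy>` root and the sample `other` entry are assumptions made for the example.

```python
import xml.etree.ElementTree as ET

WEAK_HASHES = {"MD5", "SHA-1", "SHA1"}  # fast unsalted digests, poor for passwords

# Constructed sample. "mine" mirrors the layout in the post; "other" is an
# assumed stock fallback policy, not taken from the post.
SAMPLE = """<policy>
  <application-policy name="mine">
    <login-module code="org.jboss.security.auth.spi.DatabaseServerLoginModule" flag="required">
      <module-option name="hashAlgorithm">MD5</module-option>
    </login-module>
  </application-policy>
  <application-policy name="other">
    <authentication>
      <login-module code="org.jboss.security.auth.spi.UsersRolesLoginModule" flag="required"/>
    </authentication>
  </application-policy>
</policy>"""

def short(module):
    """Class name of a login-module element without its package."""
    return module.get("code", "?").rsplit(".", 1)[-1]

def audit(xml_text, domain):
    """Return (login modules expected to run for `domain`, list of findings)."""
    policies = {p.get("name"): p for p in ET.fromstring(xml_text).iter("application-policy")}
    findings, modules = [], []
    policy = policies.get(domain)
    if policy is None:
        findings.append(f"no application-policy named '{domain}'")
    else:
        modules = policy.findall("authentication/login-module")
        stray = policy.findall("login-module")  # direct children, outside <authentication>
        for m in stray:
            findings.append(f"{domain}: {short(m)} is not inside <authentication>")
        for m in modules + stray:
            for opt in m.findall("module-option[@name='hashAlgorithm']"):
                if (opt.text or "").strip().upper() in WEAK_HASHES:
                    findings.append(f"{domain}: {short(m)} uses weak hashAlgorithm {opt.text.strip()}")
    # Assumption: a domain with no usable modules is served by the "other" policy.
    if not modules and domain != "other" and "other" in policies:
        modules = policies["other"].findall("authentication/login-module")
        findings.append(f"{domain}: falls back to 'other' ({', '.join(map(short, modules))})")
    return [short(m) for m in modules], findings

if __name__ == "__main__":
    effective, problems = audit(SAMPLE, "mine")
    print("effective modules:", effective)
    for p in problems:
        print(" -", p)
```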