4 Replies Latest reply on Jan 12, 2012 10:45 AM by jaikiran

    Should EJB security be working in 7.1CR1b?

    sfcoy

      I have an Arquillian test that performs a JAAS login, looks up the EJB and then executes the method. However, the security context does not seem to be propagated through to the EJB:

      {code}
          // Imports needed by this test method (the test class itself is the CallbackHandler passed as "this")
          import java.security.PrivilegedAction;
          import java.util.Set;

          import javax.security.auth.Subject;
          import javax.security.auth.login.LoginContext;
          import javax.security.auth.login.LoginException;

          import org.junit.Test;
          import static org.junit.Assert.assertTrue;

          @Test
          public void testProduceClientSecurityRoles() throws LoginException {
              // JAAS login against the "other" entry; the returned Subject carries the principals and roles
              LoginContext loginContext = new LoginContext("other", this);
              loginContext.login();

              // Look up and call the EJB with that Subject on the JDK access-control context
              assertTrue(Subject.doAs(loginContext.getSubject(), new PrivilegedAction<Set<SecurityRole>>() {

                  @Override
                  public Set<SecurityRole> run() {
                      ClientSecurityRolesProducer sut = lookupInJNDI("java:app/test/ClientSecurityRolesProducer");
                      return sut.produceClientSecurityRoles();
                  }

              }).contains(SecurityRole.USER));
          }
      {code}

       

      The EJB is a stateless no-interface bean and the invoked method looks like:

       

      {code}
          import java.security.AccessController;
          import java.util.Set;
          import javax.enterprise.inject.Produces;
          import javax.security.auth.Subject;

          @Produces
          @Client
          public Set<SecurityRole> produceClientSecurityRoles() {
              // Container view of the caller, taken from the EJB security context
              logger.info("Producing user roles for user " + sessionContext.getCallerPrincipal());
              // JDK view: the Subject that Subject.doAs() placed on the current AccessControlContext
              logger.info("Subject principals are: " + Subject.getSubject(AccessController.getContext()).getPrincipals());
              return SecurityRole.getUserRolesFrom(sessionContext);
          }
      {code}

       

      The JAAS login works great, but the log output I get is:

       

      {noformat}01:12:09,972 INFO  [com...ClientSecurityRolesProducer] ... Created
      01:12:09,976 INFO  [com...ClientSecurityRolesProducer] ... Producing user roles for user anonymous
      01:12:09,977 INFO  [com...ClientSecurityRolesProducer] ... Subject principals are: [testUser, CallerPrincipal(members:testUser), Roles(members:user,developer,administrator)]{noformat}

       

      Is this still on the TODO list or is something else wrong?

       

      Thanks

        • 1. Re: Should EJB security be working in 7.1CR1b?
          jaikiran

          This should be working, and I think we even have tests similar to this. The only thing that I can think of, looking at the code, is the "other" security domain you are using. What is it configured to?

          • 2. Re: Should EJB security be working in 7.1CR1b?
            sfcoy

            From standalone.xml:

            <security-domain name="other" cache-type="default">
               <authentication>
                  <login-module code="UsersRoles" flag="required"/>
               </authentication>
            </security-domain>

            It's the stock module that reads users.properties and roles.properties (from the application classpath).

            • 3. Re: Should EJB security be working in 7.1CR1b?
              sfcoy

              Referencing the security domain "other" above does not seem to work.

               

              Using clues I found in jboss-as-testsuite-integration-basic, I was able to get my test working correctly by building up a complete javax.security.auth.login.Configuration object to pass in when creating the LoginContext.

               

              Thanks for pointing me in the right direction.
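
              The approach described in this reply, as an added example that is not code from the thread or from the JBoss test suite: a javax.security.auth.login.Configuration built in code and handed straight to the four-argument LoginContext constructor, so the login no longer depends on the name "other" being resolvable from the test's JVM-wide JAAS configuration. Assumptions not taken from the thread: the login-module class names (org.jboss.security.auth.spi.UsersRolesLoginModule behind the "UsersRoles" code, and org.jboss.security.ClientLoginModule chained after it to attach the authenticated identity to the calling thread for the EJB invocation), the option keys, and the constructed test user and password. The log in the first post already shows why Subject.doAs alone is not enough: the Subject on the access-control context holds testUser while the container reports anonymous, so the two are not the same thing.

```java
import java.io.IOException;
import java.util.HashMap;
import java.util.Map;

import javax.security.auth.Subject;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.NameCallback;
import javax.security.auth.callback.PasswordCallback;
import javax.security.auth.callback.UnsupportedCallbackException;
import javax.security.auth.login.AppConfigurationEntry;
import javax.security.auth.login.AppConfigurationEntry.LoginModuleControlFlag;
import javax.security.auth.login.Configuration;
import javax.security.auth.login.LoginContext;
import javax.security.auth.login.LoginException;

/**
 * Added example (not from the thread): programmatic JAAS Configuration for a test login.
 * Login-module class names, option keys and credentials below are assumptions.
 */
public class ProgrammaticJaasLogin {

    // Assumption: standard JBoss/PicketBox class behind the "UsersRoles" login-module code
    static final String USERS_ROLES_LM = "org.jboss.security.auth.spi.UsersRolesLoginModule";
    // Assumption: client-side module that binds the authenticated principal to the calling thread
    static final String CLIENT_LM = "org.jboss.security.ClientLoginModule";

    // The name the Configuration answers to; it only has to match the name given to LoginContext below
    static final String APP_NAME = "other";

    static Configuration buildConfiguration() {
        return new Configuration() {
            @Override
            public AppConfigurationEntry[] getAppConfigurationEntry(String name) {
                if (!APP_NAME.equals(name)) {
                    return null; // unknown entry: LoginContext will fail with a LoginException
                }
                Map<String, String> usersRolesOpts = new HashMap<String, String>();
                // Same property files the stock module reads, here from the test classpath (assumed option keys)
                usersRolesOpts.put("usersProperties", "users.properties");
                usersRolesOpts.put("rolesProperties", "roles.properties");

                Map<String, String> clientOpts = new HashMap<String, String>();
                // Assumption: keep the identity association per-thread rather than JVM-wide
                clientOpts.put("multi-threaded", "true");

                return new AppConfigurationEntry[] {
                    new AppConfigurationEntry(USERS_ROLES_LM, LoginModuleControlFlag.REQUIRED, usersRolesOpts),
                    new AppConfigurationEntry(CLIENT_LM, LoginModuleControlFlag.REQUIRED, clientOpts),
                };
            }
        };
    }

    /** Answers the name and password callbacks that the login modules issue. */
    static CallbackHandler handlerFor(final String user, final char[] password) {
        return new CallbackHandler() {
            @Override
            public void handle(Callback[] callbacks) throws IOException, UnsupportedCallbackException {
                for (Callback cb : callbacks) {
                    if (cb instanceof NameCallback) {
                        ((NameCallback) cb).setName(user);
                    } else if (cb instanceof PasswordCallback) {
                        ((PasswordCallback) cb).setPassword(password);
                    } else {
                        throw new UnsupportedCallbackException(cb);
                    }
                }
            }
        };
    }

    /** Logs in with the in-code Configuration and returns the LoginContext so the caller can logout(). */
    static LoginContext login(String user, char[] password) throws LoginException {
        // Four-argument constructor: the Configuration is used directly, so no JAAS config file
        // or java.security.auth.login.config property has to define "other"
        LoginContext lc = new LoginContext(APP_NAME, null, handlerFor(user, password), buildConfiguration());
        lc.login();
        return lc;
    }

    public static void main(String[] args) throws LoginException {
        // Constructed credentials; they must exist in users.properties / roles.properties on the classpath
        LoginContext lc = login("testUser", "testPassword".toCharArray());
        try {
            Subject subject = lc.getSubject();
            System.out.println("Principals: " + subject.getPrincipals());
            // The EJB lookup and call that must see the caller identity goes here
        } finally {
            lc.logout(); // clear the thread association so it does not leak into the next test
        }
    }
}
```

              Always pair the login with a logout() in a finally block: a test that leaves the identity bound to the thread will make later tests in the same JVM appear to run as that user.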

              • 4. Re: Should EJB security be working in 7.1CR1b?
                jaikiran

                Stephen Coy wrote:

                 

                Referencing the security domain "other" above does not seem to work.

                 

                Yeah, I kind of thought that was the case. As I remember, at some point we set up "other" to use a DisabledLoginModule (intentionally) by default. However, the standalone.xml that you posted (even the one in CR1) seems to be different from what I thought it would be.