11 Replies Latest reply on Sep 12, 2012 5:56 AM by robbatt

@javax.annotation.security.RolesAllowed on EJBs does not work

herb Jan 20, 2012 11:06 AM

I don't know what I'm doing wrong - I need some help:

I like to use declarative role check on EJBs with @RolesAllowed

I've a simple war, with security enabled (I startet with following example https://community.jboss.org/wiki/JBossAS7SecurityCustomLoginModules).

Facelets, JSPs and servlets are protected, request.isUserInRole() works fine.

Then, I wrote an EJB (within the war) - injected the EJB in a servlet - called an EJBs method in the war - all works fine.

Then, I added @RolesAllowed with a role the authenticated user does not have, but the method is also successfully called.

EJBContext getCallerPrincipal returns the correct (authenticated) principal, and isCallerInRole() works fine, but not RolesAllowed

(I also tried to put @SecurityDomain(value = "form-auth") in the EJB - but nothing changed)

(I'm runng 7.1.0CR1b)

Thanks

1. Re: @javax.annotation.security.RolesAllowed on EJBs does not work

anil.saldhana Jan 20, 2012 2:19 PM (in response to herb)

http://docs.oracle.com/javaee/6/api/javax/annotation/security/RolesAllowed.html

It basically defines the roles that a particular method can access. So your intent is correct.

We may have a bug. Can you ensure that something like @RolesAllowed("BAD") fails?
1 of 1 people found this helpful
Actions
2. Re: @javax.annotation.security.RolesAllowed on EJBs does not work

herb Jan 20, 2012 3:29 PM (in response to anil.saldhana)
I tried @RolesAllowed("BAD") and also @DenyAll does not work as expected (methods are invoked).

I added my simple test.war. Due to I'm a JBoss beginner, maybe I'm missing some basic stuff.

Here's the security-domain part of standalone.xml, which is referenced in the war:

<security-domain name="formauth" cache-type="default">
    <authentication>
    <login-module code="UsersRoles" flag="required">
        <module-option name="usersProperties" value="defaultUsers.properties"/>
        <module-option name="rolesProperties" value="defaultRoles.properties"/>
    </login-module>
    </authentication>
</security-domain>

Thanks, herb

test.war 4.0 KB
Actions
3. Re: @javax.annotation.security.RolesAllowed on EJBs does not work

sfcoy Jan 22, 2012 1:24 AM (in response to herb)

You may also want to have a look at @RolesAllowed, @DenyAll require presence of org.jboss.ejb3.annotation.SecurityDomain?
1 of 1 people found this helpful
Actions

4. Re: @javax.annotation.security.RolesAllowed on EJBs does not work

swd847 Jan 24, 2012 12:09 AM (in response to sfcoy)

Security is not being used as your ejb's are not associated with a security domain.

You need something like this in jboss-ejb3.xml:

<?xml version="1.0"?>  
<jboss:ejb-jar xmlns:jboss="http://www.jboss.com/xml/ns/javaee"
                  xmlns="http://java.sun.com/xml/ns/javaee"
                  xmlns:s="urn:security"
                  xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
                  xsi:schemaLocation="http://www.jboss.com/xml/ns/javaee http://www.jboss.org/j2ee/schema/jboss-ejb3-2_0.xsd
                     http://java.sun.com/xml/ns/javaee http://java.sun.com/xml/ns/javaee/ejb-jar_3_1.xsd"
                  version="3.1"
                  impl-version="2.0">
  <assembly-descriptor>
    <s:security>
      <ejb-name>*</ejb-name>
      <s:security-domain>other</s:security-domain>
    </s:security>
  </assembly-descriptor>

</jboss:ejb-jar>

5. Re: @javax.annotation.security.RolesAllowed on EJBs does not work

herb Jan 24, 2012 5:29 AM (in response to swd847)

Thank you for your answer! - I put jboss-ejb3.xml (with above content) to WEB-INF folder and it works as expected!!

But shouldn't do "@SecurityDomain" (at EJB level) the same as jboss-ejb3.xml (as also mentioned in https://community.jboss.org/thread/177728)?
Actions
6. Re: @javax.annotation.security.RolesAllowed on EJBs does not work

wolfc Jan 24, 2012 9:04 AM (in response to swd847)

How about a warning or just install a DenyAllInterceptor if @RolesAllowed or @DenyAll is present, but @SecurityDomain is not?
Actions
7. Re: @javax.annotation.security.RolesAllowed on EJBs does not work

rzd Jan 24, 2012 9:22 AM (in response to wolfc)

+1 for a DenyAllInterceptor!
Actions
8. Re: @javax.annotation.security.RolesAllowed on EJBs does not work

jaikiran Jan 26, 2012 2:38 AM (in response to herb)

herb wrote:

But shouldn't do "@SecurityDomain" (at EJB level) the same as jboss-ejb3.xml (as also mentioned in https://community.jboss.org/thread/177728)?
Like I expected, you are using the wrong annotation:
import org.jboss.security.annotation.SecurityDomain;

@Stateless
@SecurityDomain(value = "formauth")
public class Ejb
You should be using @org.jboss.ejb3.annotation.SecurityDomain
Actions
9. Re: @javax.annotation.security.RolesAllowed on EJBs does not work

herb Jan 26, 2012 9:34 AM (in response to jaikiran)

Eclipse JBoss tools adds only org.jboss.security.annotation.SecurityDomain to classpath (and not org.jboss.ejb3.annotation.SecurityDomain) so I did not realize that there will be two JBoss SecurityDomain annotations...

Now it's running!

Many thanks!!
Actions
10. Re: @javax.annotation.security.RolesAllowed on EJBs does not work

devashish.bansal Aug 29, 2012 11:54 AM (in response to herb)

But putting @SecurityDomain(value = "formauth") results in re-authentication at EJB layer even if user principal is already authenticated at web layer. And it happens on each EJB call again and again!
Is this a desired behavior on Jboss because this doesn't happen on weblogic.
Actions
11. Re: @javax.annotation.security.RolesAllowed on EJBs does not work

robbatt Sep 12, 2012 5:56 AM (in response to devashish.bansal)

would you guys have a look at my post http://community.jboss.org/message/759064

I tried to get that stuff working in a simple .war but it seems that is not possible, can you verify that a full ear + war + ejb.jar setup required for this to work?
Actions

Go to original post