EJB authenticates again even after web layer authentication
devashish.bansal Aug 28, 2012 6:13 AM
I am relatively new to JBoss 7.1 and I have already tried to read a lot of docs and search the forums, but I couldn't find a direct answer to my "looks trivial" issue, and I cannot believe this feature is not present in JBoss:
Problem: After successful authentication against my LDAP login module in the web layer, when a secured EJB is called it calls LDAP again for authentication, and it does so for every EJB call!
Solution required: The security context should be piggybacked with some "principal already authenticated" token while being passed to the EJB layer.
Additional info: I have a custom login module and a custom user principal which work fine, and this custom principal is successfully passed on to the EJB with all data filled in, including roles, so I can check sessionContext.isCallerInRole("role1"). But the whole problem starts with @SecurityDomain("LDAP"). Without this annotation on the EJB, no security annotation like @RolesAllowed is honoured; it just allows any user to call the EJB. As soon as @SecurityDomain("LDAP") is applied at the EJB level, it tries to authenticate against the LDAP login module on the EJB lookup itself, and it does so on each EJB call, even without any @RolesAllowed in the EJB.
One possible solution is to have EJB interceptors everywhere and check sessionContext.isUserInRole("role1"), but that is not a clean and preferred way of securing EJBs.
This worked like a charm in WebLogic, and now porting to JBoss has this issue. Maybe others have a similar issue, but since I am using a custom login module I was able to debug and came to know that it gets called again and again!
Relevant code:
import java.util.List;
import javax.annotation.security.DeclareRoles;
import javax.annotation.security.RolesAllowed;
import org.jboss.ejb3.annotation.SecurityDomain; // JBoss-specific annotation, not javax

@SecurityDomain("LDAP")
@DeclareRoles({"abc"})
public class CustomerServiceBean implements CustomerService {
    @RolesAllowed({"abc"})
    public List<Customer> lookupCustomer(long foyer) {
        return null; // method body omitted in the original post
    }
}
JBoss standalone.xml stuff:
<subsystem xmlns="urn:jboss:domain:remoting:1.1">
    <connector name="remoting-connector" socket-binding="remoting" security-realm="ApplicationRealm"/>
</subsystem>
<security-domain name="LDAP">
    <authentication>
        <login-module code="com.foo.login.LDAPLoginModule" flag="required">
            <module-option name="principalClass" value="com.foo.login.LDAPUserPrincipal"/>
            <module-option name="java.naming.factory.initial" value="com.sun.jndi.ldap.LdapCtxFactory"/>
            <module-option name="java.naming.provider.url" value="ldaps://abc.de:636"/>
            <!-- some other settings -->
        </login-module>
    </authentication>
</security-domain>
jboss-ejb-client.properties:
remote.connectionprovider.create.options.org.xnio.Options.SSL_ENABLED=false
java.naming.factory.url.pkgs=org.jboss.ejb.client.naming
remote.connections=default
remote.connection.default.host=localhost
remote.connection.default.port=4447
remote.connection.default.connect.options.org.xnio.Options.SASL_POLICY_NOANONYMOUS=false
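One setting worth checking for the repeated LDAP round-trips described above is the JAAS authentication cache of the security domain, shown here as an added example (not from the original post) on the poster's own LDAP domain. It assumes JBoss AS 7.1's cache-type attribute on security-domain and that the repeated EJB calls present the same principal and credential; whether the custom login module is still invoked per call can be confirmed with the same debugging the poster already did.

```xml
<!-- Constructed example: the security domain from the post with the
     authentication cache enabled. With cache-type="default" the container
     keeps the Subject produced by a successful login, keyed by principal and
     validated against the presented credential, so a caller that has already
     passed the login module is served from the cache on later EJB calls
     instead of triggering a new bind against ldaps://abc.de:636. A changed
     credential or an unknown principal still goes through the login module. -->
<security-domain name="LDAP" cache-type="default">
    <authentication>
        <login-module code="com.foo.login.LDAPLoginModule" flag="required">
            <module-option name="principalClass" value="com.foo.login.LDAPUserPrincipal"/>
            <module-option name="java.naming.factory.initial" value="com.sun.jndi.ldap.LdapCtxFactory"/>
            <module-option name="java.naming.provider.url" value="ldaps://abc.de:636"/>
            <!-- some other settings -->
        </login-module>
    </authentication>
</security-domain>
```

The cache holds authenticated subjects in memory, so a cached entry outlives a password change in LDAP until it is evicted or flushed; that trade-off should be weighed against the per-call LDAP load the post describes.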