1 Reply Latest reply on Aug 29, 2012 4:45 AM by devashish.bansal

    EJB authenticates again even after web layer authentication

    devashish.bansal

      I am relatively new to JBoss 7.1, and I have already tried to read a lot of docs and search the forums but couldn't find a direct answer to my "looks trivial" issue, and I cannot believe this feature is not present in JBoss:

      Problem: After successful authentication against my LDAP login module in the web layer, when a secured EJB is called it calls LDAP again for authentication, and it does so for every EJB call!

      Solution required: The security context should be piggybacked with some "principal already authenticated" token while being passed to the EJB layer.

      Additional info: I have a custom login module and a custom user principal which work fine, and this custom principal is successfully passed on to the EJB with all data filled in, including roles, so I can check sessionContext.isCallerInRole("role1"); but the whole problem starts with @SecurityDomain("LDAP"). Without this annotation on the EJB no security annotation like @RolesAllowed is honoured; it just allows any user to call the EJB. As soon as @SecurityDomain("LDAP") is applied at the EJB level, on the EJB lookup itself it tries to authenticate against the LDAP login module, and it does so on each EJB call, even without any @RolesAllowed on the EJB.

      One possible solution is to have EJB interceptors everywhere and check sessionContext.isCallerInRole("role1"), but that's not a clean or preferred way of securing EJBs.

      This worked like a charm in WebLogic, and now porting to JBoss has this issue. Maybe others have a similar issue, but since I am using a custom login module I was able to debug and came to know that it gets called again and again!

      Relevant code:

      import java.util.Collections;
      import java.util.List;
      import javax.annotation.security.DeclareRoles;
      import javax.annotation.security.RolesAllowed;
      import javax.ejb.Stateless;
      import org.jboss.ejb3.annotation.SecurityDomain;

      @Stateless
      @SecurityDomain("LDAP")        // binding the bean to this domain triggers the re-authentication
      @DeclareRoles({"abc"})
      public class CustomerServiceBean implements CustomerService {

          @RolesAllowed({"abc"})
          public List<Customer> lookupCustomer(long foyer) {
              // lookup logic was omitted in the original post; placeholder so the class compiles
              return Collections.emptyList();
          }
      }

      JBoss standalone.xml stuff:

      <subsystem xmlns="urn:jboss:domain:remoting:1.1">
          <connector name="remoting-connector" socket-binding="remoting" security-realm="ApplicationRealm"/>
      </subsystem>

      <security-domain name="LDAP">
          <authentication>
              <login-module code="com.foo.login.LDAPLoginModule" flag="required">
                  <module-option name="principalClass" value="com.foo.login.LDAPUserPrincipal"/>
                  <module-option name="java.naming.factory.initial" value="com.sun.jndi.ldap.LdapCtxFactory"/>
                  <module-option name="java.naming.provider.url" value="ldaps://abc.de:636"/>
                  <!-- some other settings -->
              </login-module>
          </authentication>
      </security-domain>

      jboss-ejb-client.properties:

      remote.connectionprovider.create.options.org.xnio.Options.SSL_ENABLED=false
      java.naming.factory.url.pkgs=org.jboss.ejb.client.naming

      remote.connections=default

      remote.connection.default.host=localhost
      remote.connection.default.port=4447
      remote.connection.default.connect.options.org.xnio.Options.SASL_POLICY_NOANONYMOUS=false
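An added configuration comparison (not from the original post or from any reply in this thread): the security domain as posted, beside the same domain with the `cache-type="default"` attribute that the JBoss AS 7.1 security subsystem (`urn:jboss:domain:security:1.1`) supports on `<security-domain>`. With that attribute the domain keeps a JAAS authentication cache keyed on the caller's principal, so a repeated EJB invocation that carries the same credentials is validated against the cached entry instead of re-running the login module (and its LDAP bind) on every call. The login-module class and LDAP URL are the ones from the post; everything else in the block is assumed for illustration.

```xml
<!-- As posted: no cache-type, so every authenticated request reaching an EJB bound to
     this domain drives the login-module chain again (one LDAP bind per EJB call). -->
<security-domain name="LDAP">
    <authentication>
        <login-module code="com.foo.login.LDAPLoginModule" flag="required">
            <module-option name="principalClass" value="com.foo.login.LDAPUserPrincipal"/>
            <module-option name="java.naming.factory.initial" value="com.sun.jndi.ldap.LdapCtxFactory"/>
            <module-option name="java.naming.provider.url" value="ldaps://abc.de:636"/>
        </login-module>
    </authentication>
</security-domain>

<!-- With the AS 7.1 authentication cache enabled: a successful login is cached per principal,
     and later calls presenting the same credentials are checked against the cache entry. -->
<security-domain name="LDAP" cache-type="default">
    <authentication>
        <login-module code="com.foo.login.LDAPLoginModule" flag="required">
            <module-option name="principalClass" value="com.foo.login.LDAPUserPrincipal"/>
            <module-option name="java.naming.factory.initial" value="com.sun.jndi.ldap.LdapCtxFactory"/>
            <module-option name="java.naming.provider.url" value="ldaps://abc.de:636"/>
        </login-module>
    </authentication>
</security-domain>
```

The trade-off to keep in mind when enabling the cache: a password change or account disablement in LDAP is not seen by the EJB layer until the cached entry expires or the domain's cache is flushed (AS 7.1 exposes a `flush-cache` operation on the security-domain resource for that), so the cache timeout should be chosen with the organisation's revocation expectations in mind.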

        • 1. Re: EJB authenticates again even after web layer authentication
          devashish.bansal

          This is the most common scenario when using any kind of security in any webapp on JBoss; that's the reason I cannot believe that JBoss security is designed like this.

          It has nothing to do with the custom login module or custom user principal; this problem happens even if I use one of the built-in JBoss login modules with the default SimplePrincipal. I guess most people do not notice this issue, as they do not need to debug the JBoss built-in login modules, and they just live with these unnecessary calls to the security realm on each call to EJBs.

          I can see that the username/password is being passed from the web layer to the EJB layer, with which the EJB does authentication again; but then if the web layer can pass these credentials, why doesn't it pass an "already authenticated" token to the EJBs?