0 Replies Latest reply on Oct 2, 2012 12:58 AM by klopper

    Jboss AS 7.1 - EJB injection in servlet with secure context

    klopper

      Hi all.

      I tried to execute an EJB method from a servlet. My application is an EAR containing an ejb-jar (with the EJB) and a war (with the servlet).

      In standalone-full.xml I configured a security realm:

      <security-realm name="MyDomainRealm">
         <authentication>
            <jaas name="myDomain"/>
         </authentication>
      </security-realm>

       

      and the security domain myDomain:

      <security-domain name="myDomain" cache-type="default">
          <authentication>
            <login-module code="Remoting" flag="optional">
              <module-option name="password-stacking" value="useFirstPass"/>
            </login-module>
            <login-module code="org.jboss.security.auth.spi.DatabaseServerLoginModule" flag="required">
               <module-option name="dsJndiName" .../>
               ...
               <module-option name="rolesQuery" value="select 'user' Role, 'Roles' RoleGroup from authinfo where name=?"/>
               ...
            </login-module>
            <login-module code="my.app.LoginModule" flag="required">
              <module-option .../>
            </login-module>
          </authentication>
      </security-domain>

       

      and JBoss Remoting (my EJB may also be used via a remote JNDI lookup):

      <subsystem xmlns="urn:jboss:domain:remoting:1.1">
         <connector name="remoting-connector" socket-binding="remoting" security-realm="MyDomainRealm"/>
      </subsystem>

       

      In myEjb.jar, jboss-ejb3.xml configures the security domain:

      <assembly-descriptor>
        <s:security>
          <ejb-name>*</ejb-name>
          <s:security-domain>java:/jaas/myDomain</s:security-domain>
        </s:security>
      </assembly-descriptor>

       

      and ejb-jar.xml adds a method-permission check for myEjb:

      <assembly-descriptor>
        <security-role>
          <role-name>user</role-name>
        </security-role>
        <method-permission>
          <role-name>user</role-name>
          <method>
            <ejb-name>MyEjbBean</ejb-name>
            <method-name>*</method-name>
      ...

       

      myWeb.war is called in my secure context:

      jboss-web.xml:

      <security-domain>java:/jaas/myDomain</security-domain>

      web.xml:

        <security-role>
          <role-name>user</role-name>
        </security-role>

        <security-constraint>
          <web-resource-collection>
            <web-resource-name>Secure</web-resource-name>
            <url-pattern>/*</url-pattern>
          </web-resource-collection>
          <auth-constraint>
            <role-name>user</role-name>
          </auth-constraint>
        </security-constraint>

        <login-config>
          <auth-method>BASIC</auth-method>
        </login-config>
      ...

       

      And finally in jboss-app.xml:

      <jboss-app xmlns="http://www.jboss.com/xml/ns/javaee"
                 xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
                 version="7.0">
          <security-domain>java:/jaas/myDomain</security-domain>
          <security-role>
              <role-name>user</role-name>
          </security-role>
      </jboss-app>

       

      MyServlet.java, relevant part (EJB 3.0):

      import javax.ejb.EJB;

      @EJB
      IMyBeanLocal myEjb;   // container-injected reference to the local EJB interface

      void test() {
          myEjb.foo();      // this call produces the login failure shown below
      }
      -------------------

       

      When I try to execute myEjb.foo(), I see in the server logs:
      ------------------------------------
      10:12:57,307 TRACE [org.jboss.security.authentication.JBossCachedAuthenticationManager] (http--127.0.0.1-8080-1) defaultLogin, principal=myUser
      10:12:57,308 TRACE [org.jboss.security.auth.login.XMLLoginConfigImpl] (http--127.0.0.1-8080-1) Begin getAppConfigurationEntry(java:), size=4
      10:12:57,309 TRACE [org.jboss.security.auth.login.XMLLoginConfigImpl] (http--127.0.0.1-8080-1) getAppConfigurationEntry(java:), no entry in appConfigs, tyring parentCont: null
      10:12:57,309 TRACE [org.jboss.security.auth.login.XMLLoginConfigImpl] (http--127.0.0.1-8080-1) getAppConfigurationEntry(java:), no entry in parentConfig, trying: other
      10:12:57,310 TRACE [org.jboss.security.auth.login.XMLLoginConfigImpl] (http--127.0.0.1-8080-1) End getAppConfigurationEntry(java:), authInfo=AppConfigurationEntry[]:
      [0]
      LoginModule Class: org.jboss.as.security.remoting.RemotingLoginModule
      ControlFlag: LoginModuleControlFlag: optional
      Options:
      name=password-stacking, value=useFirstPass
      [1]
      LoginModule Class: org.jboss.as.security.RealmUsersRolesLoginModule
      ControlFlag: LoginModuleControlFlag: required
      Options:
      name=usersProperties, value=${jboss.server.config.dir}/application-users.properties
      name=realm, value=ApplicationRealm
      name=rolesProperties, value=${jboss.server.config.dir}/application-roles.properties
      name=password-stacking, value=useFirstPass

      10:12:57,325 ERROR [org.jboss.security.authentication.JBossCachedAuthenticationManager] (http--127.0.0.1-8080-1) Login failure: javax.security.auth.login.FailedLoginException: Password Incorrect/Password Required
          at org.jboss.security.auth.spi.UsernamePasswordLoginModule.login(UsernamePasswordLoginModule.java:270) [picketbox-4.0.7.Final.jar:4.0.7.Final]
          at org.jboss.security.auth.spi.UsersRolesLoginModule.login(UsersRolesLoginModule.java:155) [picketbox-4.0.7.Final.jar:4.0.7.Final]
          at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) [rt.jar:1.6.0_26]
          at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39) [rt.jar:1.6.0_26]
          at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25) [rt.jar:1.6.0_26]
      ...
      -----------------------------------------------

       

      Why getAppConfigurationEntry(java:)???

      Why is the 'other' security domain with ApplicationRealm used for myEjb, and not the security domain myDomain as I described it in jboss-ejb3.xml?

      I'm confused.

      I tried annotating MyEjbBean with @SecurityDomain:

      import org.jboss.security.annotation.SecurityDomain;   // (I also tried import org.jboss.ejb3.annotation.SecurityDomain;)
      @SecurityDomain(value="myDomain")

      The error is the same...

      What did I do wrong?
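The TRACE output above records exactly which JAAS configuration the server resolved for the call, and that it silently fell back to the "other" configuration. The following Python is an added check, not from the post or from JBoss: it parses those lines and reports the name the server asked for, whether a fallback happened, and which login modules then ran. The expected domain name "myDomain" and the sample log are taken from the post; the assumed log format is the PicketBox TRACE format shown there.

```python
import re

# Constructed sample: the TRACE/ERROR lines quoted in the post above, trimmed to
# the ones the check needs.
SAMPLE_LOG = """\
10:12:57,307 TRACE [org.jboss.security.authentication.JBossCachedAuthenticationManager] (http--127.0.0.1-8080-1) defaultLogin, principal=myUser
10:12:57,308 TRACE [org.jboss.security.auth.login.XMLLoginConfigImpl] (http--127.0.0.1-8080-1) Begin getAppConfigurationEntry(java:), size=4
10:12:57,309 TRACE [org.jboss.security.auth.login.XMLLoginConfigImpl] (http--127.0.0.1-8080-1) getAppConfigurationEntry(java:), no entry in appConfigs, tyring parentCont: null
10:12:57,309 TRACE [org.jboss.security.auth.login.XMLLoginConfigImpl] (http--127.0.0.1-8080-1) getAppConfigurationEntry(java:), no entry in parentConfig, trying: other
LoginModule Class: org.jboss.as.security.remoting.RemotingLoginModule
LoginModule Class: org.jboss.as.security.RealmUsersRolesLoginModule
10:12:57,325 ERROR [org.jboss.security.authentication.JBossCachedAuthenticationManager] (http--127.0.0.1-8080-1) Login failure: javax.security.auth.login.FailedLoginException: Password Incorrect/Password Required
"""

BEGIN_RE = re.compile(r"Begin getAppConfigurationEntry\(([^)]*)\)")
FALLBACK_RE = re.compile(r"no entry in parentConfig, trying: (\S+)")
MODULE_RE = re.compile(r"LoginModule Class: (\S+)")
FAILURE_RE = re.compile(r"Login failure: ([\w.]+)")


def analyze_jaas_log(text, expected_domain):
    """Report which JAAS configuration the server actually resolved.

    'requested' is the name passed to XMLLoginConfigImpl, 'resolved' the
    configuration it fell back to (None if none), 'modules' the login-module
    classes in the chain that ran.
    """
    requested = resolved = failure = None
    modules = []
    for line in text.splitlines():
        if (m := BEGIN_RE.search(line)) and requested is None:
            requested = m.group(1)
        elif m := FALLBACK_RE.search(line):
            resolved = m.group(1)
        elif m := MODULE_RE.search(line):
            modules.append(m.group(1))
        elif m := FAILURE_RE.search(line):
            failure = m.group(1)
    return {
        "requested": requested,
        "resolved": resolved,
        "modules": modules,
        "failure": failure,
        # The name JBoss looked up is not the domain the deployment named.
        "mismatch": requested != expected_domain,
        # The server silently used a different configuration than requested.
        "fell_back": resolved is not None and resolved != requested,
    }
```

Run against the post's log, the report shows `requested` as "java:" rather than "myDomain" and `fell_back` as True, which is the condition a deployment check should flag: the EJB call was authenticated against a login-module chain that the deployment never asked for.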