6 Replies Latest reply on Jun 12, 2006 12:37 AM by Thomas Diesler

    JSR-181 POJO and JAAS

    Juergen Zimmermann Master

      How do I make a JSR-181 POJO log in to JAAS?
      a) The EJB-Container uses JAAS, and the JUnit clients can login.
      b) The Web-Container also uses JAAS with FORM-based authentication for the JSP pages. No problem to invoke JSP pages, no problem to invoke EJB functionality.

      Now, I'm implementing a Web service via JSR-181 POJOs. There is no problem as long as the POJO invokes a session bean's methods without security restrictions.

      However, when I want to login for restricted methods (just like a JUnit test as in a) I get this message:
      "Insufficient permissions, principal=null, requiredRoles=[mitarbeiter], principalRoles=[]"

      Any hint is appreciated!

        • 1. Re: JSR-181 POJO and JAAS
          Frank Heldt Newbie

          I'm running into the same problem at the moment. I put an extra @PortComponent annotation on the session bean, but that doesn't fix it either.

          import javax.annotation.security.RolesAllowed;
          import javax.ejb.Stateless;
          import javax.jws.WebService;
          import javax.jws.soap.SOAPBinding;
          import org.jboss.annotation.security.SecurityDomain;
          import org.jboss.ws.annotation.PortComponent;

          // Stateless session bean exposed as an EJB web service endpoint
          @Stateless
          @WebService(
              name = "MyService",
              serviceName = "MyService"
          )
          @SOAPBinding(
              style = SOAPBinding.Style.RPC,
              use = SOAPBinding.Use.LITERAL
          )
          // HTTP BASIC authentication for the endpoint (applies to EJB endpoints only)
          @PortComponent(authMethod = "BASIC")
          // JAAS security domain that authenticates callers and supplies their roles
          @SecurityDomain("myRealm")
          // Only callers holding one of these roles may invoke the bean's methods
          @RolesAllowed({"Admin", "Operator", "User"})
          public class WebServiceEJB implements WebServiceIf
          {
              ...
          }



          Any hints would be nice :-)

          JSR181 rulez !!!


          • 2. Re: JSR-181 POJO and JAAS
            Thomas Diesler Master

            @PortComponent only applies to EJB endpoints

            You secure a JSR181 JSE endpoint like any other JBoss webapp: in web.xml & jboss-web.xml.

            • 3. Re: JSR-181 POJO and JAAS
              Juergen Zimmermann Master

              Thomas, are you saying that the methods of a JSR-181 POJO can be restricted in the same way as a SessionBean, e.g. using @SecurityDomain and @RolesAllowed?

              My problem is that a JSR-181 POJO invokes a SessionBean being restricted with @RolesAllowed. Basically I'm doing the following in my JSR-181 POJO:

              import java.security.Principal;
              import java.util.Set;
              import javax.security.auth.login.LoginContext;

              // Programmatic JAAS login from inside the JSR-181 POJO
              HskaCallbackHandler handler = new HskaCallbackHandler(username, password.toCharArray());
              loginCtx = new LoginContext(loginCtxName, handler);
              loginCtx.login();
              // Dump the principals the login modules placed in the Subject
              Set<Principal> principals = loginCtx.getSubject().getPrincipals();
              for (Principal p : principals) {
                  log.info("PRINCIPAL: " + p);
              }
              sb.deleteKundeById(id); // invoke the restricted method of a session bean



              The log file shows:
              PRINCIPAL: Roles(members:mitarbeiter,admin)


              However, when I invoke the restricted SessionBean's method I get this exception:
              Insufficient permissions, principal=null, requiredRoles=[admin], principalRoles=[]


              • 4. Re: JSR-181 POJO and JAAS
                Frank Heldt Newbie

                Thomas, thanks for your reply, I didn't know that fact.

                But: my sample is an EJB endpoint, so the question remains: why does it not work?

                • 5. Re: JSR-181 POJO and JAAS
                  Juergen Zimmermann Master

                  Pls. open a separate thread for your issue. I don't see any advantage in mixing EJB endpoints with POJO endpoints.

                  • 6. Re: JSR-181 POJO and JAAS
                    Thomas Diesler Master

                    fheldt: This is fixed in jbossws-1.0.1

                    Juergen:


                    Thomas, are you saying that the methods of a JSR-181 POJO can be restricted in the same way as a SessionBean, e.g. using @SecurityDomain and @RolesAllowed?


                    No, I am saying you add security to your web.xml and specify the security domain in jboss-web.xml
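                    As an added illustration of the approach Thomas describes (this is not code from the thread or from JBossWS itself), the two descriptors below secure a JSR-181 POJO endpoint the way any other JBoss webapp is secured. The servlet name, endpoint class, URL pattern and the security domain name are assumptions; the role "mitarbeiter" is the one from Juergen's error message.

```xml
<!-- web.xml of the WAR that deploys the JSR-181 POJO endpoint -->
<web-app xmlns="http://java.sun.com/xml/ns/j2ee" version="2.4">

  <!-- The POJO endpoint is deployed as a servlet (class name and URL pattern assumed) -->
  <servlet>
    <servlet-name>KundeEndpoint</servlet-name>
    <servlet-class>com.example.ws.KundeEndpoint</servlet-class>
  </servlet>
  <servlet-mapping>
    <servlet-name>KundeEndpoint</servlet-name>
    <url-pattern>/KundeEndpoint</url-pattern>
  </servlet-mapping>

  <!-- Only authenticated callers in role "mitarbeiter" may reach the endpoint URL.
       No <http-method> is listed, so every method is covered, including GET for ?wsdl. -->
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>KundeEndpoint</web-resource-name>
      <url-pattern>/KundeEndpoint</url-pattern>
    </web-resource-collection>
    <auth-constraint>
      <role-name>mitarbeiter</role-name>
    </auth-constraint>
  </security-constraint>

  <!-- BASIC suits SOAP clients; the realm name is only a label sent to the client -->
  <login-config>
    <auth-method>BASIC</auth-method>
    <realm-name>KundeRealm</realm-name>
  </login-config>

  <!-- Declare every role referenced in an auth-constraint -->
  <security-role>
    <role-name>mitarbeiter</role-name>
  </security-role>
</web-app>

<!-- jboss-web.xml: binds the constraints above to the JAAS domain that the
     restricted session beans already use (domain name assumed) -->
<jboss-web>
  <security-domain>java:/jaas/myDomain</security-domain>
</jboss-web>
```

                    With this in place the web container authenticates the SOAP request against the JAAS domain before the POJO runs, and the authenticated caller is what the restricted session bean sees, so the POJO no longer needs its own LoginContext. If the WSDL must stay retrievable without credentials, give GET its own constraint without an auth-constraint rather than dropping the constraint on POST.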