3 Replies Latest reply on Oct 12, 2006 5:36 AM by Wolfgang Knauf

    @SecurityDomain with custom login module fails with EJB3

    Wolfgang Knauf Master

      Hi everybody,

      I ran into a problem with an EJB using a custom security domain.

      My sample:
      -I created a custom login module (subclass of org.jboss.security.auth.spi.UsernamePasswordLoginModule).
      -"login-config.xml" at server\default\conf contains this application-policy:
      <application-policy name = "knaufsecurity">

      <login-module code = "de.fhw.swtvertiefung.knauf.security.loginmodule.KundeAdministratorLoginModule"
      flag = "required">
      </login-module>

      </application-policy>

      In a EJB 2.1 environment I could secure my bean with this entry in jboss.xml in the EJB jar:
      <security-domain>java:/jaas/knaufsecurity</security-domain>

      For my EJB3 bean I added this annotation (stateless session bean):
      @org.jboss.annotation.security.SecurityDomain(value="java:/jaas/knaufsecurity")

      My web project is secured also, by declaring the security domain in jboss-web.xml, and this works !

      But for the ejb project: if I try to access a method with an annotation "@RolesAllowed", this exception is logged:

      21:12:50,140 ERROR [UsersRolesLoginModule] Failed to load users/passwords/role files
      java.io.IOException: No properties file: users.properties or defaults: defaultUsers.properties found
      at org.jboss.security.auth.spi.Util.loadProperties(Util.java:313)
      at org.jboss.security.auth.spi.UsersRolesLoginModule.loadUsers(UsersRolesLoginModule.java:186)
      at org.jboss.security.auth.spi.UsersRolesLoginModule.createUsers(UsersRolesLoginModule.java:200)
      at org.jboss.security.auth.spi.UsersRolesLoginModule.initialize(UsersRolesLoginModule.java:127)
      at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
      at sun.reflect.NativeMethodAccessorImpl.invoke(Unknown Source)
      at sun.reflect.DelegatingMethodAccessorImpl.invoke(Unknown Source)
      at java.lang.reflect.Method.invoke(Unknown Source)
      at javax.security.auth.login.LoginContext.invoke(Unknown Source)
      at javax.security.auth.login.LoginContext.access$000(Unknown Source)
      at javax.security.auth.login.LoginContext$4.run(Unknown Source)
      at java.security.AccessController.doPrivileged(Native Method)
      at javax.security.auth.login.LoginContext.invokePriv(Unknown Source)
      at javax.security.auth.login.LoginContext.login(Unknown Source)
      at org.jboss.security.plugins.JaasSecurityManager.defaultLogin(JaasSecurityManager.java:601)
      at org.jboss.security.plugins.JaasSecurityManager.authenticate(JaasSecurityManager.java:535)
      at org.jboss.security.plugins.JaasSecurityManager.isValid(JaasSecurityManager.java:344)
      at org.jboss.aspects.security.AuthenticationInterceptor.authenticate(AuthenticationInterceptor.java:124)
      at org.jboss.aspects.security.AuthenticationInterceptor.invoke(AuthenticationInterceptor.java:67)
      at org.jboss.ejb3.security.Ejb3AuthenticationInterceptor.invoke(Ejb3AuthenticationInterceptor.java:131)
      at org.jboss.aop.joinpoint.MethodInvocation.invokeNext(MethodInvocation.java:101)
      at org.jboss.ejb3.ENCPropagationInterceptor.invoke(ENCPropagationInterceptor.java:47)
      at org.jboss.aop.joinpoint.MethodInvocation.invokeNext(MethodInvocation.java:101)
      at org.jboss.ejb3.asynchronous.AsynchronousInterceptor.invoke(AsynchronousInterceptor.java:106)
      at org.jboss.aop.joinpoint.MethodInvocation.invokeNext(MethodInvocation.java:101)
      at org.jboss.ejb3.stateless.StatelessContainer.dynamicInvoke(StatelessContainer.java:263)
      at org.jboss.ejb3.remoting.IsLocalInterceptor.invoke(IsLocalInterceptor.java:58)
      at org.jboss.aop.joinpoint.MethodInvocation.invokeNext(MethodInvocation.java:101)
      at org.jboss.ejb3.stateless.StatelessRemoteProxy.invoke(StatelessRemoteProxy.java:102)
      at $Proxy96.forAdminOnly(Unknown Source)
      ....


      So this pointed me to a workaround: I modified "login-config.xml" and replaced the login-module declaration in the "other" policy.
      <application-policy name = "other">

      <login-module code = "de.fhw.swtvertiefung.knauf.security.loginmodule.KundeAdministratorLoginModule"
      flag = "required">
      </login-module>

      </application-policy>

      Now it works, but it seems either I did something wrong in declaring the EJB security domain, or there is a bug in the implementation.

      Could someone clarify this ?

      Thanks

      Wolfgang Knauf