0 Replies Latest reply on Aug 26, 2005 9:55 AM by Stacey Vetzal

    Security questions and issues

    Stacey Vetzal Newbie

      Hi All,

      I've noticed that the login-config.xml in the Portal indicates a (new?) LoginModule (org.jboss.portal.core.security.jaas.IdentityPropagationLoginModule) that appears to take the place of ClientLoginModule for propogation.

      Is this assumption correct?

      I have tried using both but am getting different errors with each.

      The IdentityPropogationLoginModule fails when initializing our Portlet with a NullPointerException (I believe because our Portlet calls EJBCreate on a session bean, and there is no logged in user yet... the ejbCreate method is set as unchecked=true, but this hasn't helped; I've been pouring over docs looking at the intricacies / conflicts of dealing with roles, groups, etc - our LoginModule worked great until we started to place our apps under a security domain - it might still be working great, but now I'm not so sure ;).

      The ClientLoginModule fails with this security notice:

      09:11:05,713 INFO [STDOUT] Caused by: java.lang.SecurityException: Insufficient method permissions, principal=[roles=[Authenticated],principal=anonymous], ejbName=UserManagement, method=getRootUsers, interface=REMOTE, requiredRoles=[Authenticated], principalRoles=null

      Note that the principal is flagged with an Authenticated role, but principalRoles is null... I think that is what's causing our problem there.

      Which way should I pursue? Should I even track down the problems with ClientLoginModule or should I chase down what's going on with the IdentityPropagationLoginModule?