0 Replies Latest reply on Apr 4, 2011 6:07 PM by kitome

    About securing an application with SecurityDomain and RolesAllowed

    kitome

      Hi everyone!

       

      I'm trying to secure a Swing application with multiple threads; the idea is to authenticate the user and then grant him access according to the roles associated with him. Currently, I'm using setSimple to authenticate the user instead of setJAAS, so pretty much the only thing that the application does is validate the user against our database, but it ignores the RolesAllowed, so any logged-in user can access all of the application's functionalities. If I use the SecurityDomain, then it looks like the information about the logged-in user gets lost and the application tries to attempt a login again but with a null user and/or password, thus throwing an exception.

       

      Since the initial focus couldn't help me solve the problem (http://community.jboss.org/message/596990#596990, http://community.jboss.org/thread/43907), I kept asking Google about anything, and then I found something that told me that SecurityDomain only works with setJAAS (JAAS authentication), so that could explain why the application fails once I use SecurityDomain...

       

      So the question here is: does @RolesAllowed only work when using @SecurityDomain and JAAS authentication? It doesn't matter if I use a Database Server Login Module (org.jboss.security.auth.spi.DatabaseServerLoginModule), I still need to use a JAAS login to grant access to the user using a Security Domain? Also, is there any problem with having more than one login module specified in the login-config.xml?

       

      As you can see, I'm a noob using JBoss, so I really appreciate any help here.