1 Reply Latest reply on Jun 23, 2011 10:15 AM by hublisid

    SecurityAssociation values are null when called from authenticating EJB

    hublisid

      Hi All,

       

      I have a web applciation and an EJB component.

      I am using GenericHeaderAuthenticator and SSOLoginModule for the authentication. In GenericHeaderAuthenticator, I am getting the roles from siteminder and setting in org.jboss.security.SecurityAssociation class.

       

      SecurityAssociation.setContextInfo("sm_role", roles);

       

      For the authentication in EJB, the securityDomain is pointing to SSOLoginModule,

      When I am trying to access the SecurityAssociation context info in SSOLoginModule , its giving me null values, so the EJB authentication failed!!

       

      String role = (String)SecurityAssociation.getContextInfo("sm_role"); roles are coming as null.

       

      This problem is in Unix environment, the same code I tried in Windows environment it's working fine.

       

      Can anyone help me to resolve this issue?

       

      The configuration are as below:-

       

      ####################EJB Code:######################################

       

      @org.jboss.ejb3.annotation.SecurityDomain("SSOGenericHeaderAuth")

      @Stateless

      public class FooBean implements FooRemote { 

      @RolesAllowed("essga_cmdbost_custodian")  

      @Resource private SessionContext sctx; 

       

      #######war-deployers-jboss-beans.xml(c:\jboss-5.1.0.GA\server\default\deployers\jbossweb.deployer\META-INF) ########

            <property name="authenticators">
               <map class="java.util.Properties" keyClass="java.lang.String" valueClass="java.lang.String">
          <entry>
                     <key>HEADER</key>
                     <value>org.jboss.example.web.tomcat.security.GenericHeaderAuthenticator</value>
                </entry>

                 ...........

                  ...........

      ######web.xml###########

        <login-config>

            <auth-method>HEADER</auth-method>

        </login-config>

       

      #######login-config.xml(c:\jboss-5.1.0.GA\server\default\conf):##########

       

      <application-policy name="SSOGenericHeaderAuth">

         <authentication>

         <login-module code="org.jboss.example.web.tomcat.security.SSOLoginModule" flag="sufficient"/>

         <login-module code="org.jboss.security.auth.spi.UsersRolesLoginModule"

         flag="required">

         <module-option name="usersProperties">props/jmx-console-users.properties</module-option>

         <module-option name="rolesProperties">props/jmx-console-roles.properties</module-option>

         </login-module>

        </authentication>

      </application-policy>

        • 1. Re: SecurityAssociation values are null when called from authenticating EJB
          hublisid

          Thanks to JBoss team, this problem is resolved with help of JBoss team.

          Here is the solution:

           

          Instead of SecurityAssociation class, I used HTTPSession to store the roles. By this we don't need to validate the session every time we do the role check.

           

          So, in GenericHeaderAuthentication.java

           

           

          // This is how the roles are passed into the login module where they will be set

          HttpSession http_session = request.getSession();

          http_session.setAttribute("roles", roles);

          and in SSOLoginModule.java, you retrieve the roles using below mentioned code:

          HttpServletRequest request =

           

          (HttpServletRequest) PolicyContext.getContext("javax.servlet.http.HttpServletRequest");

           

          List<String> sessionRoles = (List<String>) request.getSession().getAttribute("roles");

           

          This resolved the problem.

           

          Regards,

          Siddu

           

          Message was edited by: Siddu Bulla