9 Replies Latest reply on Jan 25, 2012 5:14 AM by Stephen Coy


    Bernhard Günter Newbie


      My next question is: what happened to the "SecurityAssociation" in AS 7 CR1?

      We use the SecurityAssociation for handling our own security mechanism.


      It seems that it is no longer supported? I haven't found anything about it yet.


      Can anybody help me?



        • 1. Re: SecurityAssociation
          jaikiran pai Master

          How/Where were you using that class in previous versions?

          • 2. Re: SecurityAssociation
            Bernhard Günter Newbie

            The principal we are using for cross-cutting concerns like user, mandator, version, etc.

            We are using the following methods for our security on a rich client or Seam web frontend

            - SecurityAssociation.setPrincipal(principal);

            - SecurityAssociation.setCredential(credential);


            On the server side we are using the following methods to evaluate these values by @SecurityDomain and @RolesAllowed:



            • 3. Re: SecurityAssociation
              Bernhard Günter Newbie

              After I read the painful thread: "jboss-as-client 7.0.0.CR1?"

              It is clear - which means for our project: No JBoss 7.0

              • 4. Re: SecurityAssociation
                Bernhard Günter Newbie


                I am still wondering what happened to the SecurityAssociation.

                I was using it to get and manipulate the current caller principal in the current context in an EJB.

                Is there a different way to retrieve and set the current principal and its credential?


                Can anybody help me?





                • 5. Re: SecurityAssociation
                  Darran Lofthouse Master

                  To actually set these values you can still use the ClientLoginModule to make the association so that it can be used for authentication on the next call.


                  For the authentication stage is there a reason you can't just supply your own login module to perform the verification?

                  • 6. Re: SecurityAssociation
                    Bernhard Günter Newbie

                    We have our own login module, but we are using the principal to transport cross-cutting information, e.g. multi-client capability, which decides in a Hibernate interceptor which database schema is used.


                    Does anybody know how to access the current principal in the context?

                    • 7. Re: SecurityAssociation
                      Bernhard Günter Newbie


                      With the availability of JBoss 7.1-B1 I came back to evaluate the migration effort from JBoss 4 to 7.

                      I am still facing the problem of the missing SecurityAssociation. I've searched around for hours, but I found nothing.


                      I am setting the caller principal in a Servlet (or RMI Client) by contextProperties.put(Context.SECURITY_PRINCIPAL, ...)


                      I have an interceptor which modifies each SQL Database call with the principal-coded dependent db-schema.

                      Before, we used SecurityAssociation.getPrincipal(). How can I get the current caller principal without the SecurityAssociation?

                      ejbcontext.getCallerPrincipal() is not delivering the principal which was set in the calling context. It delivers anonymous.


                      Our DatabaseLoginModule is also using the SecurityAssociation.getPrincipal and SecurityAssociation.getCredential().


                      Unfortunately I have not found much documentation about security and JBoss 7.


                      I appreciate any help.




                      • 8. Re: SecurityAssociation
                        Vesuv Mitarbeiter Newbie



                        I think it is now "SecurityContextAssociation". I don't know if it has all the "old" features, but it has some of them.

                        I hope it helps someone.



                        • 9. Re: SecurityAssociation
                          Stephen Coy Master

                          JBoss AS7.x security is built on PicketBox. You may have more luck over there.


                          Also, if you have a look at the discussion "@RolesAllowed, @DenyAll require presence of org.jboss.ejb3.annotation.SecurityDomain?" you will find useful information on properly setting up the security domain in the jboss-ejb3.xml file, which replaces the old jboss.xml file. Additionally I posted some code that does some Arquillian-based integration testing of security elements by performing a JAAS login.


                          The ClientLoginModule used in AS7.1CR1b is found in the picketbox-4.0.6.Beta2.jar. There's a source jar for this in the maven repository.


                          The fact that you're getting anonymous as the caller principal tells me that you need to update your login module. My test code did exactly that until I included the ClientLoginModule in my javax.security.auth.login.Configuration object.
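
An added example (not code from this thread or from the PicketBox project) of the step described in reply 9: a programmatic javax.security.auth.login.Configuration that contains the ClientLoginModule, used for a JAAS login before calling the EJB. The class name ClientLoginExample, the application name "client-login" and the chosen module options are assumptions; ClientLoginModule only binds the supplied principal and credential to the calling thread, so the server's security domain still has to verify them.

```java
import java.util.HashMap;
import java.util.Map;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.NameCallback;
import javax.security.auth.callback.PasswordCallback;
import javax.security.auth.callback.UnsupportedCallbackException;
import javax.security.auth.login.AppConfigurationEntry;
import javax.security.auth.login.AppConfigurationEntry.LoginModuleControlFlag;
import javax.security.auth.login.Configuration;
import javax.security.auth.login.LoginContext;
import javax.security.auth.login.LoginException;

public class ClientLoginExample {
    // In-memory JAAS configuration with a single ClientLoginModule entry.
    static Configuration clientLoginConfiguration() {
        Map<String, Object> options = new HashMap<String, Object>();
        options.put("multi-threaded", "true");         // keep the identity per thread
        options.put("restore-login-identity", "true"); // restore the prior identity on logout
        final AppConfigurationEntry[] entries = {
            new AppConfigurationEntry("org.jboss.security.ClientLoginModule",
                LoginModuleControlFlag.REQUIRED, options)
        };
        return new Configuration() {
            @Override
            public AppConfigurationEntry[] getAppConfigurationEntry(String name) {
                return entries; // same entry for every application name (assumption)
            }
        };
    }

    // Binds user/password to the calling thread; the caller must logout() when done.
    static LoginContext login(final String user, final char[] password) throws LoginException {
        CallbackHandler handler = new CallbackHandler() {
            @Override
            public void handle(Callback[] callbacks) throws UnsupportedCallbackException {
                for (Callback cb : callbacks) {
                    if (cb instanceof NameCallback) ((NameCallback) cb).setName(user);
                    else if (cb instanceof PasswordCallback) ((PasswordCallback) cb).setPassword(password);
                    else throw new UnsupportedCallbackException(cb);
                }
            }
        };
        LoginContext lc = new LoginContext("client-login", null, handler, clientLoginConfiguration());
        lc.login();
        return lc;
    }
}
```

Call login(...) before the EJB invocation and logout() on the returned LoginContext in a finally block, so the identity does not stay attached to a pooled thread.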