1 Reply Latest reply on Aug 29, 2012 4:45 AM by Devashish Bansal

    EJB authenticates again even after web layer authentication

    Devashish Bansal Newbie

      I am relatively new to Jboss 7.1 and I already tried to read lot of docs and search forums but couldn't find a direct answer to my "looks like trivial" issue and I cannot believe this feature is not present in Jboss:

       

      Problem: After successful authentication against my LDAP login module in web layer, when a secured EJB is called it calls LDAP again for authentication and it does so for every EJB call!

      Solution required : Security context should be piggybacked with some "principal already authenticated token" while getting passed to EJB layer.

       

      Additional Info : I have a custom login module and a custom user principal which works fine and this custom principal is successfully passed on to EJB with all filled data including roles so I can check sessionContext.isCalledInRole("role1"), but the whole problem starts with @SecurityDomain("LDAP"). Without this annotation on EJB no security annotation like @RolesAllowed is honoured, it just allows any user to call EJB and as soon as @SecurityDomain("LDAP") is applied at EJB level, on EJB lookup itself it tries to authenticate against LDAP login module and it does on each EJB call even without any @RolesAllowed in EJB.

       

      One possible solution is to have EJB interceptors everywhere and check for sessionContext.isUserInRole("role1") but then its not a clean and preferred way of securing EJBs.

       

      This worked like charm in weblogic and now porting to JBoss have this issue, may be others have similar issue but since I am using custom login module I was able to debug and came to know that it gets called again and again!

       

      Relevant code:

       

      @SecurityDomain("LDAP")

      @DeclareRoles({"abc"})

      public class CustomerServiceBean implements CustomerService {

       

      @RolesAllowed({"abc"})

      public List<Customer> lookupCustomer(long foyer) {

      }}

       

       

      Jboss standalone.xml stuff:

       

      <subsystem xmlns="urn:jboss:domain:remoting:1.1">

                  <connector name="remoting-connector" socket-binding="remoting" security-realm="ApplicationRealm"/>

      </subsystem>

       

                <security-domain name="LDAP">

                          <authentication>

                              <login-module code="com.foo.login.LDAPLoginModule" flag="required">

                                  <module-option name="principalClass" value="com.foo.login.LDAPUserPrincipal"/>

                                  <module-option name="java.naming.factory.initial" value="com.sun.jndi.ldap.LdapCtxFactory"/>

                                  <module-option name="java.naming.provider.url" value="ldaps://abc.de:636"/>

                                    <!-- some other settings -->

                               </login-module>

                          </authentication>

                      </security-domain>

       

      jboss-ejb-client.properties :

       

      remote.connectionprovider.create.options.org.xnio.Options.SSL_ENABLED=false

      java.naming.factory.url.pkgs=org.jboss.ejb.client.naming

       

      remote.connections=default

       

      remote.connection.default.host=localhost

      remote.connection.default.port = 4447

      remote.connection.default.connect.options.org.xnio.Options.SASL_POLICY_NOANONYMOUS=false

        • 1. Re: EJB authenticates again even after web layer authentication
          Devashish Bansal Newbie

          This is the most common scenario using any kind of security in any webapp on Jboss, thats the reason I cannot believe that Jboss security is designed like this.

           

          It has nothing to do with custom login module or custom user principal, this problem happens even if I use one of in-built Jboss login module with the default SimplePrincipal. I guess most people do not notice this issue as they do not need to debug jboss in-built login modules and they just live with this unnecessary calls to security realm on each call to EJBs.

           

          I can see that username/password is being passed from web layer to EJB layer with which EJB does authentication again, but then if web layer can pass these credentials why not it passes "already authenticated token" to EJBs.