EJB lookup from servlet not allowed with custom security domain
fuzao Apr 2, 2014 12:32 PM
Hi, I have an app that launches a thread from a servlet (in app.war), which looks up an EJB in a separate module (mod1.ejb).
The structure of the project is something like this:
app.ear (exploded)
|__ app.war (exploded)
|__ mod1.ejb (exploded)
|__ mod2.ejb (exploded)
Here is the ejb-jar.xml (old-fashioned EJB 2.x since this is a migration from Jboss 6 to WildFly 8):
<?xml version="1.0" encoding="UTF-8" standalone="no"?>
<ejb-jar xmlns="http://xmlns.jcp.org/xml/ns/javaee"
         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xsi:schemaLocation="http://xmlns.jcp.org/xml/ns/javaee http://xmlns.jcp.org/xml/ns/javaee/ejb-jar_3_2.xsd"
         version="3.2">
  <enterprise-beans>
    <session>
      <display-name>com.quatrosi.be.al.AlertService</display-name>
      <ejb-name>com.quatrosi.be.al.AlertService</ejb-name>
      <home>com.quatrosi.be.al.AlertServiceHome</home>
      <remote>com.quatrosi.be.al.AlertService</remote>
      <ejb-class>com.quatrosi.be.al.AlertServiceEJB</ejb-class>
      <session-type>Stateless</session-type>
      <transaction-type>Bean</transaction-type>
    </session>
  </enterprise-beans>
  <assembly-descriptor>
    <security-role>
      <description>USRX</description>
      <role-name>USRX</role-name>
    </security-role>
    <method-permission>
      <role-name>USRX</role-name>
      <method>
        <ejb-name>com.quatrosi.be.al.AlertService</ejb-name>
        <method-name>*</method-name>
      </method>
    </method-permission>
  </assembly-descriptor>
</ejb-jar>
My EJB modules have the following configuration in jboss-ejb3.xml:
<?xml version="1.0"?>
<jboss:ejb-jar xmlns:jboss="http://www.jboss.com/xml/ns/javaee"
               xmlns="http://java.sun.com/xml/ns/javaee" xmlns:s="urn:security"
               xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
               xsi:schemaLocation="http://java.sun.com/xml/ns/javaee http://java.sun.com/xml/ns/javaee/ejb-jar_3_1.xsd
                                   http://www.jboss.com/xml/ns/javaee http://www.jboss.org/j2ee/schema/jboss-ejb3-2_0.xsd"
               version="3.1" impl-version="2.0">
  <assembly-descriptor>
    <s:security>
      <ejb-name>*</ejb-name>
      <s:security-domain>mysecuritydomain</s:security-domain>
    </s:security>
  </assembly-descriptor>
</jboss:ejb-jar>
My security domain is configured as follows:
<security-domain name="mysecuritydomain" cache-type="default">
  <authentication>
    <login-module code="Remoting" flag="optional">
      <module-option name="password-stacking" value="useFirstPass"/>
    </login-module>
    <login-module code="UsersRoles" flag="required">
      <module-option name="usersProperties" value="${jboss.server.config.dir}/myapp-users.properties"/>
      <module-option name="rolesProperties" value="${jboss.server.config.dir}/myapp-roles.properties"/>
    </login-module>
  </authentication>
</security-domain>
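My Java code for the EJB lookup is:
import java.util.Hashtable;
import javax.naming.Context;
import javax.naming.InitialContext;

Hashtable<String, Object> properties = new Hashtable<>();
//properties.put(Context.INITIAL_CONTEXT_FACTORY, factory);
//properties.put(Context.PROVIDER_URL, provider);
// Credentials passed as JNDI environment properties
properties.put(Context.SECURITY_PRINCIPAL, username);
properties.put(Context.SECURITY_CREDENTIALS, password);
Context context = new InitialContext(properties);
// lookup() returns Object, so cast to the EJB 2.x home interface
AppServiceHome home = (AppServiceHome) context.lookup(beanName);
AppService service = home.create();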
WildFly 8 exposes these JNDI names for service:
java:global/app/mod1/com.quatrosi.be.al.AppService!com.quatrosi.be.al.AppService
java:app/mod1/com.quatrosi.be.al.AppService!com.quatrosi.be.al.AppService
java:module/com.quatrosi.be.al.AppService!com.quatrosi.be.al.AppService
java:jboss/exported/app/mod1/com.quatrosi.be.al.AppService!com.quatrosi.be.al.AppService
java:global/app/mod1/com.quatrosi.be.al.AppService!com.quatrosi.be.al.AppServiceHome
java:app/mod1/com.quatrosi.be.al.AppService!com.quatrosi.be.al.AppServiceHome
java:module/com.quatrosi.be.al.AppService!com.quatrosi.be.al.AppServiceHome
java:jboss/exported/app/mod1/com.quatrosi.be.al.AppService!com.quatrosi.be.al.AppServiceHome
I can only invoke using java:global and java:jboss/exported namespaces.
I'm getting what seems to be an authentication error:
javax.ejb.EJBAccessException: JBAS014502: Invocation on method: public abstract com.quatrosi.be.AppService com.quatrosi.be.AppServiceHome.create() throws java.rmi.RemoteException,javax.ejb.CreateException of bean: com.quatrosi.be.al.AppService is not allowed
Can anyone help me with this situation please?
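
An added example, not part of the original post and not WildFly's own code: an offline check that models the declarative rule in the descriptors above, where a call is permitted only if the caller holds a role named in a matching method-permission. The roles-file contents and the users alice and bob are constructed, and the UsersRoles "user=role1,role2" file format is assumed.

```python
import xml.etree.ElementTree as ET

NS = {"ee": "http://xmlns.jcp.org/xml/ns/javaee"}

# Constructed sample: assembly-descriptor as in the post's ejb-jar.xml.
EJB_JAR = """<ejb-jar xmlns="http://xmlns.jcp.org/xml/ns/javaee" version="3.2">
 <assembly-descriptor>
  <method-permission>
   <role-name>USRX</role-name>
   <method>
    <ejb-name>com.quatrosi.be.al.AlertService</ejb-name>
    <method-name>*</method-name>
   </method>
  </method-permission>
 </assembly-descriptor>
</ejb-jar>"""

# Constructed roles file in the UsersRoles "user=role1,role2" format.
ROLES_PROPERTIES = "# constructed sample\nalice=USRX,ADMIN\nbob=GUEST\n"

def required_roles(ejb_jar_xml, ejb_name, method_name):
    """Roles from every method-permission that covers ejb_name.method_name."""
    roles = set()
    root = ET.fromstring(ejb_jar_xml)
    for perm in root.iterfind("ee:assembly-descriptor/ee:method-permission", NS):
        for m in perm.iterfind("ee:method", NS):
            bean = m.findtext("ee:ejb-name", "", NS).strip()
            name = m.findtext("ee:method-name", "", NS).strip()
            if bean == ejb_name and name in ("*", method_name):
                roles.update(r.text.strip() for r in perm.iterfind("ee:role-name", NS))
    return roles

def user_roles(properties_text):
    """Parse user=role1,role2 lines; comments and blank lines are skipped."""
    mapping = {}
    for line in properties_text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and "=" in line:
            user, _, roles = line.partition("=")
            mapping[user.strip()] = {r.strip() for r in roles.split(",") if r.strip()}
    return mapping

def is_allowed(user, ejb_name, method_name, ejb_jar_xml=EJB_JAR, roles_text=ROLES_PROPERTIES):
    """True/False when a method-permission applies, None when none covers the method.
    user=None models a caller with no authenticated identity."""
    needed = required_roles(ejb_jar_xml, ejb_name, method_name)
    if not needed:
        return None
    return bool(needed & user_roles(roles_text).get(user, set()))
```

Pointing the two text arguments at the deployed ejb-jar.xml and myapp-roles.properties contents shows which configured users could pass the USRX check for a given bean method.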