I tried to implement a JAAS-based access control infrastructure as a Stateless Session EJB under JBOSS.
After struggling for a few days, I gave up. I came to the conclusion that it's almost impossible if
it has to run under a container and has to deal with all the security and class loading policies of the
container. As a standalone application it's doable.
Here is the code I used. I think my code is OK. But I could not get the java2 and JAAS policy files to work
after endless tweaking. The JBOSS container always threw some kind of Access Control Violation exception.
I am still using JAAS for authentication, but I have resorted to building my Access Control Infrastructure using
EJB and storing the access control information in a database. Another reason for doing it this way is so that
the access control data will be secured in a database, instead of text files.

    import java.io.FilePermission;
    import java.security.AccessControlException;
    import java.security.AccessController;
    import java.security.PrivilegedAction;
    import javax.security.auth.Subject;

    public boolean isAllowed(final String user, final String media, final String access) {
        // As posted, no Principal for `user` is added to the Subject.
        Subject sub = new Subject();
        MedialAccessChecker medialAccessChecker = new MedialAccessChecker(media, access);
        Subject.doAsPrivileged(sub, medialAccessChecker, null);
        return medialAccessChecker.isAllowed();
    }
    class MedialAccessChecker implements PrivilegedAction {
        public MedialAccessChecker(String media, String access) {
            this.media = media;
            this.access = access;
        }
        public Object run() {
            System.out.println("media " + media + " access " + access);
            System.out.println("Subject " + Subject.getSubject(AccessController.getContext()));
            FilePermission perm = new FilePermission(media, access);
            try {
                AccessController.checkPermission(perm);
            } catch (AccessControlException acEx) {
                System.out.println("Got AccessControlException " + acEx);
                allowed = false;
            }
            return null;
        }
        public boolean isAllowed() {
            return allowed;
        }
        private String media;
        private String access;
        private boolean allowed = true;
    }

I would appreciate any help or advice.
My understanding is, you must use the JBossSX mechanisms to use EJB security (unless you implement your own security manager).
Have you read the JBossSX chapter in the documentation? See also the JavaWorld article "Integrate security infrastructures with JBossSX". This will give you an idea of how one is expected to implement security in JBoss and where you can add your custom stuff.
You can use EJBs from custom login modules
without any problems. Or maybe with only one problem:
EJBs you use from login modules shall have no
So, assuming that you have some data model you are using for authentication/authorisation you will have
to make 2 sets of beans:
1. Beans for auth only, without any security settings
(everybody allowed access), and those beans shall
have no means of changing the data or leaking security-relevant information
2. Beans for auth information management -
they go to the same data, but have methods designed for changing auth information
I used such an approach (an even more brain-dead one)
and it worked...
I am not talking about access control for ejb methods, but more generic access control e.g., access to file.
It's very difficult to configure security policies for these kinds of access control for beans running under the JBOSS container.
You essentially have to find all the access violations one at a time and add them to the java2 policy accordingly. There is no quick way to configure the policy. Sometimes even after I added the necessary permissions in the policy, JBOSS still threw exceptions.
Typically, many containers, including JBOSS, are configured with permission java.security.AllPermission by default. To use JAAS authorization, it becomes necessary to replace that with explicit permission settings, because of the additive nature of the policy settings.
It would have been much easier if java2 allowed subtractive permission setting also. For example, if I wanted only a certain code base running under a certain principal to have read access to a file, I could set up the java2 policy file for JBOSS as follows, if subtractive policy was allowed.

    grant {
        // Allow everything for now
        not permission java.io.FilePermission "C:\\temp\\foo.txt", "read";
    };

The JAAS policy would be

    grant Principal org.jboss.security.SimplePrincipal "lucky" {
        permission java.io.FilePermission "C:\\temp\\foo.txt", "read";
    };

When running under JBOSS, because the java2 policies are additive, I have to find the access violations one at a time and add them to the java2 policy.
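
The additive behaviour described in the last post, as an added example that is not part of the thread: a simplified model of policy evaluation (not the JDK's Policy implementation and not JBoss code) built on the real java.security.Permissions collection. The class name, the grant/implies helpers and the "*" marker for a grant without a Principal clause are assumptions made for the illustration.

```java
import java.io.FilePermission;
import java.security.AllPermission;
import java.security.Permission;
import java.security.Permissions;
import java.util.LinkedHashMap;
import java.util.Map;
import java.util.Set;

// Simplified model of additive policy evaluation (an assumption, not the JDK's Policy class).
public class AdditivePolicyDemo {
    static final String EVERYONE = "*"; // hypothetical marker: grant with no Principal clause

    // Grants keyed by principal name; a grant can only ever add permissions.
    final Map<String, Permissions> grants = new LinkedHashMap<>();

    AdditivePolicyDemo grant(String principal, Permission p) {
        grants.computeIfAbsent(principal, k -> new Permissions()).add(p);
        return this;
    }

    // Allowed if ANY applicable grant implies the permission; no entry can revoke it.
    boolean implies(Set<String> principals, Permission wanted) {
        for (Map.Entry<String, Permissions> e : grants.entrySet()) {
            boolean applies = e.getKey().equals(EVERYONE) || principals.contains(e.getKey());
            if (applies && e.getValue().implies(wanted)) return true;
        }
        return false;
    }

    public static void main(String[] args) {
        Permission read = new FilePermission("C:\\temp\\foo.txt", "read");

        // Container default: AllPermission for everyone, plus the per-principal grant.
        AdditivePolicyDemo permissive = new AdditivePolicyDemo()
            .grant(EVERYONE, new AllPermission())
            .grant("lucky", read);
        // Explicit policy: AllPermission removed, only the per-principal grant remains.
        AdditivePolicyDemo explicit = new AdditivePolicyDemo().grant("lucky", read);

        // "other" has no grant of its own; compare the two policies.
        System.out.println("permissive, other: " + permissive.implies(Set.of("other"), read));
        System.out.println("explicit,   lucky: " + explicit.implies(Set.of("lucky"), read));
        System.out.println("explicit,   other: " + explicit.implies(Set.of("other"), read));
    }
}
```

While the AllPermission grant is present, the per-principal entry has no effect on the outcome, which is why the default grant has to be replaced by explicit entries before principal-based checks mean anything.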