web security
ben2 Nov 10, 2001 9:06 AM
I have a simple application that uses the JBoss-2.4.3_Tomcat-3.2.3 dist.
I am trying to get security working correctly such that my JSP can call my EJB and have the security information passed along.
The problem is that in my jboss-web.xml file, if I include the <security-domain>java:/jaas/other</security-domain> tag (BASIC auth), then I get the browser login dialog; I enter my username and password, hit OK, and the dialog just comes back up.
I see these messages in the console:
[Default] User 'danone' authenticated.
[DefaultDS] No transaction right now.
[DefaultDS] Pool DefaultDS [1/1/10] gave out pooled object: org.jboss.pool.jdbc.xa.wrapper.XAConnectionImpl@32efa7
[DefaultDS] Pool DefaultDS [0/1/10] returned object org.jboss.pool.jdbc.xa.wrapper.XAConnectionImpl@32efa7 to the pool.
Here is the kicker though, if I don't include the <security-domain> tag then it works correctly for the JSP. The only domain that I have defined in my auth.conf is 'other'. The JSP and EJB are secured to the role END_USER. So I get into my simple JSP and I print out the principal and check isUserInRole( "END_USER" ) and that works as it should. I then attempt to look up my EJB and get the following exception:
[SimpleStateless] Insufficient method permissions, principal=danone, method=create, requiredRoles=[END_USER], principalRoles=null
[Default] java.rmi.RemoteException: checkSecurityAssociation; nested exception is: java.lang.SecurityException: Insufficient method permissions, principal=danone, method=create, requiredRoles=[END_USER], principalRoles=null
[Default] java.lang.SecurityException: Insufficient method permissions, principal=danone, method=create, requiredRoles=[END_USER], principalRoles=null
[Default] at org.jboss.ejb.plugins.SecurityInterceptor.checkSecurityAssociation(SecurityInterceptor.java:216)
[Default]
[Default] at org.jboss.ejb.plugins.SecurityInterceptor.invokeHome(Security
I wrote my own login module that extends org.jboss.security.auth.spi.DatabaseServerLoginModule, and the only method that I override is validatePassword(), which, as I said earlier, appears to work because the JSP comes up with the correct principal and role.
Any suggestions?
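For reference, an added example (not the poster's file, which is not shown) of what the 'other' entry in auth.conf looks like when backed by a DatabaseServerLoginModule subclass of the kind described; the name in jboss-web.xml, java:/jaas/other, is matched against this entry. The login module class name, data source name, and table and column names are assumed; the role query is written so that every role comes back in the group named Roles, which is the group the EJB container checks against requiredRoles.

```text
// conf/default/auth.conf (JAAS login configuration; assumed layout, not the poster's file)
other {
    // Subclass that only overrides validatePassword(); class name is assumed.
    com.example.MyDatabaseLoginModule required
    dsJndiName="java:/DefaultDS"
    // Returns the stored password for the authenticating principal.
    principalsQuery="select Password from Principals where PrincipalID=?"
    // First column is the role name (e.g. END_USER); the second column is the
    // group name and must be 'Roles', otherwise the roles end up in a different
    // group and the EJB security check sees no principal roles.
    rolesQuery="select Role, 'Roles' from Roles where PrincipalID=?"
    ;
};
```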