1 Reply Latest reply on Nov 10, 2001 3:38 PM by Ben Litchfield

    web security

    Ben Litchfield Newbie

      I have a simple application that uses the JBoss-2.4.3_Tomcat-3.2.3 dist.

      I am trying to get security working correctly such that my JSP can call my EJB and have the security information passed along.

      The problem is that in my jboss-web.xml file, if I include the <security-domain>java:/jaas/other</security-domain> tag (BASIC auth), then I get the browser login dialog; I enter my username and password, hit OK, and the dialog just comes back up.

      I see these messages in the console:
      [Default] User 'danone' authenticated.
      [DefaultDS] No transaction right now.
      [DefaultDS] Pool DefaultDS [1/1/10] gave out pooled object: org.jboss.pool.jdbc.xa.wrapper.XAConnectionImpl@32efa7
      [DefaultDS] Pool DefaultDS [0/1/10] returned object org.jboss.pool.jdbc.xa.wrapper.XAConnectionImpl@32efa7 to the pool.

      Here is the kicker though: if I don't include the <security-domain> tag, then it works correctly for the JSP. The only domain that I have defined in my auth.conf is 'other'. The JSP and EJB are secured to the role END_USER. So I get into my simple JSP, print out the principal, and check isUserInRole( "END_USER" ), and that works as it should. I then attempt to look up my EJB and get the following exception:

      [SimpleStateless] Insufficient method permissions, principal=danone, method=create, requiredRoles=[END_USER], principalRoles=null
      [Default] java.rmi.RemoteException: checkSecurityAssociation; nested exception is: java.lang.SecurityException: Insufficient method permissions, principal=danone, method=create, requiredRoles=[END_USER], principalRoles=null
      [Default] java.lang.SecurityException: Insufficient method permissions, principal=danone, method=create, requiredRoles=[END_USER], principalRoles=null
      [Default] at org.jboss.ejb.plugins.SecurityInterceptor.checkSecurityAssociation(SecurityInterceptor.java:216)
      [Default]
      [Default] at org.jboss.ejb.plugins.SecurityInterceptor.invokeHome(Security

      I wrote my own login module that extends org.jboss.security.auth.spi.DatabaseServerLoginModule, and the only method that I override is validatePassword(), which, as I said earlier, appears to work because the JSP comes up with the correct principal and role.

      Any suggestions?
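Added illustration, not Ben Litchfield's module: a login module of the kind the post describes, extending DatabaseServerLoginModule and overriding only validatePassword(), here to compare a stored SHA-256 hex digest in constant time instead of a clear-text password. The class name is hypothetical, and it assumes the 'other' entry in auth.conf names this class with a principalsQuery that returns the hex digest and a rolesQuery that returns the END_USER role.

```java
import java.io.UnsupportedEncodingException;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import org.jboss.security.auth.spi.DatabaseServerLoginModule;
// Hypothetical module for the 'other' domain. The inherited login() runs
// principalsQuery to fetch the stored credential and rolesQuery to build the
// role set the EJB SecurityInterceptor later checks; only the comparison changes.
public class HashedPasswordLoginModule extends DatabaseServerLoginModule {
    private static final char[] HEX = "0123456789abcdef".toCharArray();
    // expectedPassword is whatever principalsQuery returned: assumed here to be
    // a lowercase SHA-256 hex digest rather than the clear-text password.
    protected boolean validatePassword(String inputPassword, String expectedPassword) {
        if (inputPassword == null || expectedPassword == null) {
            return false;
        }
        String actual = toHex(sha256(inputPassword));
        return constantTimeEquals(actual, expectedPassword.trim().toLowerCase());
    }

    private static byte[] sha256(String s) {
        try {
            return MessageDigest.getInstance("SHA-256").digest(s.getBytes("UTF-8"));
        } catch (NoSuchAlgorithmException e) {
            throw new IllegalStateException("SHA-256 unavailable: " + e.getMessage());
        } catch (UnsupportedEncodingException e) {
            throw new IllegalStateException("UTF-8 unavailable: " + e.getMessage());
        }
    }

    private static String toHex(byte[] bytes) {
        StringBuffer sb = new StringBuffer(bytes.length * 2);
        for (int i = 0; i < bytes.length; i++) {
            sb.append(HEX[(bytes[i] >> 4) & 0x0f]).append(HEX[bytes[i] & 0x0f]);
        }
        return sb.toString();
    }
    // Examine every character so the time taken does not depend on where the
    // first mismatch is; the digest length is fixed, so the length check leaks nothing.
    private static boolean constantTimeEquals(String a, String b) {
        if (a.length() != b.length()) {
            return false;
        }
        int diff = 0;
        for (int i = 0; i < a.length(); i++) {
            diff |= a.charAt(i) ^ b.charAt(i);
        }
        return diff == 0;
    }
}
```

Roles never pass through validatePassword(): they come from the base class's rolesQuery, and the web tier only hands them to the EJB tier when the JAAS security domain is the one doing the authentication.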