1 Reply Latest reply on Apr 15, 2002 6:52 AM by Chris Harris

    must a user have roles?

    Chris Harris Newbie

      We have users authenticating against JBoss using ClientLoginModule on the client side and DatabaseServerLoginModule on the server side. A couple of things materialise when we try to login. (We're using 2.4.3, Win2K)

      1. A user can authenticate with just principal/password present in the Principals table, but any method call requires at least one role to be present for that user. We currently have all of our methods flagged as 'unchecked' so we can authenticate but then allow unfettered access to authenticated users, so we don't assign roles to users. This throws an error in DatabaseServerLoginModule.getRoleSets - stack trace follows

      javax.security.auth.login.FailedLoginException: No matching username found in Roles
      at org.jboss.security.auth.spi.DatabaseServerLoginModule.getRoleSets(DatabaseServerLoginModule.java:151)
      at org.jboss.security.auth.spi.AbstractServerLoginModule.commit(AbstractServerLoginModule.java:123)
      at java.lang.reflect.Method.invoke(Native Method)
      at javax.security.auth.login.LoginContext.invoke(LoginContext.java:595)
      at javax.security.auth.login.LoginContext.access$000(LoginContext.java:125)
      at javax.security.auth.login.LoginContext$3.run(LoginContext.java:531)
      at java.security.AccessController.doPrivileged(Native Method)
      at javax.security.auth.login.LoginContext.invokeModule(LoginContext.java:528)
      at javax.security.auth.login.LoginContext.login(LoginContext.java:450)
      at org.jboss.security.plugins.JaasSecurityManager.defaultLogin(JaasSecurityManager.java:396)
      at org.jboss.security.plugins.JaasSecurityManager.authenticate(JaasSecurityManager.java:363)
      at org.jboss.security.plugins.JaasSecurityManager.isValid(JaasSecurityManager.java:219)
      at org.jboss.ejb.plugins.SecurityInterceptor.checkSecurityAssociation(SecurityInterceptor.java:164)
      at org.jboss.ejb.plugins.SecurityInterceptor.invokeHome(SecurityInterceptor.java:92)
      at org.jboss.ejb.plugins.LogInterceptor.invokeHome(LogInterceptor.java:106)
      at org.jboss.ejb.StatelessSessionContainer.invokeHome(StatelessSessionContainer.java:268)
      at org.jboss.ejb.plugins.jrmp.server.JRMPContainerInvoker.invokeHome(JRMPContainerInvoker.java:372)
      at java.lang.reflect.Method.invoke(Native Method)
      at sun.rmi.server.UnicastServerRef.dispatch(UnicastServerRef.java:236)
      at sun.rmi.transport.Transport$1.run(Transport.java:147)
      at java.security.AccessController.doPrivileged(Native Method)
      at sun.rmi.transport.Transport.serviceCall(Transport.java:143)
      at sun.rmi.transport.tcp.TCPTransport.handleMessages(TCPTransport.java:460)
      at sun.rmi.transport.tcp.TCPTransport$ConnectionHandler.run(TCPTransport.java:701)
      at java.lang.Thread.run(Thread.java:479)

      If we add a role to the Roles table, to get round this problem, then we get another error indicating that the user doesn't have the role which seems to be a 'dummy' principal for unchecked exceptions. This happens in SecurityInterceptor, the last line of checkSecurityAssociation(). Presumably this is not added automatically to authenticated users' list of roles?

      So the question is - does a user *have* to have a role? Is it within spec (and I know 2.4.3 falls between two versions of the spec on this) to have users authenticated, have all methods unchecked, and therefore only allow authenticated users to call any method?