2 Replies Latest reply on Jul 24, 2002 11:52 AM by Fee Ling Chin

    Authorization problem

    Fee Ling Chin Newbie


      I have 2 login modules in my security domain: 1st is a UsersRolesLoginModule (sufficient) and 2nd is a LDAPLoginModule (required). There is only admin user in the User/Roles properties files and the rest of the user database is in the LDAP server.

      I tried to authenticate the user "john" in LDAP and the login() was successful. However, when a secured EJB method was called, I got the following error:
      java.rmi.RemoteException: checkSecurityAssociation; nested exception is:
      java.lang.SecurityException: Insufficient method permissions, principal=john, method=create, requiredRoles=[Administrators, InternalRole, Viewers], principalRoles=[]

      The user "john" has the Administrators role in the LDAP server. I am puzzled by why the roles of john was not propagated to the Security Manager? If I removed the 1st login module and used only the LDAPLoginModule in my domain, JBoss was able to return "john"'s roles and granted authorization.

      Does anyone know where my mistakes are?


        • 1. Re: Authorization problem
          J. Wolfgang Kaltz Novice

          Hi, I've never tried 2 login modules for the same domain, but reading your post, it seems to me : if the first LoginModule is sufficient, then I would think it doesn't even look at the second:
          in the JAAS API I read the following :
          " The overall authentication succeeds only if all Required and Requisite LoginModules succeed. If a Sufficient LoginModule is configured and succeeds, then only the Required and Requisite LoginModules prior to that Sufficient LoginModule need to have succeeded for the overall authentication to succeed."
          (Class Configuration)

          Order is important. So if I understand you correctly, to achieve what you want, you would simple need to reverse the order of the 2 modules in the auth.conf

          • 2. Re: Authorization problem
            Fee Ling Chin Newbie


            The authentication works fine. The user "john" failed the first login module but succeeded in the second. You can see that in the message where principal=john.

            The problem is there was no roles attached to the principal (principalRoles=[]) and I know that "john" has been assigned three roles in the LDAP server (tested with only LDAPLoginModule in one domain and authorization worked okay).

            I think it has to do with the configuration flags of the 2 login modules......Help.