2 Replies Latest reply on Jul 24, 2002 11:52 AM by feeling

    Authorization problem

    feeling
    feeling Jul 23, 2002 2:53 PM

      Hello,

      I have 2 login modules in my security domain: 1st is a UsersRolesLoginModule (sufficient) and 2nd is a LDAPLoginModule (required). There is only admin user in the User/Roles properties files and the rest of the user database is in the LDAP server.

      I tried to authenticate the user "john" in LDAP and the login() was successful. However, when a secured EJB method was called, I got the following error:
      java.rmi.RemoteException: checkSecurityAssociation; nested exception is:
      java.lang.SecurityException: Insufficient method permissions, principal=john, method=create, requiredRoles=[Administrators, InternalRole, Viewers], principalRoles=[]

      The user "john" has the Administrators role in the LDAP server. I am puzzled by why the roles of john was not propagated to the Security Manager? If I removed the 1st login module and used only the LDAPLoginModule in my domain, JBoss was able to return "john"'s roles and granted authorization.

      Does anyone know where my mistakes are?

      Thanks,
      Fee

      • 2988 Views
      • Tags:
        • 1. Re: Authorization problem
          jwkaltz
          jwkaltz Jul 24, 2002 3:31 AM (in response to feeling)

          Hi, I've never tried 2 login modules for the same domain, but reading your post, it seems to me : if the first LoginModule is sufficient, then I would think it doesn't even look at the second:
          in the JAAS API I read the following :
          " The overall authentication succeeds only if all Required and Requisite LoginModules succeed. If a Sufficient LoginModule is configured and succeeds, then only the Required and Requisite LoginModules prior to that Sufficient LoginModule need to have succeeded for the overall authentication to succeed."
          (Class Configuration)

          Order is important. So if I understand you correctly, to achieve what you want, you would simple need to reverse the order of the 2 modules in the auth.conf

            • Actions
          • 2. Re: Authorization problem
            feeling
            feeling Jul 24, 2002 11:52 AM (in response to feeling)

            Hi,

            The authentication works fine. The user "john" failed the first login module but succeeded in the second. You can see that in the message where principal=john.

            The problem is there was no roles attached to the principal (principalRoles=[]) and I know that "john" has been assigned three roles in the LDAP server (tested with only LDAPLoginModule in one domain and authorization worked okay).

            I think it has to do with the configuration flags of the 2 login modules......Help.

            Fee

              • Actions