Hello,
I'm writing an account-manager app where users can register themselves so that they can authenticate themselves later with the information entered.
So I have a SessionBean (SUserBean) with two methods ("getNewUser", "storeNewUser") which everyone (especially unauthenticated users) is allowed to call.
In addition I have a method "getUser" which returns the actual user's data (to edit one's own user profile).
So I placed method-permissions on the methods-to-secure, entered a name for "unauthenticated-principal" in jboss.xml and assigned method-permissions for this user to the two unsecure-methods.
But this doesn't work - all I get are SecurityPermissions (principal=null) at the point where I create a new bean
(see the DDs below)
I think there is a mapping missing between the user "NOBODY" and the role "UNATHENTICATED" but I didn't find anything where I can specify this. I also tried to use the same name but that didn't work, either.
Can anyone help me???
Thanks Michael
Here are my DDs: (compressed to security-relevant parts)
ejb-jar:
<ejb-jar>
  <assembly-descriptor>
    <security-role><role-name>AllUsersRole</role-name></security-role>
    <security-role><role-name>UnauthenticatedRole</role-name></security-role>
    <method-permission>
      <role-name>AllUsersRole</role-name>
      <ejb-name>SUserBean</ejb-name>
      <method-name>getUser</method-name>
      <ejb-name>SUserBean</ejb-name>
      <method-name>store</method-name>
      <method-params><method-param>IUserRW</method-param></method-params>
    </method-permission>
    <method-permission>
      <role-name>UNATHENTICATED</role-name>
      <ejb-name>SUserBean</ejb-name>
      <method-name>createNew</method-name>
      <ejb-name>SUserBean</ejb-name>
      <method-name>ejbCreate</method-name>
    </method-permission>
  </assembly-descriptor>
</ejb-jar>
jboss.xml:
<security-domain>java:/jaas/myDomain</security-domain>
<unauthenticated-principal>NOBODY</unauthenticated-principal>
Sorry - "UNAUTHENTICATED" is spelled in both "role-name"-tags. So that could not be the problem.