1 Reply Latest reply on Aug 26, 2002 2:07 PM by ubxwgm

    account-manager: create new accounts and method permissions

    ubxwgm

      Hello,

      I'm writing an account-manager app where users can register themselves so that they can authenticate themselves later with the information entered.

      So I have a SessionBean (SUserBean) with two methods ("getNewUser" "storeNewUser") which everyone (especially unauthenticated users) is allowed to call.
      In addition I have a method "getUser" which returns the actual user's data (to edit their own user profile).

      So I placed method-permissions on the methods-to-secure, entered a name for "unauthenticated-principal" in jboss.xml and assigned method-permissions for this user to the two unsecure-methods.

      But this doesn't work - all I get are SecurityPermissions (principal=null) at the point where I create a new bean.

      (look at the dtds below)
      I think there is a mapping missing between the user "NOBODY" and the role "UNATHENTICATED", but I didn't find anything where I can specify this. I also tried to use the same name, but that didn't work either.

      Can anyone help me???

      Thanks Michael

      Here are my DDs: (compressed to security-relevant parts)

      ejb-jar:
      <ejb-jar>
        <assembly-descriptor>
          <security-role><role-name>AllUsersRole</role-name></security-role>
          <security-role><role-name>UnauthenticatedRole</role-name></security-role>
          <method-permission>
            <role-name>AllUsersRole</role-name>
            <method>
              <ejb-name>SUserBean</ejb-name>
              <method-name>getUser</method-name>
            </method>
            <method>
              <ejb-name>SUserBean</ejb-name>
              <method-name>store</method-name>
              <method-params><method-param>IUserRW</method-param></method-params>
            </method>
          </method-permission>
          <method-permission>
            <role-name>UNATHENTICATED</role-name>
            <method>
              <ejb-name>SUserBean</ejb-name>
              <method-name>createNew</method-name>
            </method>
            <method>
              <ejb-name>SUserBean</ejb-name>
              <method-name>ejbCreate</method-name>
            </method>
          </method-permission>
        </assembly-descriptor>
      </ejb-jar>


      jboss.xml:

      <security-domain>java:/jaas/myDomain</security-domain>
      <unauthenticated-principal>NOBODY</unauthenticated-principal>
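
An added example, not part of the original post and not JBoss code: a consistency check that cross-references every `<role-name>` used in a `<method-permission>` against the declared `<security-role>` entries, run over a constructed copy of the ejb-jar fragment above. The function name `audit_roles`, the helper `_text` and the `<method>` wrappers in the sample are assumptions of this example.

```python
import xml.etree.ElementTree as ET

# Constructed sample: the post's ejb-jar fragment, with each method entry
# wrapped in the <method> element the ejb-jar DTD requires (assumption).
EJB_JAR = """\
<ejb-jar><assembly-descriptor>
  <security-role><role-name>AllUsersRole</role-name></security-role>
  <security-role><role-name>UnauthenticatedRole</role-name></security-role>
  <method-permission>
    <role-name>AllUsersRole</role-name>
    <method><ejb-name>SUserBean</ejb-name><method-name>getUser</method-name></method>
    <method><ejb-name>SUserBean</ejb-name><method-name>store</method-name></method>
  </method-permission>
  <method-permission>
    <role-name>UNATHENTICATED</role-name>
    <method><ejb-name>SUserBean</ejb-name><method-name>createNew</method-name></method>
    <method><ejb-name>SUserBean</ejb-name><method-name>ejbCreate</method-name></method>
  </method-permission>
</assembly-descriptor></ejb-jar>
"""

def _text(elem, tag):
    # Stripped text of a child element, or '?' when it is absent.
    return (elem.findtext(tag) or "?").strip()

def audit_roles(ejb_jar_xml):
    """Return (undeclared, unused): roles referenced by a method-permission but
    never declared (mapped to the methods they guard), and declared-only roles."""
    asm = ET.fromstring(ejb_jar_xml).find("assembly-descriptor")
    if asm is None:
        return {}, set()
    declared = {_text(r, "role-name") for r in asm.findall("security-role")}
    undeclared, used = {}, set()
    for perm in asm.findall("method-permission"):
        methods = [f"{_text(m, 'ejb-name')}.{_text(m, 'method-name')}"
                   for m in perm.findall("method")]
        for role in perm.findall("role-name"):
            name = (role.text or "").strip()
            used.add(name)
            if name not in declared:  # role names compare exactly, case included
                undeclared.setdefault(name, []).extend(methods)
    return undeclared, declared - used

if __name__ == "__main__":
    undeclared, unused = audit_roles(EJB_JAR)
    for role, methods in undeclared.items():
        print(f"undeclared role {role!r} guards: {', '.join(methods)}")
    print("declared but unused:", sorted(unused))
```

On the sample it reports that `UNATHENTICATED` is referenced without a declaration while `UnauthenticatedRole` is declared and never used.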