1 Reply Latest reply on Sep 27, 2002 3:30 PM by Cindy Conway

    Permissions not working - being bypassed

    Sloan Seaman Newbie

      I am trying to implement JAAS for a few test beans that I have.

      I have a client app that runs in a separate VM and will eventually run on a separate machine.

      My issue is that it just seems to be letting everything through.

      I do not even have the database tables made for the DatabaseServerLoginModule and it still works.

      For the client app I have the following auth.conf (located in an app specific location):
      LeagueCentral {
          // JBoss LoginModule
          org.jboss.security.ClientLoginModule required;
      };

      On the server side I have an auth.conf in server//conf:
      other {
          org.jboss.security.auth.spi.DatabaseServerLoginModule required
          dsJndiName="java:/MySqlDS2"
          principalsQuery="select Password from Principals where PrincipalID=?"
          rolesQuery="select Role, RoleGroup from Roles where PrincipalID=?"
          unauthenticatedIdentity=nobody
          ;
      };

      In my ejb-jar for the beans I have:
      <assembly-descriptor>
        <security-role>
          <description>Access control from all Remote Clients</description>
          <role-name>RemoteClient</role-name>
        </security-role>

        <method-permission>
          <role-name>RemoteClient</role-name>
          <method>
            <ejb-name>User</ejb-name>
            <method-name>getEmailAddress</method-name>
          </method>
        </method-permission>

        <exclude-list>
          <method>
            <ejb-name>User</ejb-name>
            <method-name>getPassword</method-name>
          </method>
        </exclude-list>
      </assembly-descriptor>


      The client is able to use getPassword() even though I have it defined otherwise.

      I'm a bit new to JAAS so any help at all would be great.

      Thanks!

        • 1. Re: Permissions not working - being bypassed
          Cindy Conway Newbie

          Have you tried putting a security-domain in your jboss.xml file?


          <security-domain>java:/jaas/MyDomain</security-domain>
          ...


          The way I understand it, by placing this in the jboss.xml, you specify that the application is secured under the MyDomain domain. Then, in your auth.conf file on the server, create a section called "MyDomain" like this:

          MyDomain {
          ... your security setup ...
          };


          Each bean in the jboss.xml file will then be authenticated with the login modules in the MyDomain configuration.

          Good Luck!
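
A deployment check for the setup the reply describes, as an added example that is not part of the original thread or JBoss's own code: it flags an ejb-jar.xml that declares method-permission or exclude-list entries while jboss.xml names no security-domain, or names one with no matching entry in auth.conf. The function names and sample descriptors are constructed for illustration, and it assumes DTD-era descriptors without XML namespaces.

```python
import re
import xml.etree.ElementTree as ET

JAAS_PREFIX = "java:/jaas/"

def jaas_entries(auth_conf):
    """Names of the login configuration entries declared in a JAAS auth.conf."""
    text = re.sub(r"/\*.*?\*/|//[^\n]*", "", auth_conf, flags=re.S)  # strip comments
    return set(re.findall(r"([\w.\-]+)\s*\{", text))

def audit(ejb_jar_xml, jboss_xml, auth_conf):
    """Return findings for a deployment whose method restrictions lack a usable domain."""
    ejb = ET.fromstring(ejb_jar_xml)
    if not (ejb.findall(".//method-permission") + ejb.findall(".//exclude-list")):
        return []  # nothing declared, nothing to enforce
    domain = (ET.fromstring(jboss_xml).findtext(".//security-domain") or "").strip()
    if not domain:
        return ["ejb-jar.xml restricts methods but jboss.xml names no security-domain"]
    name = domain[len(JAAS_PREFIX):] if domain.startswith(JAAS_PREFIX) else domain
    if name not in jaas_entries(auth_conf):
        return [f"security-domain '{name}' has no '{name} {{ ... }};' entry in auth.conf"]
    return []

# Constructed sample descriptors modelled on the thread (not the poster's real files).
EJB_JAR = """<ejb-jar><assembly-descriptor>
  <method-permission><role-name>RemoteClient</role-name>
    <method><ejb-name>User</ejb-name><method-name>getEmailAddress</method-name></method>
  </method-permission>
  <exclude-list>
    <method><ejb-name>User</ejb-name><method-name>getPassword</method-name></method>
  </exclude-list>
</assembly-descriptor></ejb-jar>"""
JBOSS_NO_DOMAIN = "<jboss><enterprise-beans/></jboss>"
JBOSS_WITH_DOMAIN = "<jboss><security-domain>java:/jaas/MyDomain</security-domain></jboss>"
LOGIN_MODULE = "org.jboss.security.auth.spi.DatabaseServerLoginModule required;"
AUTH_OTHER = "other {\n  // default entry\n  " + LOGIN_MODULE + "\n};"
AUTH_MYDOMAIN = AUTH_OTHER + "\nMyDomain {\n  " + LOGIN_MODULE + "\n};"

if __name__ == "__main__":
    for label, jboss, auth in [("no domain", JBOSS_NO_DOMAIN, AUTH_OTHER),
                               ("domain, no entry", JBOSS_WITH_DOMAIN, AUTH_OTHER),
                               ("domain and entry", JBOSS_WITH_DOMAIN, AUTH_MYDOMAIN)]:
        print(label, "->", audit(EJB_JAR, jboss, auth) or "ok")
```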