1 Reply Latest reply on Oct 1, 2002 12:51 PM by jwkaltz

    EJB Security Context Problems

    cfrostrun

      I'm teaching myself the EJB method security implementation, and I'm
      running into problems... Perhaps somebody has the answer.

      I don't believe I have something set up correctly: I call this method
      from within all the methods I want to lock down. It is always throwing
      the exception because isCallerInRole is false:

      private void security(String methodName) throws LDIException {
          LDILogger.info(methodName);
          if (requiredRole == null) {
              LDILogger.warn(methodName);
              throw new LDIException("required role is not set",
                      IExceptionCodes.ROLE_NOT_SET);
          }
          if (ctx == null) {
              // Stop here: falling through would hit a NullPointerException below.
              LDILogger.warn("Context is Null");
              throw new LDIException("Context is Null", IExceptionCodes.EJB_SECURITY);
          }
          // Programmatic role check against the caller's security context.
          if (!ctx.isCallerInRole(requiredRole)) {
              LDILogger.warn(methodName);
              throw new LDIException("Access to Enterprise Resource Denied: EJB Security",
                      IExceptionCodes.EJB_SECURITY);
          }
      }

      If I add this line before the if clause, I get an exception:

          LDILogger.info(ctx.getCallerPrincipal().getName());

      The exception reads:
      Embedded Exception
      No security context set; nested exception is:
      javax.ejb.EJBException: null
      Embedded Exception
      No security context set

      Here's my ejb-jar.xml file:

      <ejb-jar>
        <enterprise-beans>
          <session>
            <ejb-name>security/UserManager</ejb-name>
            <home>com.LiquidDataInc.ejb.security.UserManagerHome</home>
            <remote>com.LiquidDataInc.ejb.security.UserManager</remote>
            <ejb-class>com.LiquidDataInc.ejb.security.UserManagerBean</ejb-class>
            <session-type>Stateless</session-type>
            <transaction-type>Bean</transaction-type>
          </session>
        </enterprise-beans>
        <assembly-descriptor>
          <security-role>
            <description>System Administrators, Full Access</description>
            <role-name>SYS_ADMIN</role-name>
          </security-role>
          <method-permission>
            <role-name>SYS_ADMIN</role-name>
            <method>
              <ejb-name>security/UserManager</ejb-name>
              <method-intf>Remote</method-intf>
              <method-name>load</method-name>
              <method-params>
                <method-param>long</method-param>
              </method-params>
            </method>
            <method>
              <ejb-name>security/UserManager</ejb-name>
              <method-intf>Remote</method-intf>
              <method-name>store</method-name>
              <method-params>
                <method-param></method-param>
              </method-params>
            </method>
            <method>
              <ejb-name>security/UserManager</ejb-name>
              <method-intf>Remote</method-intf>
              <method-name>getSearchResults</method-name>
              <method-params>
                <method-param>java.util.HashMap</method-param>
              </method-params>
            </method>
          </method-permission>
        </assembly-descriptor>
      </ejb-jar>

      So can somebody help me?

      TIA,

      Chris

        • 1. Re: EJB Security Context Problems
          jwkaltz

          In JBoss 2.4.X you also need to provide a jboss.xml file within your deployment jar, in which you specify the security context. This security context refers to a JAAS login module, which is then executed when you try to access a secured bean.

          As long as you haven't successfully configured and executed a JAAS login module you won't have a security context set.

          I suggest you work through that JavaWorld JAAS article; the link has been given in several previous postings.

          By the way, you don't want to write all that "required role" stuff within the Java code. That's the point of specifying the roles within the ejb-jar.xml stuff, so that the container handles the role checking for you.

          Good luck.