1 Reply Latest reply on Nov 14, 2002 7:47 AM by Joacim Larsson

    Authenticates as 'user' role, but can access 'admin' role me

    Joacim Larsson Newbie

      I'm using MySQL to authenticate my application.
      When a user logs in, he can successfully access 'user'-role jsp pages as configured in web-client.xml.
      However, he can also access beans/methods with @ejb:permission set to 'admin'!

      I have my security domain in jboss-web.xml set to:
      <security-domain>java:/jaas/MySqlDbRealm</security-domain>

      In login-conf.xml I have:
      <application-policy name = "MySqlDbRealm">

      <login-module code = "org.jboss.security.auth.spi.DatabaseServerLoginModule" flag = "required">
      <module-option name = "dsJndiName">java:/MySqlDS</module-option>
      <module-option name = "principalsQuery">select password from users where loginname=?</module-option>
      <module-option name = "rolesQuery">select role, 'Roles' from roles where loginname=?</module-option>
      <!--
      <module-option name = "principalsQuery">select password from users email where loginname=?</module-option>
      <module-option name = "rolesQuery">select role, 'Roles' from roles where loginname=?</module-option>
      -->
      <module-option name = "unauthenticatedIdentiy">nobody</module-option>
      <module-option name = "managedConnectionFactoryName">jboss.jca:service=LocalTxCM,name=MySqlDS</module-option>
      </login-module>

      </application-policy>


      In mysql-service.xml I have:
      <!--uncomment out this line if you are using the MySqlDbRealm above
      MySqlDbRealm
      -->

      <depends optional-attribute-name="ManagedConnectionFactoryName">
      <!--embedded mbean-->


      MySqlDS



      <config-property name="ConnectionURL" type="java.lang.String">jdbc:mysql://localhost:3306/mysite</config-property>
      <config-property name="DriverClass" type="java.lang.String">org.gjt.mm.mysql.Driver</config-property>
      <!--set these only if you want only default logins, not through JAAS -->
      <config-property name="UserName" type="java.lang.String">dbuser</config-property>
      <config-property name="Password" type="java.lang.String">dbpassword</config-property>




      If I uncomment the SecurityDomainJndiName I receive tons of Security Exceptions (Principal=null) when starting JBoss and no Beans are loaded. I guess this is the problem.

      Let's say I don't use the EJB authentication at all - is my application 'safe enough' just because users cannot access the admin-role jsp pages (only the admin pages call methods that are intended for admin)?

      How can I prevent users not in the admin role from accessing a bean with methods @ejb:permission role-name="admin"? (That is, how do I get rid of the Principal=null problem when enabling the securityDomain?)

      I'm very thankful for any help!

      -Joacim
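
An added example, not part of the original post or of JBoss: a descriptor check for one configuration in which web-tier role checks work while EJB method permissions are declared but have no EJB-tier security domain behind them. It assumes that JBoss enforces EJB method permissions only when the EJB jar's jboss.xml names a top-level `<security-domain>`, and that `@ejb:permission` ends up as `<method-permission>` in ejb-jar.xml; the descriptor contents and the bean name `AdminBean` are constructed.

```python
import xml.etree.ElementTree as ET

# Constructed sample descriptors (not taken from the post).
JBOSS_WEB_XML = """<jboss-web>
  <security-domain>java:/jaas/MySqlDbRealm</security-domain>
</jboss-web>"""

# EJB-tier descriptor with no <security-domain>: the state this check flags.
JBOSS_XML_UNSECURED = """<jboss>
  <enterprise-beans>
    <session><ejb-name>AdminBean</ejb-name></session>
  </enterprise-beans>
</jboss>"""

JBOSS_XML_SECURED = """<jboss>
  <security-domain>java:/jaas/MySqlDbRealm</security-domain>
  <enterprise-beans>
    <session><ejb-name>AdminBean</ejb-name></session>
  </enterprise-beans>
</jboss>"""

# Assumed shape of the descriptor generated for @ejb:permission role-name="admin".
EJB_JAR_XML = """<ejb-jar>
  <assembly-descriptor>
    <method-permission>
      <role-name>admin</role-name>
      <method><ejb-name>AdminBean</ejb-name><method-name>*</method-name></method>
    </method-permission>
  </assembly-descriptor>
</ejb-jar>"""


def security_domain(descriptor_xml):
    """Return the top-level <security-domain> text, or None if absent."""
    node = ET.fromstring(descriptor_xml).find("security-domain")
    return node.text.strip() if node is not None and node.text else None


def audit(jboss_web_xml, jboss_xml, ejb_jar_xml):
    """List findings where declared EJB role checks have no matching domain."""
    findings = []
    web, ejb = security_domain(jboss_web_xml), security_domain(jboss_xml)
    nodes = ET.fromstring(ejb_jar_xml).findall(".//method-permission/role-name")
    roles = sorted({n.text.strip() for n in nodes if n.text})
    if roles and ejb is None:
        findings.append("EJB roles declared (%s) but jboss.xml has no security-domain"
                        % ", ".join(roles))
    elif web and ejb and web != ejb:
        findings.append("web tier uses %s but EJB tier uses %s" % (web, ejb))
    return findings
```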