Authenticates as 'user' role, but can access 'admin' role me
jox72 Nov 13, 2002 9:18 AM
I'm using MySQL to authenticate my application.
When a user logs in, he can successfully access the 'user'-role JSP pages as configured in web-client.xml.
However, he can also access beans/methods with @ejb:permission set to 'admin'!
I have my security domain in jboss-web.xml set to:
<security-domain>java:/jaas/MySqlDbRealm</security-domain>
In login-config.xml I have:
<application-policy name = "MySqlDbRealm">
<login-module code = "org.jboss.security.auth.spi.DatabaseServerLoginModule" flag = "required">
<module-option name = "dsJndiName">java:/MySqlDS</module-option>
<module-option name = "principalsQuery">select password from users where loginname=?</module-option>
<module-option name = "rolesQuery">select role, 'Roles' from roles where loginname=?</module-option>
<!--
<module-option name = "principalsQuery">select password from users email where loginname=?</module-option>
<module-option name = "rolesQuery">select role, 'Roles' from roles where loginname=?</module-option>
-->
<module-option name = "unauthenticatedIdentity">nobody</module-option>
<module-option name = "managedConnectionFactoryName">jboss.jca:service=LocalTxCM,name=MySqlDS</module-option>
</login-module>
</application-policy>
In mysql-service.xml I have:
<!--uncomment this line if you are using the MySqlDbRealm above
<attribute name="SecurityDomainJndiName">MySqlDbRealm</attribute>
-->
<depends optional-attribute-name="ManagedConnectionFactoryName">
<!--embedded mbean-->
MySqlDS
<config-property name="ConnectionURL" type="java.lang.String">jdbc:mysql://localhost:3306/mysite</config-property>
<config-property name="DriverClass" type="java.lang.String">org.gjt.mm.mysql.Driver</config-property>
<!--set these only if you want only default logins, not through JAAS -->
<config-property name="UserName" type="java.lang.String">dbuser</config-property>
<config-property name="Password" type="java.lang.String">dbpassword</config-property>
If I uncomment the SecurityDomainJndiName line I receive tons of Security Exceptions (Principal=null) when starting JBoss, and no beans are loaded. I guess this is the problem.
Let's say I don't use EJB authentication at all - is my application 'safe enough' just because users cannot access the admin-role JSP pages (only the admin pages call the methods that are intended for admin)?
How can I prevent users who are not in the admin role from accessing a bean whose methods are marked @ejb:permission role-name="admin"? (That is, how do I get rid of the Principal=null problem when enabling the security domain?)
I'm very thankful for any help!
-Joacim
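The following is an added example, not code from the post above or from JBoss: a small Python model of what the DatabaseServerLoginModule does with the two queries in the login-config.xml shown, and of the role check a container makes for a method marked with `@ejb:permission role-name="admin"`. It runs the poster's exact `principalsQuery` and `rolesQuery` against a constructed in-memory SQLite database whose table layout (`users(loginname, password)`, `roles(loginname, role)`) is assumed from those queries. The `enforce` flag on `admin_method` is a modelling device for the situation described in the post: a bean deployed without a security domain never gets a caller principal and never rejects the call, whatever the web tier allowed. The `roles_query` parameter lets you see why the second column of `rolesQuery` must literally be `'Roles'`: roles placed in any other group name are never consulted by the role check.

```python
import sqlite3

# Queries copied from the poster's login-config.xml. The second column of
# rolesQuery names the JAAS group the role is put into; only the group
# called "Roles" is consulted by the container's role check.
PRINCIPALS_QUERY = "select password from users where loginname=?"
ROLES_QUERY = "select role, 'Roles' from roles where loginname=?"


def build_db():
    """Constructed stand-in for the MySQL schema the two queries imply.
    Assumed layout: users(loginname, password), roles(loginname, role)."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(
        """
        create table users (loginname text primary key, password text not null);
        create table roles (loginname text not null, role text not null);
        insert into users values ('alice', 'secret1'), ('bob', 'secret2');
        insert into roles values ('alice', 'user'), ('bob', 'user'), ('bob', 'admin');
        """
    )
    return conn


def login(conn, loginname, password, roles_query=ROLES_QUERY):
    """Model of DatabaseServerLoginModule: principalsQuery must return a row
    whose password matches the supplied one; then rolesQuery is run and each
    (role, group) row is filed under its group name.  Returns None on failure
    (no principal), otherwise a dict standing in for the authenticated Subject."""
    row = conn.execute(PRINCIPALS_QUERY, (loginname,)).fetchone()
    if row is None or row[0] != password:
        return None
    groups = {}
    for role, group in conn.execute(roles_query, (loginname,)):
        groups.setdefault(group, set()).add(role)
    return {"name": loginname, "groups": groups}


def is_caller_in_role(subject, role):
    """The check behind @ejb:permission role-name=... : a caller must exist and
    the role must sit in the group named "Roles".  A null principal (no
    security domain on the bean) can never satisfy it."""
    if subject is None:
        return False
    return role in subject["groups"].get("Roles", set())


def admin_method(subject, enforce=True):
    """Stand-in for a bean method declared with @ejb:permission role-name="admin".
    enforce=False models a bean deployed with no security domain: the container
    performs no check, so any caller (even an anonymous one) gets through."""
    if enforce and not is_caller_in_role(subject, "admin"):
        raise PermissionError("caller is not in role admin")
    return "admin work done"


if __name__ == "__main__":
    db = build_db()
    alice = login(db, "alice", "secret1")      # user only
    bob = login(db, "bob", "secret2")          # user + admin
    print("alice admin?", is_caller_in_role(alice, "admin"))
    print("bob admin?", is_caller_in_role(bob, "admin"))
    try:
        admin_method(alice)
    except PermissionError as e:
        print("enforced:", e)
    # With no security domain on the bean the same call succeeds for anyone.
    print("unenforced:", admin_method(alice, enforce=False))
```

The point to take from the model is that the JSP-level restriction and the bean-level restriction are independent: `admin_method(alice, enforce=False)` succeeds because nothing between the web tier and the bean re-checks the role, and a wrong group name in `rolesQuery` (e.g. `'Role'` instead of `'Roles'`) makes even a legitimate admin fail the check once enforcement is switched on.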