> I have a web application with a restricted area and
> an unrestricted area.
> The structure is the following:
> /secure (webapp)
> /secure/admin/ (secure area accessible only by the admin role)
> /secure/admin/page1.jsp
> /secure/page2.jsp (accessible by everyone)
> When I call page2.jsp directly without being
> authenticated first I get the following error:
_when_ do you get this error? In an EJB, or are you calling getRemoteUser() or....?
The reason can be this: if page2 is not secured (you said: without being authenticated first) no security context is set. Using the unauthenticated property doesn't help, because the system is not performing a login for unsecured pages...
Hope I made myself clear, if not let me know.
> java.lang.RuntimeException: checkSecurityAssociation;
> Authentication exception, principal=null
> I added the unauthenticatedIdentity property at my
> login module declaration but nothing changed.
> Any ideas or solutions about the problem would be
> very helpful!
> Korros Panagiotis.
> my login-config.xml contains:
> <application-policy name="secure">
Thanks for your reply.
For your first question, the error occurs in the EJB container.
Since I posted to this forum I played a little and discovered that when I used the "IdentityLoginModule" I was able to call my EJB from both the unsecured and secured areas.
This means that the behaviour you describe applies to "UsersRolesLoginModule". Am I right?
At the end my question still remains. How can I configure JBoss so that I have limited access to my EJBs from the unrestricted area?
> Thanks for your reply.
You're welcome. ;-)
> Since I posted to this forum I played a little and
> discovered that when I used the "IdentityLoginModule"
> I was able to call my EJB from both the unsecured and
> secured areas.
> This means that the behaviour you describe applies to
> "UsersRolesLoginModule". Am I right?
This surprises me, because the behaviour I described is (as you'd expect of course) independent of the login module that is configured. I just checked, to make sure I'm not talking nonsense here, and my sample does not allow access to secured EJBs with IdentityLoginModule either. I also checked the source code (JBoss 3.0.3): it does not authenticate when no security constraint applies.
> At the end my question still remains. How can I
> configure JBoss so that I have limited access to my
> EJBs from the unrestricted area?
I can only think of one solution: you have to set the security context yourself. More explanation and code sample can be found at http://www.luminis.nl/publications/websecurity.html
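
Added example, not part of the original posts or the linked article: one way to "set the security context yourself" for unsecured pages is a servlet filter that binds a low-privilege identity to the request thread before the EJB call and resets it afterwards. The class name `GuestIdentityFilter` and the init parameters `guestUser` and `guestPassword` are hypothetical; the guest account is assumed to exist in the security domain with only the roles the public EJB methods need.

```java
import java.io.IOException;
import java.security.Principal;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import org.jboss.security.SecurityAssociation;
import org.jboss.security.SimplePrincipal;

// Hypothetical filter; map it in web.xml only to the unsecured URLs (e.g. /page2.jsp).
public class GuestIdentityFilter implements Filter {
    // Assumed low-privilege account taken from the filter's init parameters.
    private Principal guest;
    private char[] guestPassword;

    public void init(FilterConfig cfg) {
        guest = new SimplePrincipal(cfg.getInitParameter("guestUser"));
        guestPassword = cfg.getInitParameter("guestPassword").toCharArray();
    }

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        // If the container already authenticated the caller, keep its context.
        if (((HttpServletRequest) req).getUserPrincipal() != null) {
            chain.doFilter(req, res);
            return;
        }
        // No security constraint applied, so no context exists yet: bind the guest identity.
        SecurityAssociation.setPrincipal(guest);
        SecurityAssociation.setCredential(guestPassword);
        try {
            chain.doFilter(req, res);
        } finally {
            // Request threads are pooled: always reset so the identity
            // cannot carry over to the next request served by this thread.
            SecurityAssociation.setPrincipal(null);
            SecurityAssociation.setCredential(null);
        }
    }

    public void destroy() { }
}
```

The EJB method permissions still decide what the guest role may call, so the admin-only methods stay unreachable from the unrestricted area.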