3 Replies Latest reply on Feb 4, 2003 5:43 PM by Peter Doornbosch

    Does unathenticatedIdentity work in JBoss 3.0.x?

    Panagiotis Korros Newbie

      I have a web application with a restricted area and an unrestricted area.

      The structure is the following:

      /secure (webapp)
      /secure/admin/ (secure area accesible only by the admin role) /secure/admin/page1.jsp
      /secure/page2.jsp (accesible by everyone)

      page1.jsp and page2.jsp call the same ejb (marked us unchecked). when i call page1.jsp the system authenticates me and then everything works ok.

      when i call page2.jsp directly without being authenticated first I get the following error:

      java.lang.RuntimeException: checkSecurityAssociation; CausedByException
      is:
      Authentication exception, principal=null

      I added the unauthenticatedIdentity property at my login mdule declaration but nothing changed.

      Any ideas or solutions about the problem would be very helpful!

      Korros Panagiotis.




      my login-config.xml contains:

      <application-policy name="secure">

      <login-module code="org.jboss.security.auth.spi.UsersRolesLoginModule"
      flag="required">
      <module-option name="unauthenticatedIdentity">nobody</module-option>
      </login-module>

      </application-policy>

        • 1. Re: Does unathenticatedIdentity work in JBoss 3.0.x?
          Peter Doornbosch Apprentice

          > I have a web application with a restricted area and
          > an unrestricted area.
          >
          > The structure is the following:
          >
          > /secure (webapp)
          > /secure/admin/ (secure area accesible only by the
          > admin role) /secure/admin/page1.jsp
          > /secure/page2.jsp (accesible by everyone)
          >
          > when i call page2.jsp directly without being
          > authenticated first I get the following error:

          _when_ do you get this error? In an EJB, or are you calling getRemoteUser() or....?

          the reason can be this: if page2 is not secured (you said: without being authenticated first) no security context is set. using the unauthicated property doesn't help, because the system is not performing a login for un-secured pages...

          Hope i made myself clear, if not let me know.
          Peter.


          >
          > java.lang.RuntimeException: checkSecurityAssociation;
          > CausedByException
          > is:
          > Authentication exception, principal=null
          >
          > I added the unauthenticatedIdentity property at my
          > login mdule declaration but nothing changed.
          >
          > Any ideas or solutions about the problem would be
          > very helpful!
          >
          > Korros Panagiotis.
          >
          >
          >
          >
          > my login-config.xml contains:
          >
          > <application-policy name="secure">
          >
          > <login-module
          &gt; le
          &gt; code="org.jboss.security.auth.spi.UsersRolesLoginModul
          &gt; "
          &gt; flag="required">
          > <module-option
          &gt; ion
          &gt; name="unauthenticatedIdentity">nobody</module-option>
          > </login-module>
          >
          > </application-policy>

          • 2. Re: Does unathenticatedIdentity work in JBoss 3.0.x?
            Panagiotis Korros Newbie

            Thanks for your reply.

            For your first question the error occures in the ejb container.

            Since i posted to this forum i played a litle and discovered that when i used the "IdentityLoginModule" i was able to call my ejb from both the unsecured and secured areas.

            This means that the behaviour your describe aplies to "UsersRolesLoginModule". Am i right?

            At the end my question still remains. how can i configure jboss so that i have limited access to my ejbs from the unrestricted area?

            • 3. Re: Does unathenticatedIdentity work in JBoss 3.0.x?
              Peter Doornbosch Apprentice

              > Thanks for your reply.
              You're welcome. ;-)

              > Since i posted to this forum i played a litle and
              > discovered that when i used the "IdentityLoginModule"
              > i was able to call my ejb from both the unsecured and
              > secured areas.
              > This means that the behaviour your describe aplies to
              > "UsersRolesLoginModule". Am i right?

              This surprises me, because the behaviour i described is (as you'd expect of course) independent of the login module that is configured. I just checked, to make sure i'm not talking nonsense here, and my sample does not allow access to secured EJBs with IdentityLoginModule either. I also checked the source code (JBoss 3.0.3): it does not authenticate when no security constraint applies.

              > At the end my question still remains. how can i
              > configure jboss so that i have limited access to my
              > ejbs from the unrestricted area?

              I can only think of one solution: you have to set the security context yourself. More explanation and code sample can be found at http://www.luminis.nl/publications/websecurity.html

              Hth,
              Peter.