2 Replies Latest reply on Feb 13, 2003 3:31 PM by petertje

    Servlet Run-As & unauthenticatedIdentity

    cobraflow

      Hi,

      I've looked at hundreds of 'Security' posts, but can't find an answer.

      I want a servlet, which loads on startup, to access EJBs. The servlet runs like a scheduler, checking things on a timed basis. A user may also hit the servlet from a browser to set params etc.

      1) I set the servlet's run-as tag to a role that has rights to the EJBs.

      => I get the 'standard' principal=null exception.

      2) I also set the unauthenticated-principal in the EJBs' jboss.xml

      => No effect?

      3) I remove 2) and add unauthenticatedIdentity to my login-config.xml

      => I now get further... however, isCallerInRole('run-as' role) returns false.


      What I really want is for a load-on-startup servlet to have 'system' rights to EJBs without resorting to storing a user/pwd in the servlet init-param tags and executing a 'logon' in the servlet's init().

      I should be able to do this through declarative security only... shouldn't I?


      Lewis

        • 1. Re: Servlet Run-As & unauthenticatedIdentity
          cobraflow

          ...A little more info....

          1) The <unauthenticated-principal> is ignored if you specify a <security-domain> in your jboss.xml

          2) The security manager does not try to authenticate if the request comes from my load-on-startup servlet (no user interaction) and hence does not get either the <unauthenticated-principal> OR the unauthenticatedIdentity (specified in the login-config.xml), thus throwing the 'standard' Insufficient method permissions, principal=null,... Exception. Without a principal, the <run-as> role is never checked.

          ...anybody got any ideas?

          Lewis

          • 2. Re: Servlet Run-As & unauthenticatedIdentity

            > 2) The security manager does not try to authenticate
            > if the request comes from my load-on-startup servlet
            > (no user interaction) and hence does not get either
            > the <unauthenticated-principal> OR the
            > unauthenticatedIdentity (specified in the
            > login-config.xml) so throwing the 'standard'
            > Insufficient method permissions, principal=null,...
            > Exception. Without a principal, the <run-as> role is
            > never checked.

            Right. A servlet 'login' is triggered by an HTTP request for a secured page. If you need a security context set in a servlet, you need to do it yourself: i.e. perform a JAAS login (with ClientLoginModule) or use JBoss-specific API calls to set it. Please note that a JAAS ClientLoginModule associates the security context with the current thread only.

            Hth
            Peter

            Btw. I think JBoss comes with a timer service (MBean) that can execute scheduled actions; maybe you can use this as well.
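As an added example (not code from this thread or from JBoss), here is a load-on-startup servlet that performs the JAAS ClientLoginModule login Peter describes and, because that login is bound to the calling thread, repeats it on the timer thread that actually calls the EJBs. The policy name "client-login", the init-param and system-property names used as a credential source, and the EJB call itself are assumptions.

```java
import java.util.Timer;
import java.util.TimerTask;
import javax.security.auth.callback.*;
import javax.security.auth.login.LoginContext;
import javax.security.auth.login.LoginException;
import javax.servlet.http.HttpServlet;

public class SchedulerServlet extends HttpServlet {
    // Assumed name of the login-config.xml application-policy backed by ClientLoginModule.
    private static final String POLICY = "client-login";
    private Timer timer;
    // Hands name and password to ClientLoginModule through the standard JAAS callbacks.
    static CallbackHandler handler(final String user, final char[] pw) {
        return cbs -> {
            for (Callback cb : cbs) {
                if (cb instanceof NameCallback) ((NameCallback) cb).setName(user);
                else if (cb instanceof PasswordCallback) ((PasswordCallback) cb).setPassword(pw);
                else throw new UnsupportedCallbackException(cb);
            }
        };
    }
    // ClientLoginModule binds the principal to the current thread only: the thread calling the EJBs logs in and out itself.
    static void runWithIdentity(String user, char[] pw, Runnable ejbWork) throws LoginException {
        LoginContext lc = new LoginContext(POLICY, handler(user, pw));
        lc.login();           // principal is now non-null for this thread
        try {
            ejbWork.run();    // EJB method permissions are checked against that principal
        } finally {
            lc.logout();      // clear this thread's security association
        }
    }
    @Override public void init() {
        // Placeholder credential source (assumed for the example); some credential still has to reach the servlet.
        final String user = getInitParameter("scheduler.user");
        final char[] pw = System.getProperty("scheduler.password", "").toCharArray();
        timer = new Timer(true);
        timer.schedule(new TimerTask() {
            @Override public void run() {
                try {
                    runWithIdentity(user, pw, () -> { /* look up and call the EJBs here (assumed) */ });
                } catch (LoginException e) {
                    log("scheduler login failed", e);
                }
            }
        }, 0L, 60000L);
    }
    @Override public void destroy() { if (timer != null) timer.cancel(); }
}
```

Note that a login done once in init() would not carry over to the Timer thread, which is why the login/logout pair is placed inside the TimerTask rather than around the scheduling call.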