2 Replies Latest reply on Jul 19, 2003 6:28 AM by time4tea

    Principal is null in secured EJB

    time4tea

      I've seen this raised many times in these forums but I can't find the answer I'm looking for!

      I have a web-app deployed with a security-domain, allowing users to log-in. The behaviour of some pages is changed according to whether the user is logged in or not.

      One of my jsps calls an EJB method, say, findSomething(). I wanted the behaviour of this to change based on whether the caller had a particular role.

      I added if ( isCallerInRole (foo) ), and got an error 'no security context active', so added a security-domain to the jboss.xml, and the appropriate security-role elements in the ejb-jar.xml.

      Now logged in users can get the required functionality. However non-logged-in users get a

      java.rmi.ServerException: EJBException:; nested exception is:
      javax.ejb.EJBException: checkSecurityAssociation; CausedByException is:
      Authentication exception, principal=null
      at org.jboss.ejb.plugins.LogInterceptor.handleException(LogInterceptor.java:346)

      error. I have tried adding an unauthenticated-principal element to the jboss.xml descriptor, but it seems to have no effect.

      If anybody can help me out here I would very much appreciate it!!!!

      Thanks!

      James

        • 1. Re: Principal is null in secured EJB
          sebi

          Hi James,

          > Now logged in users can get the required functionality. However non-logged-in users get a
          >
          > java.rmi.ServerException: EJBException:; nested exception is:
          > javax.ejb.EJBException: checkSecurityAssociation; CausedByException is:
          > Authentication exception, principal=null
          > at org.jboss.ejb.plugins.LogInterceptor.handleException(LogInterceptor.java:346)

          I had this problem a few days ago. The thing is that JBoss' security manager will check for user roles on all beans that are secured with a specified security domain in jboss.xml. It does not matter whether one of the method permissions is specified as or not.
          In order for the security manager's role check to succeed there has to be a principal (user) assigned to the method call even if the user is not authenticated.
          To achieve this you could add the org.jboss.security.auth.spi.AnonLoginModule with the module option unauthenticatedIdentity=guest to the application login policy for your web application.

          • 2. Re: Principal is null in secured EJB
            time4tea

            Thanks! That worked like a charm!

            <application-policy name="databaselogin">
              <!-- Real users: "sufficient" means a successful database login ends the chain here -->
              <login-module code="org.jboss.security.auth.spi.DatabaseServerLoginModule" flag="sufficient">
                <module-option name="dsJndiName">java:/defaultDS</module-option>
                <module-option name="principalsQuery">select user_password from users where user_name = ?</module-option>
                <module-option name="rolesQuery">select role_name, 'Roles' from users u, user_roles ur, roles r where u.user_name = ? and ur.user_id = u.user_id and ur.role_id = r.role_id</module-option>
              </login-module>
              <!-- Non-logged-in callers: assign the "guest" principal so the EJB security check no longer sees principal=null -->
              <login-module code="org.jboss.security.auth.spi.AnonLoginModule" flag="required">
                <module-option name="unauthenticatedIdentity">guest</module-option>
              </login-module>
            </application-policy>


            Hurrah!

            James
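As an added example (not code from this thread or from JBoss), here is a small audit script that reads an application-policy fragment like the one James posted and reports, per policy, which identity a non-logged-in caller receives. A policy with no unauthenticatedIdentity leaves anonymous callers at principal=null, which is exactly the checkSecurityAssociation failure above; a policy that does set one should be cross-checked so that identity's roles are not granted in ejb-jar.xml method-permissions. The sample XML is constructed from the thread's config plus a second policy without AnonLoginModule for contrast.

```python
"""Audit JBoss application-policy entries for anonymous-caller handling."""
import xml.etree.ElementTree as ET

ANON_MODULE = "org.jboss.security.auth.spi.AnonLoginModule"
DB_MODULE = "org.jboss.security.auth.spi.DatabaseServerLoginModule"

# Constructed sample: the thread's policy (trimmed) plus one lacking AnonLoginModule.
SAMPLE_LOGIN_CONFIG = f"""<policy>
  <application-policy name="databaselogin">
    <login-module code="{DB_MODULE}" flag="sufficient">
      <module-option name="dsJndiName">java:/defaultDS</module-option>
    </login-module>
    <login-module code="{ANON_MODULE}" flag="required">
      <module-option name="unauthenticatedIdentity">guest</module-option>
    </login-module>
  </application-policy>
  <application-policy name="other">
    <login-module code="{DB_MODULE}" flag="required"/>
  </application-policy>
</policy>"""


def anonymous_identity(policy):
    """Return (login-module code, identity) for the first module in the
    policy that sets unauthenticatedIdentity, or None if no module does
    (anonymous calls then reach the EJB with principal=null)."""
    for module in policy.iter("login-module"):
        for opt in module.findall("module-option"):
            value = (opt.text or "").strip()
            if opt.get("name") == "unauthenticatedIdentity" and value:
                return module.get("code"), value
    return None


def audit(xml_text):
    """Map each application-policy name to its anonymous identity (or None)."""
    root = ET.fromstring(xml_text)
    return {p.get("name", "").strip(): anonymous_identity(p)
            for p in root.iter("application-policy")}


def report(xml_text):
    """Human-readable findings, one line per policy."""
    lines = []
    for name, found in sorted(audit(xml_text).items()):
        if found is None:
            lines.append(f"{name}: no unauthenticatedIdentity; non-logged-in "
                         f"callers will fail with principal=null")
        else:
            code, ident = found
            lines.append(f"{name}: anonymous callers become '{ident}' via "
                         f"{code.rsplit('.', 1)[-1]}; keep that identity out "
                         f"of roles used in method-permission elements")
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(SAMPLE_LOGIN_CONFIG))
```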