1 Reply Latest reply on Sep 15, 2003 11:04 AM by davidsills

Cannot find roles from database

davidsills Sep 15, 2003 10:55 AM

I'm using jboss-3.0.4_tomcat-4.1.12 and am having a problem with the DatabaseLoginModule. I have read and read, and am baffled.

I want access to my test bean restricted to the "admn" role. The test works perfectly if I use:

<application-policy name = "databaseModule">

<login-module code = "org.jboss.security.auth.spi.IdentityLoginModule"
flag = "sufficient">
<module-option name="principal">msmolyak</module-option>
<module-option name="roles">admin</module-option>
</login-module>

</application-policy>

Thus I know that if my application can retrieve the principal name "msmolyak" and the associated role "admin" all will be well. The problem is, the database module can't seem to do this.

This is my login configuration:

<application-policy name = "databaseModule">

<login-module code = "org.jboss.security.auth.spi.DatabaseServerLoginModule"
flag = "sufficient">
<module-option name="dsJndiName">java:/ExtDbDS</module-option>
<module-option name="principalsQuery">
select * from dsills.users where user_name = ?
</module-option>
<module-option name="rolesQuery">
select * from dsills.roles where user_name = ?
</module-option>
</login-module>
<login-module code="org.jboss.security.auth.spi.ClientLoginModule" flag="required"/>
<login-module code="org.jboss.security.auth.spi.AnonLoginModule" flag="sufficient">
<module-option name="unauthenticatedIdentity">ANYBODY</module-option>
</login-module>

</application-policy>

If I use the roles query:

select * from dsills.roles where user_name = 'msmolyak'

the result is:

msmolyak,admin,Roles

but when I try to login using msmolyak, I get this error:

2003-09-15 12:41:59,343 ERROR [org.jboss.ejb.plugins.LogInterceptor] EJBException, causedBy:
java.lang.SecurityException: Insufficient method permissions, principal=msmolyak, method=create, interface=HOME, requiredRoles=[admin], principalRoles=null
at org.jboss.ejb.plugins.SecurityInterceptor.checkSecurityAssociation(SecurityInterceptor.java:228)
at org.jboss.ejb.plugins.SecurityInterceptor.invokeHome(SecurityInterceptor.java:94)
at org.jboss.ejb.plugins.LogInterceptor.invokeHome(LogInterceptor.java:129)
at org.jboss.ejb.StatelessSessionContainer.invokeHome(StatelessSessionContainer.java:300)
at org.jboss.ejb.Container.invoke(Container.java:730)
at org.jboss.mx.server.MBeanServerImpl.invoke(MBeanServerImpl.java:517)
at org.jboss.invocation.jrmp.server.JRMPInvoker.invoke(JRMPInvoker.java:382)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
at java.lang.reflect.Method.invoke(Method.java:324)
at sun.rmi.server.UnicastServerRef.dispatch(UnicastServerRef.java:261)
at sun.rmi.transport.Transport$1.run(Transport.java:148)
at java.security.AccessController.doPrivileged(Native Method)
at sun.rmi.transport.Transport.serviceCall(Transport.java:144)
at sun.rmi.transport.tcp.TCPTransport.handleMessages(TCPTransport.java:460)
at sun.rmi.transport.tcp.TCPTransport$ConnectionHandler.run(TCPTransport.java:701)
at java.lang.Thread.run(Thread.java:536)

It looks as though I have been authenticated as msmolyak, but my roles could not be retrieved. What am I missing? I've bashed my head against this for three days, and I'd appreciate any advice. Thanks!

1. Re: Cannot find roles from database

davidsills Sep 15, 2003 11:04 AM (in response to davidsills)

Never mind. The problem was with the JBoss 3.0 Deployment and Administration Handbook. It said I had to have back a username column in the roles query. I finally found a posting in this forum that indicated that it should just return , 'Roles'. This works great, so far.
Actions