2 Replies Latest reply on Dec 2, 2003 9:54 AM by me1

    isCallerInRole() works in Servlet, but not in EJB

    me1 Newbie

      Hi,
      I'm implemeting the J2EE security in JBoss 3.2.2 with "UsersRolesLoginModule".
      Mapping the principal and it's role in the Servlet works fine. But in the EJB I've got just the principal and not it's asserted role.
      (The application (servlet - ejb) works)

      Output of Servlet:
      10:56:55,391 INFO [Security] SearchAction.execute(): Principal=a Roles=Manager,
      Output of EJB:
      10:57:01,941 INFO [Security] EJB.searchItem() Principal=a Roles=

      So what do I have to configurate that I get the users corresponding role?

      Any help is verry appreciated!

      Thanks, Andrea.


      Here is my current configuration:

      web.xml:
      <security-constraint>
      <web-resource-collection>
      <web-resource-name>Restricted</web-resource-name>
      some description
      <url-pattern>/jsp/*</url-pattern>
      <http-method>GET</http-method>
      <http-method>POST</http-method>
      </web-resource-collection>
      <auth-constraint>
      <role-name>Manager</role-name>
      <role-name>ProjectMember</role-name>
      </auth-constraint>
      <user-data-constraint>
      <transport-guarantee>NONE</transport-guarantee>
      </user-data-constraint>
      </security-constraint>
      <login-config>
      <auth-method>BASIC</auth-method>
      <realm-name>myPlatform</realm-name>
      </login-config>
      <security-role>
      <role-name>Manager</role-name>
      </security-role>
      <security-role>
      <role-name>ProjectMember</role-name>
      </security-role>

      jboss-web.xml:
      <jboss-web>
      <security-domain>java:/jaas/myDomain</security-domain>
      <ejb-ref>
      <ejb-ref-name>ejb/Bean</ejb-ref-name>
      <jndi-name>jnp://localhost:1099/Bean</jndi-name>
      </ejb-ref>
      </jboss-web>

      ejb-jar.xml:
      <ejb-jar >
      -
      <enterprise-beans>

      -
      <display-name>mySample</display-name>

      <ejb-name>NGPLibrary</ejb-name>

      sample.library.ejb.interfaces.NGPLibraryHome
      sample.library.ejb.interfaces.NGPLibrary
      <ejb-class>sample.library.ejb.NGPLibraryBean</ejb-class>
      <session-type>Stateless</session-type>
      <transaction-type>Container</transaction-type>

      <security-role-ref>
      <role-name>Manager</role-name>
      <role-link></role-link>
      </security-role-ref>
      <security-role-ref>
      <role-name>ProjectMember</role-name>
      <role-link></role-link>
      </security-role-ref>

      </enterprise-beans>

      <assembly-descriptor >
      <security-role>
      -
      <role-name>Manager</role-name>
      </security-role>
      <security-role>
      -
      <role-name> ProjectMember</role-name>
      </security-role>

      <method-permission >
      -
      <role-name>Manager</role-name>
      <role-name> ProjectMember</role-name>

      -
      <ejb-name>NGPLibrary</ejb-name>
      <method-name>remove</method-name>
      <method-params>
      </method-params>

      ...

      jboss.xml:

      <security-domain>java:/jaas/myDomain</security-domain>
      <enterprise-beans>

      <ejb-name>NGPLibrary</ejb-name>
      <jndi-name>LibraryBean</jndi-name>

      </enterprise-beans>


      login-config.xml:
      <application-policy name="myDomain">

      <login-module code="org.jboss.security.auth.spi.UsersRolesLoginModule" flag="required"/>

      </application-policy>

        • 1. Re: isCallerInRole() works in Servlet, but not in EJB
          Mikkel Heisterberg Newbie

          Try to see if the JAAS Subject contains the roles on the servlet side and on the EJB side using the same approach i.e. SecurityAssociation.getSubject(). The toString() of the Subject class shows the principal name and the list of roles:

          Subject s = SecurityAssociation.getSubject();
          System.out.println(s);

          This could help diagnose if the problem lies in the EJB / servlet role configuration or whether it's deeper.

          lekkim

          • 2. Re: isCallerInRole() works in Servlet, but not in EJB
            me1 Newbie

            Hi lekkim

            you were right!

            The output (principal and roles) was in servlet and EJB the same.
            I thought that it must be in my appl configuration and found it in the ejb-jar.xml
            <role-link></role-link> can't be empty as in web.xml ...

            Thank you verry much you really helped me!
            All the best,

            Andrea