    Security flaw in JBoss?

    Joao Machado Newbie


      I have created some SLSBs with declarative security and a custom Login Module. I have a text-mode client that uses the JBoss client-login module and needs to be (as expected) validated before I make some calls to the beans.

      But now I'm developing a new client that is based on Eclipse (an Eclipse plugin). With this one it is possible to call my EJB methods without logging in and even without configuring the client-login module!! The security is ignored!

      In an Eclipse plugin, because each plugin has its own classloader, we need to do what is shown below to properly create an EJBHome reference. Maybe the problem is there! Does anyone know about this problem??

      // Needs: import javax.ejb.EJBHome; import javax.rmi.PortableRemoteObject;
      protected EJBHome getSeviceHome(String serviceName, Class clazz) {
          // Switch the context ClassLoader so the InitialContext can load the plugin's stubs
          ClassLoader oldClassLoader = Thread.currentThread().getContextClassLoader();
          try {
              Thread.currentThread().setContextClassLoader(getClass().getClassLoader());
              Object objref = getInitialContext().lookup(serviceName);
              EJBHome home = (EJBHome) PortableRemoteObject.narrow(objref, clazz);
              return home;
          } catch (Throwable e) {
              return null;
          } finally {
              // reset the context classloader
              Thread.currentThread().setContextClassLoader(oldClassLoader);
          }
      }

          Scott Stark Master

          Without a specification and configuration of a security-domain in a jboss.xml descriptor there is no security. Validate that the eclipse plugin is correctly configuring the jboss.xml descriptor.
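A minimal pair of descriptors illustrating the point above, added here as a constructed example (not from the thread or from JBoss itself): the bean, role, JNDI and security-domain names are placeholders.

```xml
<!-- ejb-jar.xml: declarative security on the bean (placeholder names) -->
<ejb-jar>
  <enterprise-beans>
    <session>
      <ejb-name>ExampleService</ejb-name>
      <home>example.ExampleServiceHome</home>
      <remote>example.ExampleService</remote>
      <ejb-class>example.ExampleServiceBean</ejb-class>
      <session-type>Stateless</session-type>
      <transaction-type>Container</transaction-type>
    </session>
  </enterprise-beans>
  <assembly-descriptor>
    <security-role>
      <role-name>Operator</role-name>
    </security-role>
    <!-- Every business method of the bean requires the Operator role -->
    <method-permission>
      <role-name>Operator</role-name>
      <method>
        <ejb-name>ExampleService</ejb-name>
        <method-name>*</method-name>
      </method>
    </method-permission>
  </assembly-descriptor>
</ejb-jar>

<!-- jboss.xml: the security-domain element is what switches enforcement on.
     Without it the method-permission above is not applied and a caller with
     no credentials (null principal in the session context) still gets through. -->
<jboss>
  <security-domain>java:/jaas/example-domain</security-domain>
  <enterprise-beans>
    <session>
      <ejb-name>ExampleService</ejb-name>
      <jndi-name>ejb/ExampleService</jndi-name>
    </session>
  </enterprise-beans>
</jboss>
```

The java:/jaas/example-domain name must match an application-policy entry in the server's login-config.xml; when checking a deployment, compare the deployed jboss.xml against the server's own domain names rather than these placeholders.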

            Joao Machado Newbie

            jboss.xml is correctly configured on the server. I'm using an Eclipse plugin as an EJB client.

            The problem is that my Eclipse plugin client bypasses the security context that I have configured.
            But if I use my command-line client it works as expected (the login process must be done before calling some methods).

            Debugging my EJB, I see that the principal in the session context is null when it is called by the Eclipse plugin. But the method is called and works.


              Scott Stark Master

              I don't use Eclipse, so try the JBossIDE forum.