3 Replies Latest reply on Mar 3, 2004 4:54 AM by Scott Stark

    Security flaw in JBoss ?

    Joao Machado Newbie

      Hi,

      I have create some SLSBs with declarative security and a custom Login Module. I have a text mode client that uses JBoss client-login and needs to be (as expected) validated before I make some calls to the beans.

      But now, I'm developing a new client that is based in eclipse (eclipse plugin). With this one is possible to call my EJB methods without logging and even configuring the client-login module !! The security is ignored !

      In a eclipse plugin, because each plugin has it own classloader, we need to do this below, to properly create a EJBHome reference. Maybe the problem is there ! Anyone knows this problem ??

      protected EJBHome getSeviceHome(String serviceName, Class clazz)
      {
      
       //Change de ClassLoader for The Initial Context ClassLoader
       ClassLoader oldClassLoader = Tread.currentThread().getContextClassLoader();
       Thread.currentThread().setContextClassLoader(getContextClassLoader());
      
       try
       {
       Object objref = getInitialContext().lookup(serviceName);
       EJBHome home = (EJBHome) PortableRemoteObject.narrow(objref, clazz);
       return home;
       }
       catch (Throwable e)
       {
       log.fatal(e);
       return null;
       }
       finally
       {
       // reset the context classloader
       Thread.currentThread().setContextClassLoader(oldClassLoader);
       }
      }
      


        • 1. Re: Security flaw in JBoss ?
          Scott Stark Master

          Without a specfication and configuration of a security-domain in a jboss.xml descriptor there is no security. Validate that the eclipse plugin in correctly configuring the jboss.xml descriptor.

          • 2. Re: Security flaw in JBoss ?
            Joao Machado Newbie

            jboss.xml is correctly configured in the Server. I'm using a eclipse plugin as an EJB client.

            The problem is that my eclipse plugin client bypasses the security context that I have configured.
            But if I use my command-line client it works as expected (the login process must be done to call some method).

            Debugging my EJB I see that the principal in the session context is null when called by the eclipse plugin. But the method is called and works.

            ejb-jar.xml

            ...
             <method-permission >
             <description></description>
             <role-name>customer</role-name>
             <role-name>internal</role-name>
             <method >
             <description></description>
             <ejb-name>ProjectService</ejb-name>
             <method-name>*</method-name>
             </method>
             </method-permission>
            ...
            


            jboss.xml
            <jboss>
             <security-domain>java:/jaas/sinergia</security-domain>
             <enterprise-beans>
             <session>
             <ejb-name>ProjectService</ejb-name>
             <jndi-name>ProjectService</jndi-name>
             </session>
             </enterprise-beans>
             <resource-managers>
             </resource-managers>
            </jboss>
            


            • 3. Re: Security flaw in JBoss ?
              Scott Stark Master

              I don't use eclipse, so try the JBossIDE forum.