2 Replies Latest reply on Jul 7, 2004 4:34 PM by Scott Stark

    servlet call EJB secured -> Authentication exception, princi

    Pedro Salazar Newbie

      Greetings,

      I'm trying to invoke a secured EJB (methods permission) in my servet but even with the run-as in my web.xml to set the role authorized in my EJB, I got always the error below:

      2004-07-01 21:19:52,661 ERROR [org.jboss.web.localhost.Engine] StandardWrapperValve[ServiceServlet]: Servlet.service() for servlet ServiceServlet threw exception
      javax.ejb.EJBException: checkSecurityAssociation; CausedByException is:
       Authentication exception, principal=null
      


      My web.xml:
      <web-app>
       <servlet>
       <servlet-name>ServiceServlet</servlet-name>
       <display-name>Service HTTP/XML Servlet</display-name>
       <description>UIF Interface HTTP/XML</description>
       <servlet-class>pt.ptinovacao.nginpro.uif.http.ServiceServlet</servlet-class>
      
       <load-on-startup>5</load-on-startup>
       <run-as>
       <role-name>engine-user</role-name>
       </run-as>
       ...
       <security-role>
       <description>permission to execute UIF engine</description>
       <role-name>engine-user</role-name>
       </security-role>
      
       </servlet>
      </web-app>
      


      My ejb-jar.xml of my EJB:
      <ejb-jar >
      ...
       <method-permission >
       <description>role granted</description>
       <role-name>engine-user</role-name>
       <method >
       <description>create method</description>
       <ejb-name>ServiceManager</ejb-name>
       <method-intf>LocalHome</method-intf>
       <method-name>create</method-name>
       <method-params>
       </method-params>
       </method>
       </method-permission>
      </ejb-jar>
      


      Any help would be very appreciated.

      Regards,
      Pedro Salazar.

        • 1. Re: servlet call EJB secured -> Authentication exception, pr
          Pedro Salazar Newbie

          Hi,

          Apparently, the problem is not a failure of the role permission verification, but a problem of a null user authentication. I mean, I set the run-as role in my web.xml, but since I didn't defined any authentication in my web application, the principal was always null.

          I imagine the workflow something like this:

          1) User authentication
          2) role permission

          So, if the in step 1) there isn't any user, the role permission verification in 2) will always fail, probably because of this:

          java.security.Principal getCallerPrincipal()
          boolean isCallerInRole(String roleName)
          

          I workaround this by setting a dummy user in login-config.xml for the "other" profile to avoid the null principal:
           <authentication>
           <login-module code = "org.jboss.security.auth.spi.UsersRolesLoginModule"
           flag = "required" >
           <module-option name = "unauthenticatedIdentity">nobody</module-option>
          
           </login-module>
           </authentication>
          

          So, I would like to ask a new question:

          -How can I set a Principal in my servlet code for the JAAS authentication in a programatic way?

          If the Principal is null, then I set a dummy Principal, and using the "run-as" element in web.xml, I could solved the problem...

          The advantage is avoiding a specific JBOSS configuration, even I'm developing for JBOSS.

          Regards,
          Pedro Salazar.

          • 2. Re: servlet call EJB secured -> Authentication exception, pr
            Scott Stark Master

            You can't. There is no portable spec method for establishing the anonymous caller identity.