    servlet call EJB secured -> Authentication exception, princi

    Pedro Salazar Newbie


      I'm trying to invoke a secured EJB (method permissions) in my servlet, but even with the run-as in my web.xml to set the role authorized in my EJB, I always got the error below:

      2004-07-01 21:19:52,661 ERROR [org.jboss.web.localhost.Engine] StandardWrapperValve[ServiceServlet]: Servlet.service() for servlet ServiceServlet threw exception
      javax.ejb.EJBException: checkSecurityAssociation; CausedByException is:
       Authentication exception, principal=null

      My web.xml:
       <display-name>Service HTTP/XML Servlet</display-name>
       <description>UIF Interface HTTP/XML</description>
       <description>permission to execute UIF engine</description>

      My ejb-jar.xml of my EJB:
      <ejb-jar >
       <method-permission >
       <description>role granted</description>
       <method >
       <description>create method</description>

      Any help would be very appreciated.

      Pedro Salazar.

          Pedro Salazar Newbie


          Apparently, the problem is not a failure of the role permission verification, but a problem of a null user authentication. I mean, I set the run-as role in my web.xml, but since I didn't define any authentication in my web application, the principal was always null.

          I imagine the workflow something like this:

          1) User authentication
          2) role permission

          So, if in step 1) there isn't any user, the role permission verification in 2) will always fail, probably because of this:

          java.security.Principal getCallerPrincipal()
          boolean isCallerInRole(String roleName)

          I worked around this by setting a dummy user in login-config.xml for the "other" profile to avoid the null principal:
           <login-module code="org.jboss.security.auth.spi.UsersRolesLoginModule"
            flag="required">
            <module-option name="unauthenticatedIdentity">nobody</module-option>
           </login-module>

          So, I would like to ask a new question:

          -How can I set a Principal in my servlet code for the JAAS authentication in a programmatic way?

          If the Principal is null, then I set a dummy Principal, and using the "run-as" element in web.xml, I could solve the problem...

          The advantage is avoiding a specific JBoss configuration, even though I'm developing for JBoss.

          Pedro Salazar.

            Scott Stark Master

            You can't. There is no portable spec method for establishing the anonymous caller identity.
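Since there is no portable API for setting the caller identity from servlet code, the portable way to avoid the null principal is declarative: make the container authenticate the caller before the servlet runs, and let run-as supply the role for the outbound EJB call. The following web.xml is an added example, not from the thread; the servlet class, the URL pattern, the realm name and the role name UIFUser are assumed, and that role must match a role-name in the method-permission of the ejb-jar.xml.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE web-app PUBLIC "-//Sun Microsystems, Inc.//DTD Web Application 2.3//EN"
  "http://java.sun.com/dtd/web-app_2_3.dtd">
<web-app>
  <display-name>Service HTTP/XML Servlet</display-name>

  <servlet>
    <servlet-name>ServiceServlet</servlet-name>
    <!-- assumed class name; the thread does not give it -->
    <servlet-class>example.ServiceServlet</servlet-class>
    <!-- run-as: EJB calls made by this servlet carry the UIFUser role,
         which the EJB's method-permission checks -->
    <run-as>
      <role-name>UIFUser</role-name>
    </run-as>
  </servlet>

  <servlet-mapping>
    <servlet-name>ServiceServlet</servlet-name>
    <url-pattern>/service/*</url-pattern>
  </servlet-mapping>

  <!-- the container must authenticate the caller before invoking the
       servlet, so request.getUserPrincipal() is never null here -->
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>ServiceServlet</web-resource-name>
      <url-pattern>/service/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
      <role-name>UIFUser</role-name>
    </auth-constraint>
  </security-constraint>

  <!-- how the caller authenticates; the realm name is assumed -->
  <login-config>
    <auth-method>BASIC</auth-method>
    <realm-name>UIF</realm-name>
  </login-config>

  <!-- every role used in auth-constraint or run-as is declared here -->
  <security-role>
    <role-name>UIFUser</role-name>
  </security-role>
</web-app>
```

On JBoss the web application additionally needs a security-domain in jboss-web.xml that points at the application-policy in login-config.xml, otherwise the "other" policy applies.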