2 Replies Latest reply on Sep 13, 2004 10:06 AM by dorst1

    Endless Authentication Loop

    dorst1 Newbie

      I am trying to perform JAAS authentication logic through a call to an unprotected session bean (which is a part of a security domain which contains protected and unprotected beans). I know, that this is less than ideal, however I do not have a choice because it is part of a very large application and I need to harness custom framework logic that is built into the application ejb layer. In doing so, I find my self in an endless loop between my login module and the call to the unprotected session bean.

      Has anyone else tried this before, or know something I can do to fix the problem? The strange thing is that it was working under JBoss 3.2.3, however when I upgraded to version 3.2.5, I began to get the endless loop. I can not be 100% sure that the upgrade is to blame, because something could have changed in my app (we have many developers working on it) that could also be triggering the problem.


      More Details on my configuration:
      Login-Config

      <application-policy name = "desktop-app">
       <authentication>
       <login-module code="org.jboss.security.auth.spi.AnonLoginModule"
       flag = "sufficient">
       <module-option name = "unauthenticatedIdentity">anonymous</module-option>
       </login-module>
      
       <login-module code="security.authentication.jaas.DesktopJBossLoginModule"
       flag = "sufficient" />
       </authentication>
      </application-policy>
      

      I put the AnonLoginModule first to allow JBoss to authenticate my login module's access to the unprotected bean so the endless loop does not happen.

      I am unsecuring beans by using the following tags inside the ejb.xml
      <method-permission>
       <unchecked/>
       <method>
       <ejb-name>SomeBeanName</ejb-name>
       <method-name>*</method-name>
       </method>
      </method-permission>
      


        • 1. Re: Endless Authentication Loop
          Scott Stark Master

          I don't know how this could have been working in 3.2.3. You cannot use a preceeding login module to provide an authenticated context to secured resources for subsequent login modules declared in the same configuration. JAAS authentication does not work that way. The overall collection of login modules has to execute in order for the to be a security context establish for use for ejb calls. The looping behavior is what I would expect.

          There are two execution modes for the given login module stack:
          1) an anonymous call is made and the unauthenticatedIdentity mode of the AnonLoginModule succeeds and the DesktopJBossLoginModule is never called.

          2) an call with a security context is made and the AnonLoginModule fails and the DesktopJBossLoginModule is executed. A call to an unchecked ejb still needs an authentication context. The only way this can work is by deploying the ejb used by the DesktopJBossLoginModule under a seperate security domain that allows anyone to access it. The jboss.xml descriptor allows for this so check the jboss_3_2.dtd for the syntax.

          You can file a bug report at sourceforge if you have a testcase that shows the looping on 3.2.5 but that works on 3.2.3 here:
          http://sourceforge.net/tracker/?group_id=22866&atid=376685

          • 2. Re: Endless Authentication Loop
            dorst1 Newbie

            Thanks Scott for the response. I was not aware that one could create multiple security domains in the same deployable jar file.