10 Replies Latest reply on Nov 2, 2004 9:23 AM by peter neville

    Does security work on jboss 4?

    peter neville Newbie

      Hi,
      Thought I would as this as I have spent a day trying various configurations with little joy.
      I am simply trying to use basic authentication (configured in web.xml) and then use a policy for UsersRolesLoginModule. I have set up some secutiry on the EJB that the servlet is calling and get mixed results:

      The authentication is working from the servlet (i.e. login takes place and EJB is aware of the role and principal (sometimes).

      If I add permission to call the EJB's create method alone then I get the exception = Insufficient method permissions, principal=externaluser, method=processMsg, interface=LOCAL, requiredRoles=[], principalRoles=[external]
      So if required roles is empty, what is the problem?

      If I add permission to both the create and busness method (processMsg) for the same role I get:
      CreateException, causedBy:
      java.lang.SecurityException: Insufficient method permissions, principal=null, me
      thod=create, interface=LOCALHOME, requiredRoles=[], principalRoles=[external]
      Strange as previously create was happy.

      If I add permission to the create and business method under different roles (but not giving the user this new role) I get:
      Insufficient method permissions, principal=externaluser, method=processMsg, interface=LOCAL, requiredRoles=[external1], principalRoles=[external]
      This sounds promising as it looks like I just need to add this role to the user.

      If I add the role 'external1' to the user I get:
      Insufficient method permissions, principal=null, me
      thod=create, interface=LOCALHOME, requiredRoles=[], principalRoles=[external]
      Again strange as previosuly create was working!

      Help much appreciated...