0 Replies Latest reply on May 17, 2005 6:03 PM by Fernando Gonçalves

    Security Roles not validated

    Fernando Gonçalves Newbie

      I've implemented a custom login module extending the org.jboss.security.auth.spi.UsernamePasswordLoginModule. I've implemented the methods getUsersPassword and getRoleSets. The authentication process runs well, but the authorization does not. After logon using JAAS I make calls to EJB methods that require security roles, and I get one principal=null on my EBJ SessionContext. I think that this is a propagation problem. In the method getRoleSets I have created one SimpleGroup named Roles and added to it two SimplePrincipals.

      Group[] groups = {new SimpleGroup("Roles")};
      SimplePrincipal role = new SimplePrincipal("R1");
      groups[0].addMember(role);
      role = new SimplePrincipal("R2");
      groups[0].addMember(role);

      In my ejb-jar.xml I have created the secury-role AuthorizedUser, and gave it permission to one method of one EJB

      <security-role>
      <role-name>AuthorizedUser</role-name>
      </security-role>

      <method-permission>
      <role-name>AuthorizedUser</role-name>
      < method >
      <ejb-name>FAQSession</ejb-name>
      <method-intf>Remote</method-intf>
      <method-name>getAllFaqs</method-name>
      <method-params></method-params>
      < /method >
      </method-permission>

      I was hopping that I would be forbidden to invoke this method but is executes fine, and it is in this EJB that I get principal=null in the sessionContext, after the authentication process, and after the method getRolesSets invocation by JAAS.

      I?m currently using JBoss 3.2.5

      Can anyone help me?