I hate to type this, but I?m having issues with JAAS caller principal propagation.
For what it?s worth, I am running 3.2.6 with a DatabaseLoginModule configured. I added the ClientLoginModule bit after reading some of the other posts here. Needless to say, I've tried removing and relocating it.
<application-policy name = "fusion"> <authentication> <login-module code = "org.jboss.security.auth.spi.DatabaseServerLoginModule" flag = "required"> <module-option name="debug">true</module-option> <module-option name="password-stacking">useFirstPass</module-option> <module-option name="unauthenticatedIdentity">mikeh</module-option> <module-option name = "dsJndiName">java:/fusion</module-option> <module-option name = "principalsQuery">select Password from V_SYS_USER where UID=?</module-option> <module-option name = "rolesQuery">select Role, null from V_SYS_USER_ROLES where UID=?</module-option> </login-module> <login-module code = "org.jboss.security.ClientLoginModule" flag = "required"> </login-module> </authentication> </application-policy>
Basically, all my userID?s and Roles are working perfectly on the client side. I am happily authenticating via Jaas and can successfully check roles. All is well with the world in JSP land. My JSPs are secured by my security-domain and are using FORM based authentication.
The issue seems to be with propagating the authenticated Principal to the EJB world. I have my ejb-jar.xml entries set to
<security-identity><use-caller-identity/></security-identity>?, but the container is always interpreting the caller as the ?unauthenticatedIdentity? as defined in my Login Module.
SecurityInterceptor:checkSecurityAssociation(Invocation mi)is called, the principal is null. So by this stage I guess it hasn?t been able to obtain the <use-caller-identity>.
When the container gets around to
JaasSecurityManager: doesUserHaveRole() SubjectActions.getActiveSubject()returns the subject for the ?unauthenticatedIdentity? and all it?s associated roles. Authentication definitely works but only because an unauthenticatedIdentity has been supplied. If I remove it from login-conf.xml, then I can?t log in to my app, likewise if I remove critical roles. I?m sure I shouldn?t have to delve so deep in to the bowels of JBOSS to get this configured right?
I have read Chapter 8 and every post that seemed vaguely related to this issue (of which there are many!). But call me thick, it seems 2 steps forward 1 step back.
Any and all pointers gratefully accepted.