3 Replies Latest reply on Jun 7, 2005 8:50 PM by monowai

    Sorry, but another prinicpal propegation issue

    monowai Newbie

      I hate to type this, but I?m having issues with JAAS caller principal propagation.

      For what it?s worth, I am running 3.2.6 with a DatabaseLoginModule configured. I added the ClientLoginModule bit after reading some of the other posts here. Needless to say, I've tried removing and relocating it.

      <application-policy name = "fusion">
       <authentication>
       <login-module code = "org.jboss.security.auth.spi.DatabaseServerLoginModule"
       flag = "required">
       <module-option name="debug">true</module-option>
       <module-option name="password-stacking">useFirstPass</module-option>
       <module-option name="unauthenticatedIdentity">mikeh</module-option>
       <module-option name = "dsJndiName">java:/fusion</module-option>
       <module-option name = "principalsQuery">select Password from V_SYS_USER where UID=?</module-option>
       <module-option name = "rolesQuery">select Role, null from V_SYS_USER_ROLES where UID=?</module-option>
       </login-module>
       <login-module code = "org.jboss.security.ClientLoginModule" flag = "required"> </login-module>
       </authentication>
       </application-policy>


      Basically, all my userID?s and Roles are working perfectly on the client side. I am happily authenticating via Jaas and can successfully check roles. All is well with the world in JSP land. My JSPs are secured by my security-domain and are using FORM based authentication.

      The issue seems to be with propagating the authenticated Principal to the EJB world. I have my ejb-jar.xml entries set to
      <security-identity><use-caller-identity/></security-identity>
      ?, but the container is always interpreting the caller as the ?unauthenticatedIdentity? as defined in my Login Module.

      When
      SecurityInterceptor:checkSecurityAssociation(Invocation mi)
      is called, the principal is null. So by this stage I guess it hasn?t been able to obtain the <use-caller-identity>.

      When the container gets around to
      JaasSecurityManager: doesUserHaveRole()
      SubjectActions.getActiveSubject()
      returns the subject for the ?unauthenticatedIdentity? and all it?s associated roles. Authentication definitely works but only because an unauthenticatedIdentity has been supplied. If I remove it from login-conf.xml, then I can?t log in to my app, likewise if I remove critical roles. I?m sure I shouldn?t have to delve so deep in to the bowels of JBOSS to get this configured right?

      I have read Chapter 8 and every post that seemed vaguely related to this issue (of which there are many!). But call me thick, it seems 2 steps forward 1 step back.

      Any and all pointers gratefully accepted.

      Thx
      Mike