7 Replies Latest reply on Jul 12, 2006 1:46 AM by jaikiran pai

    Problem extending Web security to EJBs

    Frank LaRosa Newbie

      Hello,

      I am able to set up accounts and protect web resources in my application, but I'm unable to figure out how to protect my EJBs.

      Here is what I have done so far:

      (1) I created users.properties and roles.properties files, and deployed them to the ".ear" directory.

      (2) I did not create any jboss-web.xml file, so my default security realm ought to be the one defined in the jboss-service.xml file in the Tomcat directory; i.e. java:/jaas/other.

      (3) I added all of this to my web.xml file:

      <security-constraint>
      <web-resource-collection>
      <web-resource-name>Administrative</web-resource-name>
      <url-pattern>/admin/*</url-pattern>
      <http-method>GET</http-method>
      <http-method>POST</http-method>
      </web-resource-collection>
      <auth-constraint>
      <role-name>Producer</role-name>
      </auth-constraint>
      </security-constraint>

      <login-config>
      <auth-method>BASIC</auth-method>
      <realm-name>default</realm-name>
      </login-config>

      <security-role>
      Website producers
      <role-name>Producer</role-name>
      </security-role>

      So far this does what I want: when I try to access any web resource at or below /admin, I'm prompted for a login. Entering a name and password from the users.properties file which has the Producer role lets me in.

      Next, I want to assign the same protection to some EJB methods, so I did this:

      (1) I created a jboss.xml file and typed this into it:


      <security-domain>java:/jaas/other</security-domain>


      (2) I deployed the jboss.xml file to my EJB's META-INF directory (same place as ejb-jar.xml).

      (3) I modified my ejb-jar.xml file as follows:

      <security-role>
      <role-name>Producer</role-name>
      </security-role>

      <method-permission>
      <role-name>Producer</role-name>

      <ejb-name>DataServices</ejb-name>
      <method-name>*</method-name>

      </method-permission>

      (4) I added this code to my EJB client application, which runs outside of the JBoss container:

      ht.put(Context.INITIAL_CONTEXT_FACTORY, "org.jnp.interfaces.NamingContextFactory");
      ht.put(Context.PROVIDER_URL, args[0]);
      ht.put(Context.URL_PKG_PREFIXES, "org.jboss.naming:org.jnp.interfaces" );
      ht.put(Context.SECURITY_PRINCIPAL, username);
      ht.put(Context.SECURITY_CREDENTIALS, password);
      ht.put(Context.SECURITY_AUTHENTICATION, "simple");

      Regardless of what username and password I pass here - valid or invalid - I get this exception when I try to call the create() method on the EJB's home object:

      java.rmi.ServerException: RemoteException occurred in server thread; nested exception is:
      java.rmi.AccessException: SecurityException; nested exception is:
      javax.security.auth.login.FailedLoginException: Password Incorrect/Password Required

      It would seem that while JBoss has correctly figured out that some sort of login is required to access the EJB, it does not recognize the supplied credentials.

      Any advice would be appreciated, thanks.

      Frank

        • 2. Re: Problem extending Web security to EJBs
          Frank LaRosa Newbie

          Hi Scott,

          Thanks for the reply. I wasn't sure which factory to use, so I tried them both.

          With JndiLoginInitialContextFactory, I get:
          Exception in thread "main" java.lang.NoClassDefFoundError: org/jboss/security/jndi/SecurityAssociationActions

          I can't seem to locate that class - it isn't in jbossall-client.jar.

          With LoginInitialContextFactory, I get:
          java.lang.SecurityException: Unable to locate a login configuration

          I didn't see anything about having to have a login configuration in the FAQ.

          What should I be passing for Security Protocol? Does it expect just the name of the JAAS module, or does it want the whole path?

          • 3. Re: Problem extending Web security to EJBs
            Scott Stark Master

             

            [sstark@sstark tutorial]$ jar -tf /cvs/Releases/jboss-4.0.3SP1/client/jbossall-
            client.jar | grep JndiLoginInitialContextFactory
            org/jboss/security/jndi/JndiLoginInitialContextFactory.class
            


            http://wiki.jboss.org/wiki/Wiki.jsp?page=LoginInitialContextFactory

            • 4. Re: Problem extending Web security to EJBs
              Frank LaRosa Newbie

              Thanks. I did read that Wiki page earlier. That class is in fact in the jar and the jar is in in my classpath, so I can't figure out why I'm getting a NoClassDefFoundError.

              Can you elaborate on what the value of Context.SECURITY_PROTOCOL should be? The doc says "name of the JAAS login module". Should I put "java:/jaas/other" for this? Or just "other"? I tried them both, but I'm not getting past the NoClassDefFound problem.

              Here's the rest of the stack trace:
              Exception in thread "main" java.lang.NoClassDefFoundError: org/jboss/security/jndi/SecurityAssociationActions
              at org.jboss.security.jndi.JndiLoginInitialContextFactory.getInitialContext(JndiLoginInitialContextFactory.java:64)
              at javax.naming.spi.NamingManager.getInitialContext(NamingManager.java:667)
              at javax.naming.InitialContext.getDefaultInitCtx(InitialContext.java:247)
              at javax.naming.InitialContext.init(InitialContext.java:223)
              at javax.naming.InitialContext.(InitialContext.java:197)

              • 5. Re: Problem extending Web security to EJBs
                Frank LaRosa Newbie

                I have also noticed that as soon as I added the security-domain element to my jboss.xml file, it broke the rest of my application because now all the EJB methods require security to access them, not just the ones I marked.

                I tried marking the rest as "guest", but this is no help.

                • 6. Re: Problem extending Web security to EJBs
                  warren crossing Newbie

                  Release ID: JBoss [Zion] 4.0.4.GA (build: CVSTag=JBoss_4_0_4_GA date=200605151000)

                  As soon as I add
                  <security-domain>java:/jaas/CLICK2CALL</security-domain> to jboss.xml

                  I get

                  java.lang.SecurityException: Insufficient method permissions, principal=admin, ejbName=CallControlBean, method=create, interface=HOME, requiredRoles=[], principalRoles=[admin]

                  Even when there are no roles or method-permissions defined. I think this is a bug.

                  • 7. Re: Problem extending Web security to EJBs
                    jaikiran pai Master

                    You have to *explicitly* add the

                    <unchecked/>
                    tag as part of method permissions to your bean. Something like:

                    <method-permission>
                    
                    <unchecked/>
                    
                     <method>
                     <ejb-name>MyBean</ejb-name>
                     <method-name>*</method-name>
                     </method>
                    </method-permission>