3 Replies Latest reply on Jan 21, 2006 10:37 AM by Anil Saldanha

    Unauthenticated security in EJBs

    Frank LaRosa Newbie

      From the FAQ:

      Q1: Why cannot I access an ejb that has unchecked method permissions?
      A1: The unchecked method permission only removes the requirement that the call have sufficient permissions in terms of roles. The caller still has to be an authenticated caller. If you don't care about caller authentication, use the unauthenticatedIdentity option of the security domain login module to grant anonymous callers a fixed identity.

      I (think I) did just what this says:

      <login-module code = "org.jboss.security.auth.spi.UsersRolesLoginModule"
      flag = "required">
      <module-option name="unauthenticatedIdentity">guest</module-option>
      </login-module>
      <login-module code="org.jboss.security.ClientLoginModule" flag="required"/>

      I still get:

      java.rmi.AccessException: SecurityException; nested exception is:
      java.lang.SecurityException: Insufficient method permissions, principal=null, ejbName=SiteServices, method=create, interface=HOME, requiredRoles=[], principalRoles=[]

      Why "principal=null"? Shouldn't principal always be at least guest?

      I also tried adding this to my jboss.xml file, to no end:


      There are a couple of points I find confusing, though, so perhaps the answer to one of these questions will help solve the problem.

      (1) When I say I want unauthenticatedIdentity to be "guest", does there need to actually be a user named "guest" defined for my security realm (i.e. in this case, in my users.properties file)? I am closely following the examples in a book called "JBoss At Work", and their example doesn't show that there is a need for this. I did try adding such a user, but it didn't help.

      (2) In ejb-jar, I defined a security role "guest", as per the book:


      I then assigned "guest" security to my EJB:




      Is "guest" some kind of a reserved word in this case? If not, then I don't understand why a made-up user called "guest" would also have a role named "guest". Do I need to create a guest user in my properties file and give it a role called "guest"?

      I also tried it without the method-permission element; same result.

      Methods I've tagged as requiring an actual role do work when I'm logged in as a user with that role, so I'm doing something right. Just need to crack this guest thing.
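Added illustration for readers of this thread (it is not part of Frank's post and not JBoss's shipped configuration): the three pieces that have to agree for an anonymous caller to reach an unchecked EJB method. The security-domain name `SiteServicesDomain`, the JNDI name and the file paths are assumptions; the option names `unauthenticatedIdentity`, `usersProperties` and `rolesProperties` are real UsersRolesLoginModule options.

```xml
<!-- 1. conf/login-config.xml (server side). The login modules must be nested inside
     <application-policy>/<authentication>; the policy name here is an assumption. -->
<application-policy name="SiteServicesDomain">
  <authentication>
    <!-- Only the server-side module belongs in this chain. ClientLoginModule is the
         client-side module that attaches a principal/credential to the outgoing call;
         listing it in the server domain authenticates nobody. -->
    <login-module code="org.jboss.security.auth.spi.UsersRolesLoginModule"
                  flag="required">
      <!-- A caller that presents no principal is given the fixed identity "guest"
           instead of null. No password is checked for it, so "guest" need not exist in
           users.properties; its roles, however, are read from roles.properties, so that
           file needs a line such as   guest=guest   if any permission names that role. -->
      <module-option name="unauthenticatedIdentity">guest</module-option>
      <module-option name="usersProperties">users.properties</module-option>
      <module-option name="rolesProperties">roles.properties</module-option>
    </login-module>
  </authentication>
</application-policy>

<!-- 2. META-INF/jboss.xml inside the EJB jar. This binding is what makes the container
     run the domain's login modules for calls to the bean; with no (or a misnamed)
     security-domain the caller is never mapped to "guest". -->
<jboss>
  <security-domain>java:/jaas/SiteServicesDomain</security-domain>
  <enterprise-beans>
    <session>
      <ejb-name>SiteServices</ejb-name>
      <jndi-name>ejb/SiteServices</jndi-name>
    </session>
  </enterprise-beans>
</jboss>

<!-- 3. META-INF/ejb-jar.xml assembly descriptor. The failing call in the thread is
     create on the HOME interface with requiredRoles=[], i.e. no method-permission
     covered that method at all. A wildcard unchecked entry covers home and remote
     methods alike; methods that should stay restricted get their own role entries. -->
<assembly-descriptor>
  <security-role>
    <role-name>guest</role-name>
  </security-role>
  <method-permission>
    <unchecked/>
    <method>
      <ejb-name>SiteServices</ejb-name>
      <method-name>*</method-name>
    </method>
  </method-permission>
</assembly-descriptor>
```

Two checks are worth doing before changing anything else: confirm the `security-domain` in jboss.xml matches the `application-policy` name exactly (the `java:/jaas/` prefix plus the policy name), and read the exception's `requiredRoles` field, which lists the roles the container resolved for the called method; an empty list means the method-permission did not match that method, which is a different problem from the caller lacking a role.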