4 Replies Latest reply on Mar 25, 2006 1:02 PM by Scott Stark

    @SecurityDomain Annotation clarification.

    Nikhil Koranne Newbie

      Hello,

      I am using JBoss 4.0.3SP1 and EJB 3.0. I am trying to use the annotation approach for adding the SecurityDomain. (I am not using the jboss.xml and ejb-jar.xml approach.)

      I am successfully able to perform authentication using the SRP implementation, but am not able to perform authorization.

      Here are the details of the annotation approach.
      I think my security domain class is not picked up by JBoss, so an unauthorized user is also able to access a method which he is not supposed to access.

      For the annotation approach, I have used the following tags for my bean class.

      @Stateless
      @SecurityDomain("DBLogin")
      public class UserMgmtServiceBean implements UserMgmtService

      and for the method in this class, this is what I have written:

      @RolesAllowed({ "ManageUsers" })
      public boolean addUser(Object obj) throws Exception
      {
          // calling the next addUser of the DAO class.
      }

      These are the contents of my login-config.xml file.

      <application-policy name="DBLogin">
        <authentication>
          <login-module code="org.jboss.security.ClientLoginModule"
                        flag="required">
          </login-module>
          <login-module code="org.jboss.security.srp.jaas.SRPCacheLoginModule"
                        flag="required">
            <module-option name="cacheJndiName">srp/AuthenticationCache</module-option>
          </login-module>
          <login-module code="test.DatabaseRoleLoginModule"
                        flag="required">
            <module-option name="password-stacking">useFirstPass</module-option>
            <module-option name="dsJndiName">java:/AMPDS</module-option>
            <module-option name="rolesQuery">SELECT TRIM(Roles.name), 'Roles'
              FROM Roles, GroupRoles, Groups, UserGroups, Users
              WHERE Roles.id = GroupRoles.roleID
                AND GroupRoles.groupID = Groups.id
                AND UserGroups.groupID = Groups.ID
                AND UserGroups.userID = Users.id
                AND Users.username = ?</module-option>
            <module-option name="dbDriver">org.gjt.mm.mysql.Driver</module-option>
            <module-option name="dbURL">jdbc:mysql://localhost/TestDB</module-option>
          </login-module>
        </authentication>
      </application-policy>

      DatabaseRoleLoginModule is my custom login module, but since I am not able to retrieve the roles, the authorization is not happening... Please let me know if there is any missing link.

      I have searched on the Developer's forum before posting this query, but could not find the related information.

      So in my case, a guest user who does not have the role ManageUsers is able to perform the addUser operation.

      Any thoughts?

      Thanks
      Nik
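A check worth making before blaming the annotation is that the stacked role module actually hands a group named "Roles" back to JBoss, since that is the only group the @RolesAllowed check consults. The sketch below is an added example, not the poster's DatabaseRoleLoginModule (whose source is not in the thread) and not JBoss code; it shows how a role-only module is normally built on JBoss's AbstractServerLoginModule, with the class name, option names and the rolesQuery column layout taken from the post and everything else assumed.

```java
import java.security.Principal;
import java.security.acl.Group;
import java.sql.*;
import java.util.*;
import javax.naming.InitialContext;
import javax.security.auth.Subject;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.login.LoginException;
import javax.sql.DataSource;
import org.jboss.security.SimpleGroup;
import org.jboss.security.SimplePrincipal;
import org.jboss.security.auth.spi.AbstractServerLoginModule;

// Hypothetical role-only module; class and option names follow the post.
public class DatabaseRoleLoginModule extends AbstractServerLoginModule {
    private String dsJndiName, rolesQuery;

    public void initialize(Subject subject, CallbackHandler handler, Map sharedState, Map options) {
        super.initialize(subject, handler, sharedState, options);
        dsJndiName = (String) options.get("dsJndiName");  // java:/AMPDS in the post
        rolesQuery = (String) options.get("rolesQuery");  // ends with "Users.username=?"
    }

    // password-stacking=useFirstPass: super.login() accepts the identity the SRP
    // module already stored in sharedState, so this module only has to add roles.
    protected Principal getIdentity() {
        Object name = sharedState.get("javax.security.auth.login.name");
        if (name instanceof Principal) return (Principal) name;
        return name == null ? null : new SimplePrincipal(name.toString());
    }

    // commit() copies these groups into the Subject; the EJB container checks
    // @RolesAllowed against members of the group named "Roles" only.
    protected Group[] getRoleSets() throws LoginException {
        Principal user = getIdentity();
        if (user == null) throw new LoginException("no identity in shared state");
        Map groups = new HashMap();  // group name (column 2) -> SimpleGroup
        try {
            DataSource ds = (DataSource) new InitialContext().lookup(dsJndiName);
            Connection conn = ds.getConnection();
            try {
                PreparedStatement ps = conn.prepareStatement(rolesQuery);
                ps.setString(1, user.getName());
                ResultSet rs = ps.executeQuery();
                while (rs.next()) {
                    String role = rs.getString(1), groupName = rs.getString(2);
                    SimpleGroup g = (SimpleGroup) groups.get(groupName);
                    if (g == null) groups.put(groupName, g = new SimpleGroup(groupName));
                    g.addMember(new SimplePrincipal(role));  // e.g. "ManageUsers"
                }
            } finally { conn.close(); }
        } catch (Exception e) { throw new LoginException("role lookup failed: " + e); }
        return (Group[]) groups.values().toArray(new Group[groups.size()]);
    }
}
```

If the query returns no rows for the caller, the returned array is empty and the container should deny any @RolesAllowed method; enabling TRACE logging for org.jboss.security shows which groups actually reached the Subject.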