8 Replies Latest reply on Jul 21, 2006 7:27 AM by Victor Denisov

    Problem accessing EJB unchecked method from a servlet (with

    Victor Denisov Newbie

      Hello, I'm stuck at the following problem. I have one EJB module and two web apps inside a single ear. Relevant parts of configuration files follow:

      From jboss.xml:

      <security-domain>java:/jaas/db_store</security-domain>
      


      From ejb-jar.xml:
       <method-permission>
       <unchecked/>
       <method>
       <ejb-name>ModerEJB</ejb-name>
       <method-intf>Home</method-intf>
       <method-name>create</method-name>
       </method>
       </method-permission>
      


      From jboss-web.xml #1:
      <security-domain>java:/jaas/db_store</security-domain>
      


      From jboss-web.xml #2:
      <security-domain>java:/jaas/other</security-domain>
      


      From login-config.xml:
       <application-policy name="db_store">
       <authentication>
      
       <login-module code="org.jboss.security.auth.spi.DatabaseServerLoginModule" flag="required">
       <module-option name="dsJndiName">
       DS/Standard
       </module-option>
       <module-option name="principalsQuery">
       SELECT usr_password FROM users WHERE usr_login = ?
       </module-option>
       <module-option name="rolesQuery">
       SELECT 'CommonUser', 'Roles' FROM users WHERE usr_login = ?
       </module-option>
       <module-option name="hashAlgorithm">SHA1</module-option>
       <module-option name="hashEncoding">hex</module-option>
       <module-option name="ignorePasswordCase">true</module-option>
       <module-option name="unauthenticatedIdentity">nobody</module-option>
       </login-module>
       </authentication>
       </application-policy>
      
       <application-policy name = "other">
       <authentication>
       <login-module code = "org.jboss.security.auth.spi.UsersRolesLoginModule"
       flag = "required">
       <module-option name="unauthenticatedIdentity">nobody</module-option>
       </login-module>
       </authentication>
       </application-policy>
      


      The bean itself is constructed by a helper (BeanHelper), located inside the ejb module - don't know if it makes a difference.

      Now, on to the problem. I have a servlet in web app #2, which tries to create a bean (by calling an unchecked create() method). Only authorised users have access to the servlet (through BASIC authorization, if it matters). When the call to create() is made, it fails with the following exception (parts skipped for clarity):

      java.rmi.AccessException: SecurityException; nested exception is:
       javax.security.auth.login.FailedLoginException: No matching username found in Principals
       at org.jboss.ejb.plugins.LogInterceptor.handleException(LogInterceptor.java:388)
       at org.jboss.ejb.plugins.LogInterceptor.invokeHome(LogInterceptor.java:136)
      ...
       at ru.singlecity.ejb.BeanHelper.getModerBean(BeanHelper.java:216)
      ...
      Caused by: javax.security.auth.login.FailedLoginException: No matching username found in Principals
       at org.jboss.security.auth.spi.DatabaseServerLoginModule.getUsersPassword(DatabaseServerLoginModule.java:152)
       at org.jboss.security.auth.spi.UsernamePasswordLoginModule.login(UsernamePasswordLoginModule.java:206)
      ...
       at javax.security.auth.login.LoginContext.invoke(LoginContext.java:769)
       at javax.security.auth.login.LoginContext.access$000(LoginContext.java:186)
       at javax.security.auth.login.LoginContext$4.run(LoginContext.java:683)
       at java.security.AccessController.doPrivileged(Native Method)
       at javax.security.auth.login.LoginContext.invokePriv(LoginContext.java:680)
       at javax.security.auth.login.LoginContext.login(LoginContext.java:579)
       at org.jboss.security.plugins.JaasSecurityManager.defaultLogin(JaasSecurityManager.java:601)
       at org.jboss.security.plugins.JaasSecurityManager.authenticate(JaasSecurityManager.java:535)
       at org.jboss.security.plugins.JaasSecurityManager.isValid(JaasSecurityManager.java:344)
       at org.jboss.ejb.plugins.SecurityInterceptor.checkSecurityAssociation(SecurityInterceptor.java:211)
       at org.jboss.ejb.plugins.SecurityInterceptor.invokeHome(SecurityInterceptor.java:135)
       at org.jboss.ejb.plugins.LogInterceptor.invokeHome(LogInterceptor.java:132)
       ... 47 more
      


      So - what am I doing wrong? The principal is already set (by the web app) and access to the method of the bean is set to unchecked... If the principal wasn't passed on to the EJB, it would've caused a different exception (see item #1 in the FAQ), but it hadn't. Any help would be greatly appreciated!

      With best regards,
      Victor Denisov.