3 Replies Latest reply on Apr 12, 2007 7:16 AM by david malec

    Declarative security in JBoss - Annotations and XML file com

    david malec Newbie

      Hello everybody

      I have a problem with declarative security configuration in application. Finally I configured JAAS authentication/authorization for some of my EJB's using anntations like @SecurityDomain etc. It works properly.

      I have configured login-config :

      <application-policy name = "kusssdemo-policy">

      <login-module code = "org.jboss.security.ClientLoginModule" flag = "required"/>
      <login-module code = "org.jboss.security.auth.spi.DatabaseServerLoginModule" flag = "required" >
      <module-option name="password-stacking">useFirstPass</module-option>
      <module-option name = "dsJndiName">java:/kusssdemo</module-option>
      <module-option name = "principalsQuery">...</module-option>
      <module-option name = "rolesQuery">...</module-option>
      <module-option name="unauthenticatedIdentity">guest</module-option>
      </login-module>

      </application-policy>

      It's a swing application and I use custom ClientLoginModule to perform authentication (but for this case it doesn't matter I think)

      But now I need to declare security in DD (ejb-jar.xml). I want to use the same roles, which I retrieve from DatabaseServerLoginModule to protect method from other EJB's.


      my ejb-jar is :
      <ejb-jar>
      ....
      <enterprise-beans>

      <ejb-name>DegreeBusinessLogicBean</ejb-name>
      <ejb-class>at.jku.kusss.degreemngt.degree.facade.DegreeBusinessLogicBean</ejb-class>
      <session-type>Stateless</session-type>
      <security-identity>
      <run-as>
      <role-name>admin</role-name>
      </run-as>
      </security-identity>

      </enterprise-beans>
      <assembly-descriptor>
      <security-role>
      <role-name>admin</role-name>
      </security-role>
      <method-permission>
      <role-name>admin</role-name>

      <ejb-name>DegreeBusinessLogicBean</ejb-name>
      <method-name>*</method-name>

      </method-permission>
      ...
      </ej-jar>

      I'm using JBoss 4.2.0CR1 and I found that tag <security-role-ref> is not implemented yet.

      my jboss.xml :



      <security-domain>java:/jaas/kusssdemo-policy</security-domain>
      <enterprise-beans>

      <ejb-name>DegreeBusinessLogicBean</ejb-name>
      <jndi-name>ejb/DegreeBusinessLogicBean</jndi-name>

      </enterprise-beans>



      But it does not work, the EJB can access everybody.

      PLEASE can you help me, am I missing something?

      Thanks an wish a nice day

      David