3 Replies Latest reply on Apr 12, 2007 7:16 AM by david.malec

Declarative security in JBoss - Annotations and XML file com

david.malec Apr 12, 2007 3:13 AM

Hello everybody

I have a problem with declarative security configuration in application. Finally I configured JAAS authentication/authorization for some of my EJB's using anntations like @SecurityDomain etc. It works properly.

I have configured login-config :

<application-policy name = "kusssdemo-policy">

<login-module code = "org.jboss.security.ClientLoginModule" flag = "required"/>
<login-module code = "org.jboss.security.auth.spi.DatabaseServerLoginModule" flag = "required" >
<module-option name="password-stacking">useFirstPass</module-option>
<module-option name = "dsJndiName">java:/kusssdemo</module-option>
<module-option name = "principalsQuery">...</module-option>
<module-option name = "rolesQuery">...</module-option>
<module-option name="unauthenticatedIdentity">guest</module-option>
</login-module>

</application-policy>

It's a swing application and I use custom ClientLoginModule to perform authentication (but for this case it doesn't matter I think)

But now I need to declare security in DD (ejb-jar.xml). I want to use the same roles, which I retrieve from DatabaseServerLoginModule to protect method from other EJB's.

my ejb-jar is :
<ejb-jar>
....
<enterprise-beans>

<ejb-name>DegreeBusinessLogicBean</ejb-name>
<ejb-class>at.jku.kusss.degreemngt.degree.facade.DegreeBusinessLogicBean</ejb-class>
<session-type>Stateless</session-type>
<security-identity>
<run-as>
<role-name>admin</role-name>
</run-as>
</security-identity>

</enterprise-beans>
<assembly-descriptor>
<security-role>
<role-name>admin</role-name>
</security-role>
<method-permission>
<role-name>admin</role-name>

<ejb-name>DegreeBusinessLogicBean</ejb-name>
<method-name>*</method-name>

</method-permission>
...
</ej-jar>

I'm using JBoss 4.2.0CR1 and I found that tag <security-role-ref> is not implemented yet.

my jboss.xml :

<security-domain>java:/jaas/kusssdemo-policy</security-domain>
<enterprise-beans>

<ejb-name>DegreeBusinessLogicBean</ejb-name>
<jndi-name>ejb/DegreeBusinessLogicBean</jndi-name>

</enterprise-beans>

But it does not work, the EJB can access everybody.

PLEASE can you help me, am I missing something?

Thanks an wish a nice day

David

1. Re: Declarative security in JBoss - Annotations and XML file

jaikiran Apr 12, 2007 3:24 AM (in response to david.malec)
Try this in the jboss.xml:

<security-domain>kusssdemo-policy</security-domain>
Actions
2. Re: Declarative security in JBoss - Annotations and XML file

david.malec Apr 12, 2007 3:39 AM (in response to david.malec)

Thankx jaikiran, but it does not work as well. I think that in ejb-jar is wrong definition, I use <rsecurity-identity> but it is probably not what I need. When I use <rsecurity-role-ref> then I get erro NYI - Not Yet Implemented.

And one more question, Do I have to define <security-role> in <assembly-descriptor> even if I want JBoss to use roles retrieven from DatabaseServer LoginModule?

Anyway thanks, can anybody point me to good source? I was saerching, but most of EJB3 samples use annotatios. I found this : http://labs.jboss.com/portal/jbossws/user-guide/en/html/secure-ejb.html

but they use there <secure-role-ref> which does not work in this JBoss version.

Do I have to wait for implementation? Actually I'm downloading the source of Jboss5.0 beta2, maybe it helps.

But can anybody see other problems in posted configuration?

Thank you for your time
Actions
3. Re: Declarative security in JBoss - Annotations and XML file

david.malec Apr 12, 2007 7:16 AM (in response to david.malec)

Ok, I found solution.

First of all - the jboss.xml must be in META-INF/jboss.xml . I had it in JBOSS_HOME/server/default/conf.

in jboss.xml I just tell to JBoss to use seecurity domain :

<security-domain>kusssdemo-policy</security-domain>

I did not defined <security-role> in <assembly-descriptor>, the are taken from LoginModule
Actions

Go to original post