1 Reply Latest reply on May 7, 2008 10:34 AM by Olivier Thierry

    Need help to configure security with Seam and EJB3

    Olivier Thierry Apprentice


      I desperately try to enable security on EJB3 session beans called from Seam components, but I can't find how to do this. When I try to call EJB3 session bean, I have a "Authentication failure" error. It's hard to find clear documentations about this on the web, so I hope someone will help me here ... Note I just want to authenticate for the moment, I don't want to use roles based authorization because it won't be enough for my needs.

      My app is an EAR with two jars :
      - one with EJB3 session beans
      - one with Seam components (EJB3, not pojos)
      The problem appears when I call secured EJB3 session beans from a Seam component.

      Here is what I did for the moment :

      In my EJB3 session beans jar :

      One example of a EJB3 session bean ...

      META-INF/jboss.xml :


      META-INF/ejb-jar.xml :


      In the EAR :

      META-INF/jboss-app.xml :

      <?xml version="1.0" encoding="UTF-8"?>
      <!DOCTYPE jboss-app
       PUBLIC "-//JBoss//DTD J2EE Application 1.4//EN"

      META-INF/t4Seam-login-service.xml :

      <?xml version="1.0" encoding="UTF-8"?>
       <mbean code="org.jboss.security.auth.login.DynamicLoginConfig"
       <attribute name="AuthConfig">META-INF/t4Seam-login-config.xml</attribute>
       <depends optional-attribute-name="LoginConfigService">
       <depends optional-attribute-name="SecurityManagerService">

      META-INF/t4Seam-login-config.xml :

      <?xml version="1.0" encoding="UTF-8"?>
      <!DOCTYPE policy PUBLIC
       "-//JBoss//DTD JBOSS Security Config 3.0//EN"
       <application-policy name="t4Seam">
       <login-module code="org.jboss.seam.security.jaas.SeamLoginModule" flag="required">
       <login-module code="org.jboss.security.ClientLoginModule" flag="required">
       <module-option name="restore-login-identity">true</module-option>
       <module-option name="multi-threaded">false</module-option>

      In Seam components JAR :

      META-INF/components.xml :

       jaas-config-name="t4Seam" />

      My Seam authenticate method (there is no security on compteUtilisateurDao EJB) :

      private CompteUtilisateurDao compteUtilisateurDao;
      public boolean authenticate()
       throws java.lang.Exception
       String username = Identity.instance().getUsername();
       String password = Identity.instance().getPassword();
       CompteUtilisateur utilisateur = compteUtilisateurDao.findByUsernameAndPassword(username, password);
       return (utilisateur != null);

      And the code calling the EJB3 session bean from a Seam component :

      @javax.ejb.EJB protected ServiceBaseEmployeLocal serviceEmploye;
      @org.jboss.seam.annotations.Factory(value = "employes")
      public void getEmployes() throws java.lang.Exception
       this.employes = this.serviceEmploye.loadAllEmployes();

      What I saw in traces is that both SeamLoginModule and ClientLoginModule are called and run OK. But it looks like the JAAS subject is not propagated to EJB layer, while it is (for what I understood) the goal of ClientLoginModule.

      Anyone has an idea what I do wrong ? Maybe I forgot some config files or misunderstood something with JBoss Security ?

      Thanks in advance,