JBoss 5 authentication / authorization problem
apph_ Feb 2, 2009 2:16 PMHello,
I'm having problems integrating JBoss 5 authentication / authorization in my application. I'm using EJB3, JSF 2 (but it's maven project, so actually JBoss JSF implementation is used) + Facelets.
The configuration is as follows:
1. First i've added jboss-web.xml to my WEB-INF directory. File content looks like this:
<?xml version="1.0" encoding="UTF-8"?> <!DOCTYPE jboss-web PUBLIC "-//JBoss//DTD Web Application 2.4//EN" "http://www.jboss.org/j2ee/dtd/jboss-web_5_0.dtd"> <jboss-web> <security-domain>java:/jaas/toy-shop-realm</security-domain> </jboss-web>
2. I have added security domain configuration to login-config.xml located in JBOSS_INSTALL_DIR\server\default\conf\ like this:
<application-policy name="toy-shop-realm"> <authentication> <login-module code="org.jboss.security.auth.spi.UsersRolesLoginModule" flag="required"> <module-option name="usersProperties">props/toy-shop-users.properties</module-option> <module-option name="rolesProperties">props/toy-shop-roles.properties</module-option> <module-option name="securityDomain">java:/jaas/toy-shop-realm</module-option> </login-module> </authentication> </application-policy>
As you can see there are two files: toy-shop-users.properties and toy-shop-roles.properties in JBOSS_INSTALL_DIR\server\default\conf\props\ directory.
toy-shop-users.properties content is as simple as:
admin=admin
user=user
and toy-shop-roles.properties:
admin=admin
user=user
3. I have defined URL addresses security in web.xml in WEB-INF directory:
<security-constraint> <web-resource-collection> <web-resource-name>all</web-resource-name> <url-pattern>/*</url-pattern> </web-resource-collection> <auth-constraint> <role-name>user</role-name> </auth-constraint> </security-constraint> <security-role> <role-name>admin</role-name> </security-role> <security-role> <role-name>user</role-name> </security-role> <login-config> <auth-method>FORM</auth-method> <form-login-config> <form-login-page>/login.jsp</form-login-page> <form-error-page>/error.jsp</form-error-page> </form-login-config> </login-config>
The login.jsp page simply uses j_security_check for authentication.
4. And finally some security annotation in EJB bean:
@SecurityDomain("toy-shop-realm") @RolesAllowed({"admin", "user"}) @Stateless public class PaymentLogic implements PaymentContract { @EJB(mappedName="PaymentJpaDao/local") private PaymentDao paymentDao; @RolesAllowed({"admin"}) public List<Payment> getActivePayments() { return paymentDao.getActivePayments(); } }
PaymentContract is simple interface with one method and no annotations.
PaymentJpaDao is defined as Stateless bean.
Now, when i start the application it requires authentication. If i provide non-defined user name i will not go through. If it's 'user' or 'admin' defined in properties file it is ok. But it looks like security annotations are completely ignored. Everybody can invoke getActivePayments method. Web application is tested as war (will be packed as ear in future) and it uses another library with defined EJB's (PaymentLogic, PaymentJpaDao, etc.). Now if i add jboss.xml file to META-INF directory of this library:
<jboss> <security-domain>toy-shop-realm</security-domain> </jboss>
then when i invoke getActivePayments logged as 'user' i'll get EJBAccessException: Caller unauthorized. This is great. But when i invoke it as 'admin', i'll get the 403 error - access denied. If I add <role-name>admin</role-name> in <auth-constraint> in web.xml i'll also get EJBAccessException: Caller unauthorized for 'admin' login.
What am i missing?
Thx for any help.