2 Replies Latest reply on Apr 1, 2009 4:30 AM by Zithulele Shange

    EJB 3 Security in JBoss 5.0.1.GA

    Zithulele Shange Newbie

      Hi,

      This is my jboss-beans xml:

      <application-policy xmlns="urn:jboss:security-beans:1.0" name="lms-system">

      <login-module code="org.jboss.security.auth.spi.DatabaseServerLoginModule" flag="required" >
      <module-option name="dsJndiName">java:/lmsDS</module-option>
      <module-option name="principalsQuery">
      select user_pass from admin_user where username=?
      </module-option>
      <module-option name="rolesQuery">
      select role_name, 'Roles' from security_role where user_name = ?
      </module-option>
      <module-option name="hashAlgorithm">MD5</module-option>
      <module-option name="unauthenticatedIdentity">LMS_USER</module-option>
      <module-option name="hashCharset">UTF-8</module-option>
      <!--module-option name="password-stacking">useFirstPass</module-option-->
      <module-option name="hashEncoding">base64</module-option>
      </login-module>


      <policy-module code="org.jboss.security.authorization.modules.JACCAuthorizationModule" flag="required"/>
      <!--policy-module code="org.jboss.security.authorization.modules.DelegatingAuthorizationModule" flag="required"/-->
      <!--policy-module code="org.jboss.security.authorization.modules.XACMLAuthorizationModule" flag="optional"/ -->

      </application-policy>
      <!--application-policy xmlns="urn:jboss:security-beans:1.0" name="test-domain2" extends="other">

      <policy-module code="org.jboss.security.authorization.modules.XACMLAuthorizationModule" flag="required"/>

      </application-policy-->


      Client login code:
      securityClient.setSimple(userName, password.toCharArray());
      // securityClient.setVmwideAssociation(true);
      securityClient.login();
      context = new InitialContext();


      later I then lookup with code:
      context.lookup(jndiName);


      This is the scurity audit log:
      2009-03-30 18:29:06,672 TRACE [org.jboss.security.audit.providers.LogAuditProvider] (WorkerThread#0[127.0.0.1:54686]:) [Success]Source=org.jboss.security.javaee.EJBAuthenticationHelper;principal=123;method=findUserByName;
      2009-03-30 18:29:06,883 TRACE [org.jboss.security.audit.providers.LogAuditProvider] (WorkerThread#0[127.0.0.1:54686]:) [Error]Source=org.jboss.security.plugins.javaee.EJBAuthorizationHelper;Exception:=Authorization Failed: ;Resource:=[org.jboss.security.authorization.resources.EJBResource:contextMap={policyRegistration=org.jboss.security.plugins.JBossPolicyRegistration@1168524}:method=public za.gov.housing.domain.model.User za.gov.housing.ejb.service.UserServiceBean.findUserByName(java.lang.String) throws za.gov.housing.common.exception.SystemException,za.gov.housing.common.exception.ApplicationException:ejbMethodInterface=Remote:ejbName=UserServiceBean:ejbPrincipal=123:MethodRoles=Roles(,):securityRoleReferences=null:callerSubject=Subject:
      Principal: 123
      Principal: Roles(members)
      :callerRunAs=null:callerRunAs=null:ejbRestrictionEnforcement=false:ejbVersion=null];policyRegistration=org.jboss.security.plugins.JBossPolicyRegistration@1168524;

      my jboss.xml:

      <security-domain>java:/jaas/lms-system</security-domain>
      <!--unauthenticated-principal /-->
      <missing-method-permissions-excluded-mode>true</missing-method-permissions-excluded-mode>


      EJB:
      @Stateless
      @SecurityDomain("lms-system")
      public class UserServiceBean implements UserServiceRemote {


      @Override
      public User findUserByName(String name) throws SystemException, ApplicationException{
      try {
      User user = userFacade.findByUserName(name);


      I get caller unauthorised exception

        • 1. Re: EJB 3 Security in JBoss 5.0.1.GA
          Wolfgang Knauf Master

          Hi,

          as far as I know, your application policy/security domain should be declared in "login-config.xml" found in your JBoss configuration. I never heard of being able to declare it in a " jboss-beans.xml", but maybe this is a new feature ;-).

          If you activate security layer logging, do you see status or error messages of the configured login module/security domain? If no, then it is not configured.

          Hope this helps

          Wolfgang

          By the way: please wrap xml/code snippets in "[ code ] ... [ /code]" tags (without the spaces of course ;-) ), this makes it more readable.

          • 2. Re: EJB 3 Security in JBoss 5.0.1.GA
            Zithulele Shange Newbie

            Thanks for the reply, the deployment is taken from Anil's page which talks about EJB/WEB security. The nice thing about it is that it comes with the application rather than configured in the server.

            I changed my module configuration for authorisation to use DelegatingAuthorizationModule, and then added a restore-login property on the module and then it worked. I am still going to test it for multiple concurrent users.

            Zithuba