2 Replies Latest reply on May 28, 2009 10:18 AM by anonym54321

    unauthorized-principal not applied



      I'm quite new to JBoss and JEE and tried to realize a very simple webshop to become familiar with both topics. The application is an EAR, containing a WAR and an EJB-part.
      When I try to add security by adding the security-domain "java:jaas/webshop" to the WAR's jboss-web.xml and "webshop" to the EJB's jboss.xml[1] after defining the application-policy "webshop" in conf/login-config.xml, I can't call any (unprotected! no method-permission in ejb-jar.xml) EJBs anymore. If I try, I get a SecurityException, because the principal is null.
      I expected the principal for unauthenticated users to be equal to unauthenticated-principal in conf/standardjboss.xml, but it seems this is never applied.

      Can anybody explain to me how I can use this unauthenticated-principal, or how to access my (unprotected) EJBs without discarding the security-domain?

      Stefan (after hours of googling)

      [1]: Using "java:jaas/webshop" in jboss.xml causes a ClassCastException because "JaasSecurityManager cannot be cast to SecurityDomainContext". In https://jira.jboss.org/jira/browse/JBAS-4022 Erica Kane suggested leaving the prefix out.

        • 1. Re: unauthorized-principal not applied

          I forgot something: I have to use EJB 2.1, so I can't use these nice annotations.

          • 2. Re: unauthorized-principal not applied

            Ok, finally I managed to work around this issue. I just removed the security-context from the EJB's jboss.xml. Looks like just using the name of the application-policy as mentioned in [1] isn't the right way...

            But after this, I had a different (but possibly related?) problem. Instead of showing the login-dialog, I get an IllegalStateException on the console complaining about "Authorization Manager is null".
            If I remove the security-context from the jboss-web.xml, the dialog appears, but I didn't find a way to specify the correct login-configuration defined in conf/login-config.xml.

            A very basic example:

            The web.xml:

                <web-app xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns="http://java.sun.com/xml/ns/javaee" xmlns:web="http://java.sun.com/xml/ns/javaee/web-app_2_5.xsd" xsi:schemaLocation="http://java.sun.com/xml/ns/javaee http://java.sun.com/xml/ns/javaee/web-app_2_5.xsd" id="WebApp_ID" version="2.5">
                  <login-config>
                    <realm-name>Some Realm</realm-name>
                  </login-config>
                </web-app>

            And the page:

                <html><body>Hello World</body></html>
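To make the pieces discussed in this thread concrete, here is a minimal, consistent set of the three web-side descriptors involved, as an added example and not configuration taken from the original posts. It shows how the application-policy, the WAR's security-domain and the web.xml login-config fit together, and where an unauthenticated caller gets a principal instead of a null one. It assumes JBoss 4.x/5.x with the stock UsersRolesLoginModule; the policy name "webshop", the realm name, the properties file names, the "anonymous" identity and the "customer" role are placeholders, and the EJB-side jboss.xml is left out because the thread shows its security-domain form differing between versions.

```xml
<!-- conf/login-config.xml: the application-policy that the security-domain
     entries name. unauthenticatedIdentity is the login-module option that
     gives a caller presenting no credentials a real principal instead of a
     null one. Give that identity no entry in the roles file: any role it has
     is effectively granted to every unauthenticated caller. -->
<application-policy name="webshop">
  <authentication>
    <login-module code="org.jboss.security.auth.spi.UsersRolesLoginModule"
                  flag="required">
      <module-option name="usersProperties">props/webshop-users.properties</module-option>
      <module-option name="rolesProperties">props/webshop-roles.properties</module-option>
      <module-option name="unauthenticatedIdentity">anonymous</module-option>
    </login-module>
  </authentication>
</application-policy>

<!-- WEB-INF/jboss-web.xml: bind the WAR to that policy. The JNDI name JBoss
     expects here is java:/jaas/<policy-name>, with a slash after the colon. -->
<jboss-web>
  <security-domain>java:/jaas/webshop</security-domain>
</jboss-web>

<!-- WEB-INF/web.xml: only URLs matched by a security-constraint trigger the
     login dialog; everything else stays reachable as the unauthenticated
     identity. auth-method tells the container how to challenge the caller. -->
<web-app xmlns="http://java.sun.com/xml/ns/javaee" version="2.5">
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>checkout</web-resource-name>
      <url-pattern>/checkout/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
      <role-name>customer</role-name>
    </auth-constraint>
  </security-constraint>
  <login-config>
    <auth-method>BASIC</auth-method>
    <realm-name>Some Realm</realm-name>
  </login-config>
  <security-role>
    <role-name>customer</role-name>
  </security-role>
</web-app>
```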