2 Replies Latest reply on May 28, 2009 10:18 AM by anonym54321

    unauthorized-principal not applied

    Newbie

      Hi...

      I'm quite new to JBoss and JEE and tried to realize a very simple webshop to become familiar with both topics. The application is an EAR, containing a WAR and an EJB-part.
      When I try to add security by adding the security-domain "java:jaas/webshop" to the WAR's jboss-web.xml and "webshop" to EJB's jboss.xml[1] after defining the application-policy "webshop" in conf/login-config.xml, I can't call any (unprotected! no method-permission in ejb-jar.xml) EJBs anymore. If I try, I get an SecurityException, because the principal is null.
      I expected the principal for unauthenticated users to be equal to unauthenticated-principal in conf/standardjboss.xml, but it seems, this is never applied.

      Can anybody explain me, how I can use this unauthenticated-principal or how to access my (unprotected) EJB's without discarding the security-domain?

      Stefan (after hours of googling)


      [1]: Using "java:jaas/webshop" in jboss.xml causes a ClassCastException because "JaasSecurityManager cannot be cast to SecurityDomainContext". In https://jira.jboss.org/jira/browse/JBAS-4022 Erica Kane suggested to leave the prefix out.

        • 1. Re: unauthorized-principal not applied
          Newbie

          I forgot something: I have to use EJB 2.1, so I can't use these nice annotations.

          • 2. Re: unauthorized-principal not applied
            Newbie

            Ok, finally I managed to work around this issue. I just removed the security-context away from the EJB's jboss.xml. Looks like just using the name of the application-policy as mentioned in [1] isn't the right way...

            But after this, I had a different (but possibly related?) problem. Instead of showing the login-dialog, I get an IllegalStateException on the console complaining about "Authorization Manager is null".
            If I remove the security-context from the jboss-web.xml, the dialog appears, but I didn't found a way to specify the correct login-configuration defined in conf/login-config.xml.

            A very basic example:
            WEB-INF/jboss-web.xml:

            <jboss-web>
             <security-domain>java:jaas/other</security-domain>
             <context-root>helloworld</context-root>
            </jboss-web>
            


            WEB-INF/web.xml:
            <web-app xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns="http://java.sun.com/xml/ns/javaee" xmlns:web="http://java.sun.com/xml/ns/javaee/web-app_2_5.xsd" xsi:schemaLocation="http://java.sun.com/xml/ns/javaee http://java.sun.com/xml/ns/javaee/web-app_2_5.xsd" id="WebApp_ID" version="2.5">
             <display-name>HelloWorldWeb</display-name>
             <welcome-file-list>
             <welcome-file>index.jsp</welcome-file>
             </welcome-file-list>
             <security-constraint>
             <web-resource-collection>
             <web-resource-name>Everything</web-resource-name>
             <url-pattern>/*</url-pattern>
             </web-resource-collection>
             <auth-constraint>
             <role-name>somebody</role-name>
             </auth-constraint>
             </security-constraint>
             <login-config>
             <auth-method>BASIC</auth-method>
             <realm-name>Some Realm</realm-name></login-config>
             <security-role>
             <role-name>somebody</role-name>
             </security-role>
            </web-app>
            


            index.html:
            <html><body>Hello World</body></html>