5 Replies Latest reply on Oct 26, 2009 2:53 AM by akhil achuthan

    ejb not validating user role at session bean methods + JAAS

    akhil achuthan Newbie

I'm using EJB3 with JAAS and have defined the security policy in the login-config.xml file. The policy is specified in my EAR's META-INF/jboss.xml file.
      But I see that even when I define the server method with a role that is not in the role list of the user calling it, the container still allows the method to be accessed.

For debugging I tried printing SessionContext.isCallerInRole(role) within the method, with the role being my method's role. This returned false as expected. In such a case the EJB container should not have allowed the calling function to access the method at all...

My configuration is one that worked well on JBoss 4. All these problems started after I migrated to JBoss 5...

What am I doing wrong here, or is there anything else that has to be configured?


      Thanks

        • 1. Re: ejb not validating user role at session bean methods + J
          Wolfgang Knauf Master

          Hi,

          do you have "@RolesAllowed" annotations on your bean class? Post the snippets of bean declarations and the relevant XML file parts.

          You might activate logging of the security layer (see sticky post "FAQ", question 4) to check whether your login config is working as expected.

          Best regards

          Wolfgang

          • 2. Re: ejb not validating user role at session bean methods + J
            akhil achuthan Newbie

I configured my log4j with the details, but did not get any log output of concern.
            ---------------------------------------------------------------------------------
            My login-config.xml snippet is given below

<application-policy name="SecurityPolicy">

            <login-module code="org.jboss.security.ClientLoginModule" flag="required">
            <module-option name="unauthenticatedIdentity">defaultuser</module-option>
            <!-- Any existing security context will be restored on logout -->
            <module-option name="restore-login-identity">true</module-option>
            </login-module>

            <login-module code="com.temp.component.security.LoginCheck" flag="required">
            <module-option name="unauthenticatedIdentity">defaultuser</module-option>
            <!-- Any existing security context will be restored on logout -->
            <module-option name="restore-login-identity">true</module-option>
            </login-module>

            </application-policy>

            ---------------------------------------------------------------------------------
            content of the jboss.xml within my ear


            <security-domain>java:/jaas/SecurityPolicy</security-domain>


            ---------------------------------------------------------------------------------
            content of the jboss-web.xml in the war file within my ear

            <jboss-web>
            <security-domain flushOnSessionInvalidation="true">java:/jaas/SecurityPolicy</security-domain>
            </jboss-web>

            ---------------------------------------------------------------------------------

I have defined the role as @RolesAllowed("WRONG_ROLE__FOR_FAILURE") for my EJB session bean method. There is no such role, but I can still access the method.

            • 3. Re: ejb not validating user role at session bean methods + J
              akhil achuthan Newbie

Got it... my mistake.

There was no jboss.xml within the EJB jar's META-INF. Instead I had placed it in the META-INF of the containing EAR file...

Now, my application uses only a single security domain for all the EJBs, and I have a multi-jar setup within the EAR. Is there any way to define something at the EAR level to avoid having a similar jboss.xml in all my EJB jars?

              • 4. Re: ejb not validating user role at session bean methods + J
                Wolfgang Knauf Master

                Hi,

                JBoss 5 allows this by adding a "jboss-app.xml" to META-INF of your EAR:

                <?xml version="1.0" encoding="UTF-8"?>
                <!DOCTYPE jboss-app
                 PUBLIC "-//JBoss//DTD J2EE Application 5.0//EN"
                 "http://www.jboss.org/j2ee/dtd/jboss-app_5_0.dtd">
                
                <jboss-app>
                 <security-domain>mysecuritydomain</security-domain>
                
                </jboss-app>


                Best regards

                Wolfgang
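
For readers hitting the same symptom, here is what the bean side of this setup looks like once the security domain is actually bound to the EJB. This is an added example, not code posted in the thread: the package, class, account IDs and balances are made up, and it assumes the JBoss 5 EJB3 annotation org.jboss.ejb3.annotation.SecurityDomain, which binds the bean to the "SecurityPolicy" domain from the poster's login-config.xml in the same way the jboss.xml / jboss-app.xml snippets above do. It also shows the programmatic SessionContext.isCallerInRole() check from the first post used for something the declarative annotation cannot express.

```java
// Added example, not from the thread. Package, class, account IDs and balances
// are made up; "SecurityPolicy" is the domain from the poster's login-config.xml.
package com.example.secure;

import java.util.HashMap;
import java.util.Map;

import javax.annotation.Resource;
import javax.annotation.security.DeclareRoles;
import javax.annotation.security.PermitAll;
import javax.annotation.security.RolesAllowed;
import javax.ejb.EJBAccessException;
import javax.ejb.Local;
import javax.ejb.SessionContext;
import javax.ejb.Stateless;

import org.jboss.ejb3.annotation.SecurityDomain;

@Local
interface AccountService {
    String whoAmI();
    long getBalance(String accountId);
    void transfer(String from, String to, long amount);
    void closeAccount(String accountId);
}

/**
 * @SecurityDomain is the annotation equivalent (assumed available in JBoss 5 EJB3) of
 *   <security-domain>java:/jaas/SecurityPolicy</security-domain>
 * in the EJB jar's META-INF/jboss.xml, or of the jboss-app.xml shown above.
 * With no security domain bound to the bean, the container never consults the
 * caller's roles and every @RolesAllowed method stays reachable, which is the
 * symptom described in the first post.
 */
@Stateless
@SecurityDomain("SecurityPolicy")
@DeclareRoles({"ADMIN", "USER"})
public class AccountServiceBean implements AccountService {

    @Resource
    private SessionContext ctx;

    // Constructed in-memory data so the example is self-contained (demo only,
    // not thread-safe).
    private static final Map<String, Long> BALANCES = new HashMap<String, Long>();
    static {
        BALANCES.put("acc-1", 500L);
        BALANCES.put("acc-2", 20000L);
    }

    // Any caller authenticated in the domain may call this, including the
    // unauthenticatedIdentity if the login module assigns it roles.
    @PermitAll
    public String whoAmI() {
        return ctx.getCallerPrincipal().getName();
    }

    // The container throws javax.ejb.EJBAccessException before this body runs
    // unless the caller holds USER.
    @RolesAllowed("USER")
    public long getBalance(String accountId) {
        Long balance = BALANCES.get(accountId);
        if (balance == null) {
            throw new IllegalArgumentException("unknown account " + accountId);
        }
        return balance;
    }

    // The declarative check admits USER or ADMIN; the programmatic
    // isCallerInRole() check (the call used for debugging in the first post)
    // enforces a rule that depends on the argument value.
    @RolesAllowed({"ADMIN", "USER"})
    public void transfer(String from, String to, long amount) {
        if (amount > 10000 && !ctx.isCallerInRole("ADMIN")) {
            throw new EJBAccessException("transfers above 10000 require ADMIN");
        }
        long source = getBalance(from);
        if (source < amount) {
            throw new IllegalStateException("insufficient funds in " + from);
        }
        BALANCES.put(from, source - amount);
        BALANCES.put(to, getBalance(to) + amount);
    }

    @RolesAllowed("ADMIN")
    public void closeAccount(String accountId) {
        BALANCES.remove(accountId);
    }
}
```

Whichever of the three mechanisms binds the domain (annotation, jboss.xml in the EJB jar, or jboss-app.xml in the EAR), the quick check is the one the poster used: a method annotated with a role nobody holds must throw EJBAccessException to every caller; if it returns normally, the domain is not bound to that bean.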