5 Replies Latest reply on Oct 26, 2009 2:53 AM by akhilachuthan

    ejb not validating user role at session bean methods + JAAS

    akhilachuthan
    akhilachuthan Oct 20, 2009 8:31 AM

      Im using ejb3 with JAAS and has defined the security policy in login-config.xml file. The policy is specified in my ear's META-INF/jboss.xml file.
      But i see that even when i define the server method with a role that is not in the role list of the user calling the server method, the container allows the method to be accessed.

      for debugging i tried printing SessionContext.isCallerInRole(role) within the method with the role as my method role. Now this is returned false as expected. In such a case ejb should not have allowed the calling function to access the method at all...

      My configuration was something that has worked well for jboss4. all these problems started once after i migrated to jboss5...

      What am i doing wrong here, or is there anything else that has to be configured....


      Thanks

      • 2383 Views
      • Tags:
        • 1. Re: ejb not validating user role at session bean methods + J
          wolfgangknauf
          wolfgangknauf Oct 21, 2009 4:38 AM (in response to akhilachuthan)

          Hi,

          do you have "@RolesAllowed" annotations on your bean class? Post the snippets of bean declarations and the relevant XML file parts.

          You might activate logging of the security layer (see sticky post "FAQ", question 4) to check whether your login config is working as expected.

          Best regards

          Wolfgang

            • Actions
          • 2. Re: ejb not validating user role at session bean methods + J
            akhilachuthan
            akhilachuthan Oct 21, 2009 7:13 AM (in response to akhilachuthan)

            I configured my log4j with the details, but did not receive any log of concern..
            ---------------------------------------------------------------------------------
            My login-config.xml snippet is given below

            <application-policy name = "SecurityPolicy">

            <login-module code = "org.jboss.security.ClientLoginModule" flag = "required">
            <module-option name="unauthenticatedIdentity">defaultuser</module-option>
            <!-- Any existing security context will be restored on logout -->
            <module-option name="restore-login-identity">true</module-option>
            </login-module>

            <login-module code="com.temp.component.security.LoginCheck" flag = "required">
            <module-option name="unauthenticatedIdentity">defaultuser</module-option>
            <!-- Any existing security context will be restored on logout -->
            <module-option name="restore-login-identity">true</module-option>
            </login-module>

            </application-policy>

            ---------------------------------------------------------------------------------
            content of the jboss.xml within my ear


            <security-domain>java:/jaas/SecurityPolicy</security-domain>


            ---------------------------------------------------------------------------------
            content of the jboss-web.xml in the war file within my ear

            <jboss-web>
            <security-domain flushOnSessionInvalidation="true">java:/jaas/SecurityPolicy</security-domain>
            </jboss-web>

            ---------------------------------------------------------------------------------

            I have defined the role as @RolesAllowed("WRONG_ROLE__FOR_FAILURE") for my ejb session bean method. There is no such role, but still i can access the method..

              • Actions
            • 3. Re: ejb not validating user role at session bean methods + J
              akhilachuthan
              akhilachuthan Oct 22, 2009 8:08 AM (in response to akhilachuthan)

              Got it.. my mistake....

              There was no jboss.xml within the ejb's META-INF. Instead i had places it in the META-INF of the containing ear file...

              Now.. my application uses only a single security domain for all the ejb's and i have a multi jar setup within the ear. Is there any way by which i define something at the ear level to avoid having a similar jboss.xml in all my ejb jars?

                • Actions
              • 4. Re: ejb not validating user role at session bean methods + J
                wolfgangknauf
                wolfgangknauf Oct 22, 2009 10:45 AM (in response to akhilachuthan)

                Hi,

                JBoss 5 allows this by adding a "jboss-app.xml" to META-INF of your EAR:

                <?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE jboss-app
 PUBLIC "-//JBoss//DTD J2EE Application 5.0//EN"
 "http://www.jboss.org/j2ee/dtd/jboss-app_5_0.dtd">

<jboss-app>
 <security-domain>mysecuritydomain</security-domain>

</jboss-app>


                Best regards

                Wolfgang

                  • Actions
                • 5. Re: ejb not validating user role at session bean methods + J
                  akhilachuthan
                  akhilachuthan Oct 26, 2009 2:53 AM (in response to akhilachuthan)

                  That works great....

                  Thanks Wolfgang

                    • Actions