1 Reply Latest reply on Apr 9, 2002 12:36 PM by dat

    MDB Authentication how to

    dat Newbie

      I've read through the forums and mailing list archives and examined the docs and cvs repository without much luck.

      A have a simple MDB (MDBX) that calls a session bean (SSBX), all the ejbs are in 1 jar. SSBX needs someone with an admin role to access it. MDBX has declared it method permissions to allow unchecked authenticated users and sets it run as id to be admin. Now security works fine for my web apps and other ejbs but the MDB can not call the SSB with the correct role.

      *****My auth.conf ***************************************
      // Put login modules providing authentication and realm mappings
      // for security domains.


      simple {
      // Very simple login module:
      // any user name is accepted.
      // password should either coincide with user name or be null,
      // all users have role "guest",
      // users with non-null password also have role "user"
      org.jboss.security.auth.spi.SimpleServerLoginModule required;
      };

      // Used by clients within the application server VM such as
      // mbeans and servlets that access EJBs.
      client-login {
      org.jboss.security.ClientLoginModule required;

      };



      // The default server login module
      other {
      // A simple server login module, which can be used when the number
      // of users is relatively small. It uses two properties files:
      // users.properties, which holds users (key) and their password (value).
      // roles.properties, which holds users (key) and a comma-separated list of their roles (value).
      // The unauthenticatedIdentity property defines the name of the principal
      // that will be used when a null username and password are presented as is
      // the case for an unuathenticated web client or MDB. If you want to
      // allow such users to be authenticated add the property, e.g.,
      // unauthenticatedIdentity="nobody"
      org.jboss.security.auth.spi.UsersRolesLoginModule required
      ;

      };


      // test configuration
      //
      //
      test {
      org.jboss.security.plugins.samples.LdapLoginModule required
      java.naming.factory.initial="com.sun.jndi.ldap.LdapCtxFactory"
      java.naming.provider.url="ldap://makeshipgo:389"
      java.naming.security.authentication="simple"
      principalDNPrefix="uid="
      principalDNSuffix=",ou=People,o=test.com"
      rolesCtxDN="ou=Roles,o=test.com"
      roleAttributeID="cn"
      uidAttributeID="uniquemember"
      matchOnUserDN=true
      unauthenticatedIdentity="nobody"
      ;
      };


      ******My jboss.xml**********************************

      <security-domain>java:/jaas/test</security-domain>
      ...


      ****** My ejb-jar.xml *******************************
      ....
      <message-driven>
      <ejb-name>SampleQueueMDBean</ejb-name>
      <ejb-class>com.test.j2ee.ejb.sampleMDB.SampleQueueMDBean</ejb-class>
      <transaction-type>Container</transaction-type>
      <acknowledge-mode>AUTO_ACKNOWLEDGE</acknowledge-mode>
      <message-driven-destination>
      <destination-type>javax.jms.Queue</destination-type>
      </message-driven-destination>
      <ejb-ref>

      <ejb-ref-name>ejb/SampleDBBean</ejb-ref-name>
      <ejb-ref-type>Session</ejb-ref-type>
      com.test.j2ee.ejb.sampleDB.SampleDBHome
      com.test.j2ee.ejb.sampleDB.SampleDBRemote
      <ejb-link>SampleDBBean</ejb-link>
      </ejb-ref>
      <security-indentity>
      <run-as>
      <role-name>admin</role-name>
      </run-as>
      </security-indentity>
      </message-driven>
      ....

      <display-name>SampleDBBean</display-name>

      <ejb-name>SampleDBBean</ejb-name>
      com.test.j2ee.ejb.sampleDB.SampleDBHome
      com.test.j2ee.ejb.sampleDB.SampleDBRemote
      <ejb-class>com.test.j2ee.ejb.sampleDB.SampleDBBean</ejb-class>
      <session-type>Stateless</session-type>
      <transaction-type>Container</transaction-type>

      ...
      <assembly-descriptor>
      <container-transaction>

      <ejb-name>SampleDBBean</ejb-name>
      <method-name>*</method-name>

      <trans-attribute>Required</trans-attribute>
      </container-transaction>
      <!-- unchecked role - this evaluates to the nobody role -->
      <method-permission>


      <ejb-name>SampleQueueMDBean</ejb-name>
      <method-name>*</method-name>

      </method-permission>
      <method-permission>
      <role-name>admin</role-name>

      <ejb-name>SampleDBBean</ejb-name>
      <method-name>*</method-name>

      </method-permission>
      <!-- not required by jboss but is included for portability-->
      <security-role>
      Top level users with full rights to all beans
      <role-name>admin</role-name>
      </security-role>
      <security-role>
      Unauthenticated users
      <role-name>nobody</role-name>
      </security-role>
      </assembly-descriptor>
      </ejb-jar>



      Can someone point out the exact steps need to make this work?