1 Reply Latest reply on Dec 23, 2004 5:39 PM by Scott Stark

    Using JAAS to secure EJBs

    Oleg Timoshenko Newbie

      Good day to All,
      I'm relatively new to J2EE. I've already developed a number of EJBs and pages and now I'm trying to implement security to control access to EJBs.
      I've read all possible manuals I found on the net, but there are still some questions that are not quite clear to me...

      Everything is deployed into the single EAR archive and inside the JSP code I access my EJB in the following manner:

      LoginContext lc = new LoginContext("MyAuthDomain", new myCallback("login","pass"));
      lc.login();
      // At this point everything is perfect, I can retrieve the subject by lc.getSubject() and see that authentication was OK, i.e. Roles are populated properly, principal is the right one.
      ...
      // But then I create my EJB by
      myEJBsHomeIface.create();
      // This raises an exception:
      // EJBException:; nested exception is:
      // javax.ejb.EJBException:
      // checkSecurityAssociation;
      // CausedByException is: Authentication exception, principal=null

      ---
      The create() method of EJB is marked as in ejb-jar.xml, <method-permission> tag.
      What else I did:
      1) Configured [server]/default/config/login-config.xml (specified the security-policy "MyAuthDomain" mentioned in new LoginContext())
      2) In ejb-jar.xml I created <assembly-descriptor> section where I list roles and grant method permissions to them
      3) In jboss.xml I created the <security-domain> entry linking the EJB to MyAuthDomain entry in login-config.xml.
      4) I created also auth.conf file in [server]/default/conf with MyAuthDomain section like:
      --
      MyAuthDomain{
      org.jboss.security.ClientLoginModule required;
      org.jboss.security.auth.spi.DatabaseServerLoginModule
      required
      ....
      }
      --
      (but JSP passes authentication even without it)

      When I switch on the declarative authentication for this JSP in its deployment descriptors (and remove all the authentication code from its text), everything works perfectly. So, it doesn't work only when I try to perform authentication programmatically. I obviously missed something in configuration.

      Please help me to find it out or give me a URL where I can read about it in detail.

      At least, do I understand right that between lc.login() and lc.logout() my code can call EJB in its usual manner like myEJB.getData() and I shouldn't wrap these calls in something like executeAsPrivilegedUser(..., subject)?

      Many thanks in advance!