Security principal propagation across EJB3 modules

 
Greenhorn
Posts: 4
  • Mark post as helpful
  • send pies
  • Quote
  • Report post to moderator
Hello to everyone,

I'm developing an enterprise application within JBoss 5.

I have multiple EJB3 modules in a single ear, each one under the same security domain.

Authentication works properly and the ClientLoginModule is required in the application policy.

My question is the following: if the client (or the web tier) calls EJB 1, which in turn calls EJB 2 (both secured), is the security Principal propagated correctly?

It gives me a "principal: null" exception when the second EJB is called in the stack.

Where am I wrong?

Thanks in advance.


D.
 
davide tabarelli
Greenhorn
Posts: 4
  • Mark post as helpful
  • send pies
  • Quote
  • Report post to moderator
No one is answering me ... maybe my question is too newbie/stupid or ill-posed?

I suppose the last (ill-posed), so I'll try to explain it again, better.

As far as I know, the credentials/principal have to be propagated between EJB modules in the same JVM/JBoss instance, but it seems this doesn't happen in my system (JBoss 5.1.0 GA).

The situation:

- Two EJB modules in an EAR. Same security realm.
- A client (web or standalone ... doesn't matter) calls a method A inside a session bean in EJB A.
- The client is authenticated as Principal="SomeOne", Role="MyRole".
- The method requires role "MyRole" by means of @RolesAllowed("MyRole")
- The method A in turn calls a method B, which is inside another session bean in EJB B.
- Also the method B is marked with @RolesAllowed("MyRole").
- Resulting exception: "javax.ejb.EJBAccessException: Caller unauthorized"

Looking into the logs (TRACE level) it points out that:

1) The call to the method A is successfully authenticated (Principal="SomeOne", Role="MyRole").
2) The principal/credentials get lost in the subsequent call to method B (Principal=anonymous).

Someone faced this issue before? Please help me!

Thanking you in advance.

D.
 
Ranch Hand
Posts: 53
  • Mark post as helpful
  • send pies
  • Quote
  • Report post to moderator
I faced a similar situation where I used the JbossLoginContext to resolve it.

This depends on how you are accessing the EJB methods. I, for example, used to create a LoginContext to which I passed the role (mentioned in the auth.conf) and the security credentials.
Then I called login() before invoking the business method and logout() on the LoginContext object afterwards.

You can have a look here.
davide tabarelli
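The login/logout pattern described in the reply above, written out as an added example (not code from the thread, from JBoss, or from the original poster). It assumes the auth.conf entry using ClientLoginModule is named "client-login", a hypothetical remote interface ServiceB bound in JNDI as "MyApp/ServiceBBean/remote" (JBoss 5's earName/beanName/remote convention), the user "SomeOne"/"secret" from the thread, and JBoss 5 client libraries (jbossall-client.jar) on the classpath. ClientLoginModule does not verify the password: it only binds the principal and credential to the calling thread so the EJB invocation carries them; the server-side bean logs getCallerPrincipal() at its entry point, which is the quickest way to see whether an identity arrived or degraded to the anonymous principal before @RolesAllowed rejects it.

```java
// --- file SecuredCall.java (client side; assumed names, see lead-in) ---
import java.security.Principal;
import javax.annotation.Resource;
import javax.annotation.security.RolesAllowed;
import javax.ejb.SessionContext;
import javax.ejb.Stateless;
import javax.naming.InitialContext;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.login.LoginContext;

import org.jboss.security.auth.callback.UsernamePasswordHandler;

public final class SecuredCall {

    private SecuredCall() { }

    /** A unit of work that must run with an authenticated caller bound to the thread. */
    public interface Work<T> {
        T run() throws Exception;
    }

    /**
     * Binds user/password to the calling thread via the JAAS entry named by
     * loginConfig (here "client-login", backed by ClientLoginModule), runs the
     * work, and always logs out so a pooled thread never keeps the identity.
     */
    public static <T> T asUser(String loginConfig, String user, char[] password, Work<T> work)
            throws Exception {
        CallbackHandler handler = new UsernamePasswordHandler(user, password);
        LoginContext lc = new LoginContext(loginConfig, handler);
        lc.login();                  // no validation here: ClientLoginModule only records the identity
        try {
            return work.run();       // the EJB call carries SomeOne/secret to the server
        } finally {
            lc.logout();             // clear the thread's security association
        }
    }

    // Usage: jndi.properties on the classpath must point at the JBoss naming service.
    public static void main(String[] args) throws Exception {
        final ServiceB b = (ServiceB) new InitialContext().lookup("MyApp/ServiceBBean/remote"); // assumed JNDI name
        String answer = asUser("client-login", "SomeOne", "secret".toCharArray(), new Work<String>() {
            public String run() throws Exception {
                return b.whoAmI();   // protected by @RolesAllowed("MyRole") on the server
            }
        });
        System.out.println(answer);
    }
}

// --- file ServiceB.java (hypothetical remote interface of "EJB B") ---
interface ServiceB {
    String whoAmI();
}

// --- file ServiceBBean.java (server side, module B) ---
@Stateless
class ServiceBBean implements ServiceB {

    @Resource
    private SessionContext ctx;

    /** Reports which principal actually reached this bean and whether it holds MyRole. */
    @RolesAllowed("MyRole")
    public String whoAmI() {
        Principal caller = ctx.getCallerPrincipal();
        // If module A's identity was lost on the way here, the container reports its
        // anonymous principal and @RolesAllowed already threw EJBAccessException.
        return caller.getName() + " inRole(MyRole)=" + ctx.isCallerInRole("MyRole");
    }
}
```

The try/finally around logout() is the part most often skipped in practice: without it, a failed business call leaves "SomeOne" bound to the thread, and the next request served by that thread runs under an identity it never authenticated as.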
I've found out the problem ...

I have a JMS connection in the session bean that "loses" the authentication ...
... and it seems that there are bugs in JBoss 5.1 together with JMS 1.4 (see http://community.jboss.org/thread/44409?tstart=0)

Solved by updating to JMS 2.

Thanks to everyone.

D.