Hey Luke,
I can give hints on EJB security. I have done this on WSAD but not on JBoss, so you probably have to do extra work/investigation.
Before I jump to the steps I have done in WSAD, you need to understand what's wrong in the code snippet.
You have configured a JAAS module in the JBoss server which will be called automatically whenever you call LoginContext.login(...).
Whenever you use EJB security there are two possibilities/paths:
1. User is already authenticated and authorised before you invoke any EJB method/s.
2. User is not authenticated and authorised before you invoke any EJB method/s.
Case 1: Principals and Credentials (returned by the login API) are set in a ThreadLocal before you make a call. Once the server has received this data, it trusts the caller and checks/extracts the role information; if the role matches the specified role, it allows the method invocation, otherwise it throws an exception.
Case 2: Whenever you pass user details using Context.SECURITY_PRINCIPAL and Context.SECURITY_CREDENTIALS, the server tries to authenticate based on the passed details, and if they are correct, it tries to match roles.
Again, that depends on which EJB flow we are talking about (i.e. we want the user to pass their details and the server to first do authentication and then the role check, OR the user details are already authenticated and we would like to use the Principals and Credentials).
Now, in WSAD what we do is define roles and then map roles to methods (using ejb-jar.xml or annotations). Before you deploy the build, you use the WSAD feature to collect all roles defined in ejb-jar.xml and then map these roles to a specific OU (org unit). After this you start the deployment and the container asks you to look up all roles from LDAP or some files and map these roles to your EJB. Once this mapping is done, the container knows which role and OU map to which role and OU.
Hope that this helps.
Thanks,
Sunil Dixit
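As an added illustration of the role-to-method mapping described in the reply above (a constructed example, not from this thread or from WSAD/JBoss documentation), here is an ejb-jar.xml assembly descriptor; AccountBean, the role names and the method names are placeholders.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Constructed example: declarative EJB role-to-method mapping.
     Bean, role and method names are placeholders, not from the thread. -->
<ejb-jar xmlns="http://java.sun.com/xml/ns/javaee" version="3.0">
  <enterprise-beans>
    <session>
      <ejb-name>AccountBean</ejb-name>
      <!-- Run with the caller's identity (not run-as), so role checks on
           any EJB this bean calls still see the real authenticated user. -->
      <security-identity>
        <use-caller-identity/>
      </security-identity>
    </session>
  </enterprise-beans>
  <assembly-descriptor>
    <!-- Logical roles; the deployer maps them to LDAP groups / OUs
         in a container-specific step, as the post describes for WSAD. -->
    <security-role>
      <role-name>teller</role-name>
    </security-role>
    <security-role>
      <role-name>auditor</role-name>
    </security-role>

    <!-- Role checks happen per method: the caller's principal must carry
         one of the listed roles or the container throws an exception. -->
    <method-permission>
      <role-name>teller</role-name>
      <method>
        <ejb-name>AccountBean</ejb-name>
        <method-name>getBalance</method-name>
      </method>
    </method-permission>
    <method-permission>
      <role-name>auditor</role-name>
      <method>
        <ejb-name>AccountBean</ejb-name>
        <method-name>listTransactions</method-name>
      </method>
    </method-permission>
    <!-- No role may call this method through the container at all. -->
    <exclude-list>
      <method>
        <ejb-name>AccountBean</ejb-name>
        <method-name>purgeAuditLog</method-name>
      </method>
    </exclude-list>
  </assembly-descriptor>
</ejb-jar>
```

The mapping from these logical roles to actual users or OUs is not in this file; it is done by the deployer in the container (in WSAD as the reply describes, in JBoss through its own security-domain configuration).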