File APIs for Java Developers
Manipulate DOC, XLS, PPT, PDF and many others from your application.
http://aspose.com/file-tools
The moose likes JBoss/WildFly and the fly likes Security principal propagation accross ejb3 modules Big Moose Saloon
  Search | Java FAQ | Recent Topics | Flagged Topics | Hot Topics | Zero Replies
Register / Login
JavaRanch » Java Forums » Products » JBoss/WildFly
Bookmark "Security principal propagation accross ejb3 modules" Watch "Security principal propagation accross ejb3 modules" New topic
Author

Security principal propagation accross ejb3 modules

davide tabarelli
Greenhorn

Joined: May 20, 2010
Posts: 4
Hello to everyone,

I'm developing an enterprise application within JBoss 5.

I have multiple EJB3 modules in a single ear, each one under the same security domain.

Authentication works properly and the ClientLoginModule is required in the application policy.

My question is the following: if the client (or the web tier) calls EJB 1 that in turns call EJB 2 (both secured) is the security Principal propagated correctly?

It is giving me a principal: null exception when the second EJB is called in the stack ..

Where I'm wrong ?

Thanks in advance.


D.
davide tabarelli
Greenhorn

Joined: May 20, 2010
Posts: 4
No one is answering me ... maybe my question is too newbie/stupid or ill-posed ??

I suppose the last (ill-posed) and therefore I try to explain it again better.

As far as I know, credential/principal has to be propagated within ejb modules in the same JVM/JBoss instance, but it seems this doesn't happen in my system (JBoss 5.1.0 GA).

The situation:

- Two EJB modules in an EAR. Same security realm.
- A client (web or standalone ... doesn't matter) calls a method A inside a session bean in EJB A.
- The client is authenticated as Principal="SomeOne", Role="MyRole".
- The method requires role "MyRole" by means of @RolesAllowed("MyRole")
- The method A in turns calls a method B, that is inside another session bean in EJB B.
- Also the method B is marked with @RolesAllowed("MyRole").
- Resulting exception: "javax.ejb.EJBAccessException: Caller unauthorized"

Looking into the logs (TRACE level) it points out that:

1) The call to the method A is succerssfully authenticated (Principal="SomeOne", Role="MyRole").
2) The principal/credentials get lost in the subsequent call to method B (Principal=anonymous).

Someone faced this issue before? Please help me!

Thanking you in advance.

D.
Vikram Saxena
Ranch Hand

Joined: Dec 16, 2008
Posts: 53
I faced a similar situation where I used the JbossLoginContext to resolve it.

This depends on how you are accessing the EJB methods. I for example, used to create a LoginContext where I passed the role (mentioned in the auth.conf) and the security credentials.
Then called the method login() before invoking the business method and logout() on the LoginCOntext object.

You can have a look here.

Vikram
SCJP 5 , SCBCD [Prep Started ] , WLS 8.1 Server Admin
davide tabarelli
Greenhorn

Joined: May 20, 2010
Posts: 4
I've found out the problem ...

I have a JMS connection in the session bean that "loose" the authentication ...
.. and it seems that there are bugs in JBoss 5.1 together with JMS 1.4 (look http://community.jboss.org/thread/44409?tstart=0)

Solved by updating to JMS 2.

Thanks to everyone.

D.
 
It is sorta covered in the JavaRanch Style Guide.
 
subject: Security principal propagation accross ejb3 modules
 
Similar Threads
ejb webservice - authentication compulsory?
IN EJB application how many web modules and EJB modules can exist?
Problem in securing EJB modules
@RolesAllowed not affecting calls to my EJB3 session bean method?
ejb security problem with isCallerInRole()