Security principal propagation across ejb3 modules

davide tabarelli
Greenhorn

Joined: May 20, 2010
Posts: 4
Hello to everyone,

I'm developing an enterprise application within JBoss 5.

I have multiple EJB3 modules in a single ear, each one under the same security domain.

Authentication works properly and the ClientLoginModule is required in the application policy.

My question is the following: if the client (or the web tier) calls EJB 1, which in turn calls EJB 2 (both secured), is the security Principal propagated correctly?

It is giving me a "principal: null" exception when the second EJB is called in the stack.

Where am I wrong?

Thanks in advance.


D.
davide tabarelli
Greenhorn

Joined: May 20, 2010
Posts: 4
No one is answering me ... maybe my question is too newbie/stupid or ill-posed?

I suppose the last (ill-posed), so I'll try to explain it again, better.

As far as I know, the credentials/principal have to be propagated between EJB modules in the same JVM/JBoss instance, but it seems this doesn't happen in my system (JBoss 5.1.0 GA).

The situation:

- Two EJB modules in an EAR. Same security realm.
- A client (web or standalone ... doesn't matter) calls a method A inside a session bean in EJB A.
- The client is authenticated as Principal="SomeOne", Role="MyRole".
- The method requires role "MyRole" by means of @RolesAllowed("MyRole")
- The method A in turn calls a method B, which is inside another session bean in EJB B.
- Also the method B is marked with @RolesAllowed("MyRole").
- Resulting exception: "javax.ejb.EJBAccessException: Caller unauthorized"

Looking into the logs (TRACE level) it points out that:

1) The call to the method A is successfully authenticated (Principal="SomeOne", Role="MyRole").
2) The principal/credentials get lost in the subsequent call to method B (Principal=anonymous).

Has anyone faced this issue before? Please help me!

Thanking you in advance.

D.
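As an added illustration of the setup described above (not the poster's code), two stateless beans under the same security domain, with the caller principal logged at each hop so that the point where it turns into "anonymous" can be located in the TRACE log. Assumed names: security domain "MyDomain", role "MyRole", and the BeanBLocal interface visible to both modules (for example from the EAR's shared lib).

```java
// Added example, not from the original thread. BeanA.methodA calls BeanB.methodB;
// both require "MyRole". Each hop logs ctx.getCallerPrincipal() so the server log
// shows whether the principal survives the in-JVM call into the second module.
// Assumed: security domain "MyDomain", role "MyRole", all classes in one package.
// --- File: BeanBLocal.java ---
@javax.ejb.Local public interface BeanBLocal { String methodB(); }
// --- File: BeanB.java ---
import javax.annotation.Resource;
import javax.annotation.security.RolesAllowed;
import javax.ejb.SessionContext;
import javax.ejb.Stateless;
import org.jboss.ejb3.annotation.SecurityDomain;
@Stateless
@SecurityDomain("MyDomain")
public class BeanB implements BeanBLocal {
    @Resource private SessionContext ctx;
    @RolesAllowed("MyRole")
    public String methodB() {
        // Second hop. With correct propagation this logs the same principal as
        // BeanA; if the caller arrived as "anonymous", the container rejects the
        // call before this line with javax.ejb.EJBAccessException: Caller unauthorized.
        String who = ctx.getCallerPrincipal().getName();
        System.out.println("BeanB.methodB caller=" + who
                + " inRole=" + ctx.isCallerInRole("MyRole"));
        return who;
    }
}
// --- File: BeanALocal.java ---
@javax.ejb.Local public interface BeanALocal { String methodA(); }
// --- File: BeanA.java ---
import javax.annotation.Resource;
import javax.annotation.security.RolesAllowed;
import javax.ejb.EJB;
import javax.ejb.SessionContext;
import javax.ejb.Stateless;
import org.jboss.ejb3.annotation.SecurityDomain;
@Stateless
@SecurityDomain("MyDomain")
public class BeanA implements BeanALocal {
    @Resource private SessionContext ctx;
    @EJB private BeanBLocal beanB;   // injected local reference into the second EJB module
    @RolesAllowed("MyRole")
    public String methodA() {
        // First hop: the authenticated principal should already be visible here.
        System.out.println("BeanA.methodA caller=" + ctx.getCallerPrincipal().getName());
        return beanB.methodB();
    }
}
```

If the BeanA line shows "SomeOne" and BeanB is rejected or logs "anonymous", the principal is lost between the two beans rather than at authentication, which narrows the search to whatever runs inside methodA before the second call (in the poster's case, a JMS connection).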
Vikram Saxena
Ranch Hand

Joined: Dec 16, 2008
Posts: 53
I faced a similar situation where I used the JbossLoginContext to resolve it.

This depends on how you are accessing the EJB methods. I, for example, used to create a LoginContext where I passed the role (mentioned in the auth.conf) and the security credentials.
Then I called the method login() before invoking the business method and logout() on the LoginContext object.

You can have a look here.

Vikram
SCJP 5 , SCBCD [Prep Started ] , WLS 8.1 Server Admin
davide tabarelli
Greenhorn

Joined: May 20, 2010
Posts: 4
I've found out the problem ...

I have a JMS connection in the session bean that "loses" the authentication ...
... and it seems that there are bugs in JBoss 5.1 together with JMS 1.4 (see http://community.jboss.org/thread/44409?tstart=0).

Solved by updating to JMS 2.

Thanks to everyone.

D.