JavaRanch » Java Forums » Engineering » Security
Problem in securing EJB modules

davide tabarelli
Greenhorn

Joined: May 20, 2010
Posts: 4
Hello to everyone.

I have a problem in securing EJB modules in JBoss AS 5.

As far as I know, the credentials/principal have to be propagated between EJB modules in the same JVM/JBoss instance, but it seems this doesn't happen in my system (JBoss 5.1.0 GA).

The situation is the following:

- Two EJB modules in an EAR. Same security realm.
- A client (web or standalone ... doesn't matter) calls a method A inside a session bean in EJB A.
- The client is authenticated as Principal="SomeOne", Role="MyRole".
- The method requires role "MyRole" by means of @RolesAllowed("MyRole")
- Method A in turn calls a method B, which is inside another session bean in EJB B.
- Method B is also marked with @RolesAllowed("MyRole").
- Resulting exception: "javax.ejb.EJBAccessException: Caller unauthorized"

Looking into the logs (TRACE level) it points out that:

1) The call to the method A is successfully authenticated (Principal="SomeOne", Role="MyRole").
2) The principal/credentials get lost in the subsequent call to method B (Principal=anonymous).

Exception:

javax.ejb.EJBAccessException: Caller unauthorized...

Log excerpt:

12:04:23,141 TRACE [JBossAuthorizationContext] REQUIRED failed for Name=org.jboss.security.authorization.modules.DelegatingAuthorizationModule:subject=Subject:
Principal: anonymous
:role=Roles()
12:04:23,141 TRACE [JBossAuthorizationContext] Error in authorize:
org.jboss.security.authorization.AuthorizationException: Authorization Failed:


Has someone faced this issue before?

Is it a bad design issue or configuration related?

Please help me!

Thanking you in advance.
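The call chain described above, reconstructed as an added example (not the poster's code): two stateless beans in separate modules of one EAR, both restricted to "MyRole", with a caller-identity check at each hop so the log shows where the principal turns into "anonymous". The security domain name "MyRealm", the bean and interface names and the use of JBoss's org.jboss.ejb3.annotation.SecurityDomain annotation are assumptions.

```java
import java.security.Principal;
import javax.annotation.Resource;
import javax.annotation.security.RolesAllowed;
import javax.ejb.EJB;
import javax.ejb.Local;
import javax.ejb.SessionContext;
import javax.ejb.Stateless;
import org.jboss.ejb3.annotation.SecurityDomain; // JBoss-specific; assumed

// --- EJB module A ---
@Local
interface BeanALocal { String methodA(); }

@Stateless
@SecurityDomain("MyRealm")   // assumed name; both modules must use the same domain
class BeanA implements BeanALocal {
    @Resource private SessionContext ctx;
    @EJB private BeanBLocal beanB;   // bean living in EJB module B of the same EAR

    @RolesAllowed("MyRole")
    public String methodA() {
        // First hop: this is where the poster's TRACE log shows a valid principal.
        logCaller("methodA", ctx);
        // The container is expected to carry the same caller identity into methodB.
        return beanB.methodB();
    }

    // Diagnostic helper: prints the identity the container sees at this hop.
    static void logCaller(String where, SessionContext ctx) {
        Principal caller = ctx.getCallerPrincipal();
        System.out.println(where + ": caller=" + caller.getName()
                + " inRole(MyRole)=" + ctx.isCallerInRole("MyRole"));
    }
}

// --- EJB module B ---
@Local
interface BeanBLocal { String methodB(); }

@Stateless
@SecurityDomain("MyRealm")   // same assumed domain as module A
class BeanB implements BeanBLocal {
    @Resource private SessionContext ctx;

    @RolesAllowed("MyRole")
    public String methodB() {
        // Second hop: if the check on methodA is reached but this one is not,
        // the EJBAccessException is raised before entry and the principal was
        // lost between the two modules, matching the "Principal: anonymous" trace.
        BeanA.logCaller("methodB", ctx);
        return "ok for " + ctx.getCallerPrincipal().getName();
    }
}
```

Comparing the two log lines against the container's TRACE output narrows the problem to either the inter-module call (identity not propagated) or the authorization setup of module B itself.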