Problem in securing EJB modules

davide tabarelli

Joined: May 20, 2010
Posts: 4
Hello to everyone.

I have a problem in securing EJB modules in JBoss AS 5.

As far as I know, the credential/principal has to be propagated between EJB modules in the same JVM/JBoss instance, but it seems this doesn't happen in my system (JBoss 5.1.0 GA).

The situation is the following:

- Two EJB modules in an EAR. Same security realm.
- A client (web or standalone ... doesn't matter) calls a method A inside a session bean in EJB A.
- The client is authenticated as Principal="SomeOne", Role="MyRole".
- The method requires role "MyRole" by means of @RolesAllowed("MyRole")
- The method A in turn calls a method B, that is inside another session bean in EJB B.
- Also the method B is marked with @RolesAllowed("MyRole").
- Resulting exception: "javax.ejb.EJBAccessException: Caller unauthorized"

Looking into the logs (TRACE level), it turns out that:

1) The call to the method A is successfully authenticated (Principal="SomeOne", Role="MyRole").
2) The principal/credentials get lost in the subsequent call to method B (Principal=anonymous).


javax.ejb.EJBAccessException: Caller unauthorized...

Log excerpt:

12:04:23,141 TRACE [JBossAuthorizationContext] REQUIRED failed for
Principal: anonymous
12:04:23,141 TRACE [JBossAuthorizationContext] Error in authorize: Authorization Failed:

Has anyone faced this issue before?

Is it a bad design issue or configuration related?

Please help me!

Thanking you in advance.