@SecurityDomain with custom login module fails with EJB3
Hi everybody,
I ran into a problem with an EJB using a custom security domain.
My sample:
-I created a custom login module (subclass of org.jboss.security.auth.spi.UsernamePasswordLoginModule).
-"login-config.xml" at server\default\conf contains this application-policy:
<application-policy name = "knaufsecurity">
<login-module code = "de.fhw.swtvertiefung.knauf.security.loginmodule.KundeAdministratorLoginModule"
flag = "required">
</login-module>
</application-policy>
In a EJB 2.1 environment I could secure my bean with this entry in jboss.xml in the EJB jar:
<security-domain>java:/jaas/knaufsecurity</security-domain>
For my EJB3 bean I added this annotation (stateless session bean):
@org.jboss.annotation.security.SecurityDomain(value="java:/jaas/knaufsecurity")
My web project is secured also, by declaring the security domain in jboss-web.xml, and this works !
But for the ejb project: if I try to access a method with an annotation "@RolesAllowed", this exception is logged:
21:12:50,140 ERROR [UsersRolesLoginModule] Failed to load users/passwords/role files
java.io.IOException: No properties file: users.properties or defaults: defaultUsers.properties found
at org.jboss.security.auth.spi.Util.loadProperties(Util.java:313)
at org.jboss.security.auth.spi.UsersRolesLoginModule.loadUsers(UsersRolesLoginModule.java:186)
at org.jboss.security.auth.spi.UsersRolesLoginModule.createUsers(UsersRolesLoginModule.java:200)
at org.jboss.security.auth.spi.UsersRolesLoginModule.initialize(UsersRolesLoginModule.java:127)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(Unknown Source)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(Unknown Source)
at java.lang.reflect.Method.invoke(Unknown Source)
at javax.security.auth.login.LoginContext.invoke(Unknown Source)
at javax.security.auth.login.LoginContext.access$000(Unknown Source)
at javax.security.auth.login.LoginContext$4.run(Unknown Source)
at java.security.AccessController.doPrivileged(Native Method)
at javax.security.auth.login.LoginContext.invokePriv(Unknown Source)
at javax.security.auth.login.LoginContext.login(Unknown Source)
at org.jboss.security.plugins.JaasSecurityManager.defaultLogin(JaasSecurityManager.java:601)
at org.jboss.security.plugins.JaasSecurityManager.authenticate(JaasSecurityManager.java:535)
at org.jboss.security.plugins.JaasSecurityManager.isValid(JaasSecurityManager.java:344)
at org.jboss.aspects.security.AuthenticationInterceptor.authenticate(AuthenticationInterceptor.java:124)
at org.jboss.aspects.security.AuthenticationInterceptor.invoke(AuthenticationInterceptor.java:67)
at org.jboss.ejb3.security.Ejb3AuthenticationInterceptor.invoke(Ejb3AuthenticationInterceptor.java:131)
at org.jboss.aop.joinpoint.MethodInvocation.invokeNext(MethodInvocation.java:101)
at org.jboss.ejb3.ENCPropagationInterceptor.invoke(ENCPropagationInterceptor.java:47)
at org.jboss.aop.joinpoint.MethodInvocation.invokeNext(MethodInvocation.java:101)
at org.jboss.ejb3.asynchronous.AsynchronousInterceptor.invoke(AsynchronousInterceptor.java:106)
at org.jboss.aop.joinpoint.MethodInvocation.invokeNext(MethodInvocation.java:101)
at org.jboss.ejb3.stateless.StatelessContainer.dynamicInvoke(StatelessContainer.java:263)
at org.jboss.ejb3.remoting.IsLocalInterceptor.invoke(IsLocalInterceptor.java:58)
at org.jboss.aop.joinpoint.MethodInvocation.invokeNext(MethodInvocation.java:101)
at org.jboss.ejb3.stateless.StatelessRemoteProxy.invoke(StatelessRemoteProxy.java:102)
at $Proxy96.forAdminOnly(Unknown Source)
....
So this pointed me to a workaround: I modified "login-config.xml" and replaced the login-module declaration in the "other" policy.
<application-policy name = "other">
<login-module code = "de.fhw.swtvertiefung.knauf.security.loginmodule.KundeAdministratorLoginModule"
flag = "required">
</login-module>
</application-policy>
Now it works, but it seems either I did something wrong in declaring the EJB security domain, or there is a bug in the implementation.
Could someone clarify this ?
Thanks
Wolfgang Knauf
