JAAS Implementation with JBOSS 4.0.2
mhwish Mar 7, 2010 11:04 PM
I have made a simple login application that implements JAAS.
My application authenticates the user successfully, but does not authorize.
I am using MySQL (database)
Server: JBoss 4.0
I have made two tables:
1: Login (with columns username, password)
DATA-----------> ali 123
2: Userrole (with columns username, role, roleGroup)
DATA-----------> ali user Admin
Authentication Successful:
2:54:47,828 INFO [STDOUT] Here Our Subject is =Subject:
Principal: ali
Principal: Admin(members:user)
2:54:47,828 INFO [STDOUT] Principal= ali,org.jboss.security.SimplePrincipal
2:54:47,828 INFO [STDOUT] Principal= Admin(members:user),org.jboss.security.SimleGroup
2:54:47,828 INFO [STDOUT] ....Authentication Succeeded.....
But the problem is here:
An exception occurs:
2:54:48,359 ERROR [RoleBasedAuthorizationInterceptor] Insufficient permissions, principal=null, requiredRoles=[user], principalRoles=[ ]
2:54:48,359 INFO [STDOUT] Authorization failure
2:54:48,359 ERROR [STDERR] javax.ejb.EJBAccessException: Authorization failure
2:54:48,359 ERROR [STDERR] at org.jboss.ejb3.security.RoleBasedAuthorizationInterceptor.invoke(RoleBasedAuthorizationInterceptor.java:104)
2:54:48,359 ERROR [STDERR] at org.jboss.aop.joinpoint.MethodInvocation.invokeNext(MethodInvocation.java:101)
Why am I getting this error? During authentication lc.login() found the principal ali, but when I go on to authorize "ali" the principal found is null.....
In my LoginSessionBean I have made a method "hello()" such as:
    package loginsession;

    import javax.annotation.Resource;
    import javax.annotation.security.RolesAllowed;
    import javax.ejb.SessionContext;
    import javax.ejb.Stateless;

    // EJB3 stateless bean; LoginSession is the remote interface named in ejb-jar.xml
    // (an EJB3 bean does not implement javax.ejb.SessionBean)
    @Stateless
    public class LoginSessionBean implements LoginSession {

        @Resource
        SessionContext ctx;

        // the container rejects the call before entry unless the caller holds "user",
        // so only the first branch below can ever run
        @RolesAllowed({"user"})
        public void hello() {
            System.out.println(".............With in hello() method..................");
            // identity the container associated with this invocation
            System.out.println(ctx.getCallerPrincipal().getName());
            System.out.println(".............Role are going to verify authorize users..................");
            if (ctx.isCallerInRole("user")) {
                System.out.println("hello Ali you r authorize to access:");
            } else if (ctx.isCallerInRole("supervisor")) {
                System.out.println("hello you r authorize to access");
            } else {
                System.out.println("UNAUTHORISED ");
            }
        }
    }
and my ejb-jar.xml is as follows:
    <?xml version="1.0" encoding="windows-1252" ?>
    <ejb-jar xmlns="http://java.sun.com/xml/ns/javaee"
             xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
             xsi:schemaLocation="http://java.sun.com/xml/ns/javaee http://java.sun.com/xml/ns/javaee/ejb-jar_3_0.xsd"
             version="3.0">
      <enterprise-beans>
        <session>
          <ejb-name>LoginSessionBean</ejb-name>
          <!-- the bean's own interface, class and type are direct children of <session>;
               <ejb-ref> only declares references to other beans, and
               <jndi-name>java:/LoginDS</jndi-name> is JBoss-specific and belongs in jboss.xml -->
          <remote>loginsession.LoginSession</remote>
          <ejb-class>loginsession.LoginSessionBean</ejb-class>
          <session-type>Stateless</session-type>
          <transaction-type>Container</transaction-type>
          <security-role-ref>
            <description>role-name checked within EJB</description>
            <role-name>user</role-name>
            <role-link>user</role-link>
          </security-role-ref>
          <!-- run-as sets the identity for calls this bean makes, not for checks on calls into it -->
          <security-identity>
            <run-as>
              <role-name>user</role-name>
            </run-as>
          </security-identity>
        </session>
      </enterprise-beans>
      <assembly-descriptor>
        <security-role>
          <role-name>user</role-name>
        </security-role>
        <method-permission>
          <role-name>user</role-name>
          <method>
            <!-- must match the <ejb-name> above, not the bean class name -->
            <ejb-name>LoginSessionBean</ejb-name>
            <method-name>hello</method-name>
          </method>
        </method-permission>
      </assembly-descriptor>
    </ejb-jar>
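For comparison, here is an added example (not from the original post) of a JBoss login-config.xml application-policy that feeds the two tables above into a JAAS security domain through DatabaseServerLoginModule; its rolesQuery places every role into a group named "Roles", which is the group JBoss reads when it evaluates @RolesAllowed, whereas the Subject dump above shows the role sitting in a group named "Admin". The policy name LoginDomain, the use of java:/LoginDS as the datasource, and the file location are assumptions.

```xml
<!-- Added example: fragment of $JBOSS_HOME/server/default/conf/login-config.xml
     (assumed location). The policy name "LoginDomain" and the datasource
     JNDI name "java:/LoginDS" are assumptions. -->
<application-policy name="LoginDomain">
  <authentication>
    <login-module code="org.jboss.security.auth.spi.DatabaseServerLoginModule"
                  flag="required">
      <!-- datasource that holds the Login and Userrole tables -->
      <module-option name="dsJndiName">java:/LoginDS</module-option>

      <!-- one column: the stored password for the supplied username -->
      <module-option name="principalsQuery">select password from Login where username = ?</module-option>

      <!-- two columns: role name and role group. JBoss makes its authorization
           decision from the group named "Roles" only, so the constant keeps the
           stored roleGroup value ("Admin") from hiding the roles -->
      <module-option name="rolesQuery">select role, 'Roles' from Userrole where username = ?</module-option>

      <!-- store digests instead of the clear-text "123" shown above; the
           submitted password is hashed the same way before comparison -->
      <module-option name="hashAlgorithm">SHA-256</module-option>
      <module-option name="hashEncoding">base64</module-option>
    </login-module>
  </authentication>
</application-policy>
```

The bean still has to name this domain, for example with @SecurityDomain("LoginDomain") from org.jboss.annotation.security on the bean class, or with <security-domain>java:/jaas/LoginDomain</security-domain> in jboss.xml.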