I’m trying to get to run a simple RBAC example with EJBs but when the client calls a method from a class that has a SecurityDomain I get: javax.ejb.EJBAccessException: JBAS013323: Invalid User.
Here’s my setup:
- Server Project
- EJB 3.1
- JBoss AS 7.1
- Picketbox (the 3 jar files that come with the download)
The client is a simple java project
My class in the server project that i would like to secure later looks like the following:
@Stateless
public class SomeBean implements SomeRemote, SomeLocal {
@Override
public void unsecuredMethod(Object obj) {
//do something
}
}
In jboss-ejb3.xml from META-INF I have :
<?xml version="1.0"?>
<jboss:ejb-jar xmlns:jboss="http://www.jboss.com/xml/ns/javaee"
xmlns="http://java.sun.com/xml/ns/javaee"
xmlns:s="urn:security"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://www.jboss.com/xml/ns/javaee http://www.jboss.org/j2ee/schema/jboss-ejb3-2_0.xsd
http://java.sun.com/xml/ns/javaee http://java.sun.com/xml/ns/javaee/ejb-jar_3_1.xsd"
version="3.1"
impl-version="2.0">
<assembly-descriptor>
<s:security>
<ejb-name>SomeBean</ejb-name>
<s:security-domain>SomeDomain</s:security-domain>
</s:security>
</assembly-descriptor>
</jboss:ejb-jar>
I use this file because I’m not able to import the org.jboss.ejb3.annotation.SecurityDomain annotation. (Maybe I have wrong dependencies?)
In standalone-full.xml from jboss-as-7.1.0.Final\standalone\configuration I have:
...
<subsystem xmlns="urn:jboss:domain:security:1.1">
<security-domains>
...
<security-domain name="SomeDomain" cache-type="default">
<authentication>
<login-module code="Database" flag="required">
<module-option name="dsJndiName" value="java:/DefaultDS"/>
<module-option name="principalsQuery" value="SELECT password FROM Customer WHERE username=?"/>
<module-option name="rolesQuery" value="SELECT rolename, 'Roles' FROM Role WHERE username=?"/>
<module-option name="unauthenticatedIdentity" value="guest"/>
</login-module>
</authentication>
</security-domain>
</security-domains>
</subsystem>
...
The exception occurs no matter if i attempt to authenticate within the client with
SecurityClient secClient =
SecurityClientFactory.getSecurityClient();
secClient.setSimple("username1", "password1");
secClient.login();
or just go with the guest role that the client should recieve if i don’t authenticate him (because of: name=”unauthenticatedIdentity” value=”guest”). Another thing is that the LoginException from the SecurityClient does not seem to be thrown even if i provide false credentials. After this i make a normal lookup for the SomeBean class and cast it to SomeRemote. When calling unsecuredMethod(..) the exception occurs. I tried it with both, giving the guest-user a role in the Role table and without.
Within the client project I didn’t do anything rbac or ejb related except using the SecurityClient and the lookup, I hope this is correct.
Maybe there is some good tutorial that explains everything. I may have the problem because my solution is based on a Jboss AS 6 tutorial.
Edit: After searching the internet for this exception for hours I found a hint in a book that says that if jboss cannot find the database tables used for authentication you will always get the message: “Invalid User”. So probably i have a problem with my data source configuration.
If this is an EJB being accessed remotely you will also need to update the security realm (ApplicationRealm) associated with the Remoting connector to use a jaas reference to your security domain so that the user can be authenticated on the inbound connection.