Spring, JAAS and EJB
    Hi guys.

    I am currently writing a web application which consists of the actual web part and the business part. The web part is implemented using Spring 3 and the business part is standard EJB 3.0. What I wish to do: authenticate the user in the web app, grant him some role (e.g. ROLE_ADMIN) and then make some EJB calls. The EJBs are annotated for security (@RolesAllowed("ROLE_ADMIN")). This is how the system is configured:
    - we are using Spring Security for authentication: we implemented a custom UsernamePasswordAuthenticationFilter (nothing fancy, the only different thing is that we need a two-factor authentication system - so, besides username and password, we also have some security token which we need to propagate to the actual login module - see below)
    - we have implemented a custom JaasAuthenticationProvider (only for providing callback handlers - username and password - and one simple granter - all that the granter does is to grant ROLE_ADMIN to any authenticated principal)
    - also, we have a custom LoginModule which does the actual authentication against the database; the core thing here is the commit method, which does something like:
    Code:
        // commit(): populate the JAAS Subject with the user and the role principal
        subject.getPrincipals().add(user);
        subject.getPrincipals().add(ROLE_ADMIN);
    - the JAAS login.configuration file:
    Code:
    AdminWebApplication {
        my.package.CustomLoginModule required
            useTicketCache=true
            debug=true;
    };
    The authentication process works just fine, with one tiny exception: when trying to invoke EJB methods annotated for security (@RolesAllowed("ROLE_ADMIN")), the granted authority (the role) is not transmitted correctly. I can see the authenticated principal in the SessionContext (sessionContext.getCallerPrincipal()), but as for the role, the EJB always throws an EJBAccessException.

    What am I missing? What might be wrong here? Did I not properly understand the JAAS integration between layers?

    Any advice is highly appreciated. Thanks in advance!

    Best regards,
    Daniel
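The post describes two halves of one JAAS flow: a LoginModule whose commit() adds a user principal and a role principal to the Subject, and a Spring Security AuthorityGranter that turns principals into authorities. The stand-alone program below is an added example, not the poster's code or Spring's, and it runs the whole flow with a pure-JDK LoginContext so the contents of the Subject can be inspected. All class names (JaasRoleDemo, DemoLoginModule, UserPrincipal, RolePrincipal), the in-memory user table and the credentials are hypothetical. The grant() method mirrors the contract of Spring's AuthorityGranter.grant(Principal) without depending on Spring. The security-relevant points it shows: role and user principals use distinct Principal types so that nothing downstream has to guess which is which; commit() only adds principals after a successful login() and records what it added so abort()/logout() remove exactly that; and the password array is cleared once compared. Whether the EJB container recognises those role principals is a separate, container-specific question (JBoss of that era, for instance, looked for role names inside a java.security.acl.Group named "Roles"), so a Subject that satisfies Spring's granter can still fail the container's @RolesAllowed check.

```java
import java.io.IOException;
import java.security.Principal;
import java.util.*;
import javax.security.auth.Subject;
import javax.security.auth.callback.*;
import javax.security.auth.login.*;
import javax.security.auth.spi.LoginModule;

public class JaasRoleDemo {

    // Distinct Principal types: consumers of the Subject (Spring's granter, the
    // container's role mapping) must be able to tell users from roles.
    static abstract class Named implements Principal {
        private final String name;
        Named(String name) { this.name = name; }
        @Override public String getName() { return name; }
        @Override public String toString() { return getClass().getSimpleName() + ":" + name; }
    }
    public static final class UserPrincipal extends Named { public UserPrincipal(String n) { super(n); } }
    public static final class RolePrincipal extends Named { public RolePrincipal(String n) { super(n); } }

    // Constructed sample data standing in for the database lookup; a real module
    // would compare a password hash rather than the plaintext.
    static final Map<String, char[]> USERS = Map.of("daniel", "s3cret".toCharArray());
    static final Map<String, Set<String>> ROLES = Map.of("daniel", Set.of("ROLE_ADMIN"));

    /** Hypothetical LoginModule: login() verifies credentials, commit() populates the Subject. */
    public static class DemoLoginModule implements LoginModule {
        private Subject subject;
        private CallbackHandler handler;
        private String user;
        private boolean authenticated;
        private final Set<Principal> added = new HashSet<>();

        @Override public void initialize(Subject subject, CallbackHandler handler,
                                         Map<String, ?> sharedState, Map<String, ?> options) {
            this.subject = subject;
            this.handler = handler;
        }

        @Override public boolean login() throws LoginException {
            NameCallback nc = new NameCallback("user: ");
            PasswordCallback pc = new PasswordCallback("password: ", false);
            try {
                handler.handle(new Callback[] { nc, pc });
            } catch (IOException | UnsupportedCallbackException e) {
                throw new LoginException("callback failed: " + e.getMessage());
            }
            char[] expected = USERS.get(nc.getName());
            char[] given = pc.getPassword();
            pc.clearPassword();
            authenticated = expected != null && given != null && Arrays.equals(expected, given);
            if (given != null) Arrays.fill(given, '\0');   // do not keep the secret around
            if (!authenticated) throw new FailedLoginException("bad credentials");
            user = nc.getName();
            return true;
        }

        // Phase two: only a successful login() may add principals; remember what was
        // added so abort()/logout() can undo exactly that and nothing else.
        @Override public boolean commit() {
            if (!authenticated) return false;
            added.add(new UserPrincipal(user));
            for (String role : ROLES.getOrDefault(user, Set.of())) added.add(new RolePrincipal(role));
            subject.getPrincipals().addAll(added);
            return true;
        }

        @Override public boolean abort() { return logout(); }

        @Override public boolean logout() {
            subject.getPrincipals().removeAll(added);
            added.clear();
            authenticated = false;
            return true;
        }
    }

    // Same contract as Spring Security's AuthorityGranter.grant(Principal): the
    // authority names this principal carries. Only role principals grant anything.
    static Set<String> grant(Principal p) {
        return p instanceof RolePrincipal ? Set.of(p.getName()) : Set.of();
    }

    public static void main(String[] args) throws LoginException {
        // In-memory equivalent of the AdminWebApplication entry in login.configuration.
        Configuration config = new Configuration() {
            @Override public AppConfigurationEntry[] getAppConfigurationEntry(String name) {
                return new AppConfigurationEntry[] { new AppConfigurationEntry(
                        DemoLoginModule.class.getName(),
                        AppConfigurationEntry.LoginModuleControlFlag.REQUIRED,
                        Map.of("debug", "true")) };
            }
        };
        // Stands in for the CallbackHandler that Spring's JaasAuthenticationProvider supplies.
        CallbackHandler handler = callbacks -> {
            for (Callback c : callbacks) {
                if (c instanceof NameCallback) ((NameCallback) c).setName("daniel");
                else if (c instanceof PasswordCallback) ((PasswordCallback) c).setPassword("s3cret".toCharArray());
                else throw new UnsupportedCallbackException(c);
            }
        };
        LoginContext lc = new LoginContext("AdminWebApplication", new Subject(), handler, config);
        lc.login();   // runs login() then commit() on the module
        Subject subject = lc.getSubject();

        Set<String> authorities = new LinkedHashSet<>();
        for (Principal p : subject.getPrincipals()) authorities.addAll(grant(p));
        System.out.println("principals : " + subject.getPrincipals());
        System.out.println("authorities: " + authorities);
    }
}
```

Run it with a single `java JaasRoleDemo.java` on Java 11 or later. If the printed authorities contain ROLE_ADMIN but the EJB still rejects the call, the Subject is fine from Spring's point of view and the gap is in how the container maps principals to roles (or in whether the JAAS Subject reaches the container at all), which is where to look next.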