Friday, March 25, 2005

JBoss EJB Security

In addition to the well-documented steps for securing EJBs, configuring them in JBoss has some potential pitfalls. Setting up an authentication policy requires editing some JBoss-specific files; the application-policy goes in login-config:

<application-policy name="policy-name">
  <authentication>
    <login-module code="" flag="optional">
      <!-- code="" is where the login module class name goes -->
      <module-option name="unauthenticatedIdentity">anonymous</module-option>
    </login-module>
  </authentication>
</application-policy>


If you set up a policy like this, you apparently must declare a method-permission in ejb-jar.xml for every method (or *) of every bean. Misnaming a method, or trying to use a partial wildcard (get*, which is not supported), produces an error like this:

Insufficient method permissions, principal=user, ejbName=Bean, method=method, interface=SERVICE_ENDPOINT, requiredRoles=[], principalRoles=[user-role1, user-role2]
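As an added example (not from the original post; AccountBean, the role names and the method names are constructed), here is an ejb-jar.xml assembly-descriptor that gives every method of a bean an explicit permission so the error above cannot occur, plus the jboss.xml entry that binds the deployment to the application-policy:

```xml
<!-- ejb-jar.xml (EJB 2.1); constructed example, names are hypothetical -->
<assembly-descriptor>
  <security-role>
    <role-name>user-role1</role-name>
  </security-role>

  <!-- Callers in user-role1 may invoke any method of the bean.
       method-name must be an exact name or "*"; get* is rejected. -->
  <method-permission>
    <role-name>user-role1</role-name>
    <method>
      <ejb-name>AccountBean</ejb-name>
      <method-name>*</method-name>
    </method>
  </method-permission>

  <!-- One read-only method is opened to every principal, including the
       "anonymous" identity produced by unauthenticatedIdentity. A method
       with no matching method-permission at all fails with
       requiredRoles=[] as in the error above, so every method needs
       either a role, an unchecked entry, or an exclude-list entry. -->
  <method-permission>
    <unchecked/>
    <method>
      <ejb-name>AccountBean</ejb-name>
      <method-intf>ServiceEndpoint</method-intf>
      <method-name>getVersion</method-name>
    </method>
  </method-permission>

  <!-- Methods that no caller may invoke on any interface. -->
  <exclude-list>
    <method>
      <ejb-name>AccountBean</ejb-name>
      <method-name>purgeAll</method-name>
    </method>
  </exclude-list>
</assembly-descriptor>

<!-- jboss.xml: binds the deployment to the login-config policy -->
<jboss>
  <security-domain>java:/jaas/policy-name</security-domain>
</jboss>
```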

1 comment:

John said...

For any methods to be unchecked, you must also have an unauth option set in the login-module of login-config:
<module-option name="unauthenticatedIdentity">anonymous</module-option>