Marcus

TomEE: Set up login (via JSF) to support @RolesAllowed

For some reason I got completely lost trying to get @RolesAllowed to work in TomEE. I've got a nicely working webapp on TomEE 8.0.8. I have set up a custom form authentication like this:

    import javax.enterprise.context.ApplicationScoped;
    import javax.faces.annotation.FacesConfig;
    import javax.security.enterprise.authentication.mechanism.http.CustomFormAuthenticationMechanismDefinition;
    import javax.security.enterprise.authentication.mechanism.http.LoginToContinue;

    // Declares the Jakarta Security custom form mechanism; /ui/login.xhtml collects
    // the credentials and the JSF login bean submits them.
    @CustomFormAuthenticationMechanismDefinition(
        loginToContinue = @LoginToContinue(
            loginPage = "/ui/login.xhtml",
            errorPage = "",
            useForwardToLogin = true
        )
    )
    @ApplicationScoped
    @FacesConfig(version = FacesConfig.Version.JSF_2_3)
    public class FacesVersionConfiguration {
    }

The Login page invokes the login() method of my LoginBean:

    import javax.faces.context.FacesContext;
    import javax.servlet.ServletException;
    import javax.servlet.http.HttpServletRequest;

    public String login() throws ServletException {
        // snipped..
        getHttpRequestFromFacesContext().login(userName, password);
        return null; // navigation outcome snipped
    }

    // the getter simply returns the HttpServletRequest
    private HttpServletRequest getHttpRequestFromFacesContext() {
        return (HttpServletRequest) FacesContext.getCurrentInstance().getExternalContext().getRequest();
    }

This will log in the user, and calls to SecurityContext.isCallerInRole("testRole") will return true. (The same is true for calling EJBContext.isCallerInRole("testRole").) However, using a @RolesAllowed("testRole") annotation on EJB methods will always end in:

javax.ejb.EJBAccessException: Unauthorized Access by Principal Denied
    org.apache.openejb.core.stateless.StatelessContainer.invoke(StatelessContainer.java:189)
    org.apache.openejb.core.ivm.EjbObjectProxyHandler.synchronizedBusinessMethod(EjbObjectProxyHandler.java:265)
    org.apache.openejb.core.ivm.EjbObjectProxyHandler.businessMethod(EjbObjectProxyHandler.java:260)
    org.apache.openejb.core.ivm.EjbObjectProxyHandler._invoke(EjbObjectProxyHandler.java:89)
    org.apache.openejb.core.ivm.BaseEjbProxyHandler.invoke(BaseEjbProxyHandler.java:349)

During my research I found "JSF Controller ignores @RolesAllowed annotation", which led me to configure TomEE to use JAAS by adding

<Realm className="org.apache.catalina.realm.JAASRealm" appName="PropertiesLogin"
       userClassNames="org.apache.openejb.core.security.jaas.UserPrincipal"
       roleClassNames="org.apache.openejb.core.security.jaas.GroupPrincipal">
</Realm>

to the server.xml. However, this didn't solve the problem: methods annotated with @RolesAllowed still throw javax.ejb.EJBAccessException, although SecurityContext.isCallerInRole() succeeds.

What would be the correct way to set this up in TomEE? I have already browsed through the TomEE examples, but I couldn't find a complete example that really sets up TomEE for login via JSF (custom form based) resulting in working @RolesAllowed EJB access. What did I miss? I really don't want to fall back to programmatic role checking.

Is there a way to find out what OpenEJB is actually doing inside the EJB proxy? Why are all 'my' checks positive, while OpenEJB's role check results in unauthorized access?

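As an added illustration that is not part of the question, and that does not claim to resolve the TomEE behaviour it describes, here are the Jakarta Security pieces that normally accompany the @CustomFormAuthenticationMechanismDefinition shown above: an IdentityStore that places the caller in testRole, a JSF login bean that submits the credential through SecurityContext.authenticate(), and an EJB guarded only by @RolesAllowed. DemoIdentityStore, LoginBean, ReportService, the alice/secret account and the /ui/secured.xhtml target are assumptions made up for this example.

```java
// ---- DemoIdentityStore.java (constructed for this example) ----
import java.util.Collections;
import javax.enterprise.context.ApplicationScoped;
import javax.security.enterprise.credential.Credential;
import javax.security.enterprise.credential.UsernamePasswordCredential;
import javax.security.enterprise.identitystore.CredentialValidationResult;
import javax.security.enterprise.identitystore.IdentityStore;

@ApplicationScoped
public class DemoIdentityStore implements IdentityStore {
    @Override
    public CredentialValidationResult validate(Credential credential) {
        if (!(credential instanceof UsernamePasswordCredential)) {
            return CredentialValidationResult.NOT_VALIDATED_RESULT;
        }
        UsernamePasswordCredential upc = (UsernamePasswordCredential) credential;
        // Constructed demo account; a production store compares against a stored hash.
        if (upc.compareTo("alice", "secret")) {
            // The group name returned here is what @RolesAllowed("testRole") is matched against.
            return new CredentialValidationResult("alice", Collections.singleton("testRole"));
        }
        return CredentialValidationResult.INVALID_RESULT;
    }
}

// ---- LoginBean.java (constructed for this example) ----
import javax.enterprise.context.RequestScoped;
import javax.faces.context.FacesContext;
import javax.inject.Inject;
import javax.inject.Named;
import javax.security.enterprise.AuthenticationStatus;
import javax.security.enterprise.SecurityContext;
import javax.security.enterprise.authentication.mechanism.http.AuthenticationParameters;
import javax.security.enterprise.credential.UsernamePasswordCredential;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

@Named
@RequestScoped
public class LoginBean {
    @Inject private SecurityContext securityContext;
    @Inject private FacesContext facesContext;   // injectable with @FacesConfig(JSF_2_3)
    private String userName;
    private String password;

    public String login() {
        HttpServletRequest request =
            (HttpServletRequest) facesContext.getExternalContext().getRequest();
        HttpServletResponse response =
            (HttpServletResponse) facesContext.getExternalContext().getResponse();

        // Hands the credential to the configured HttpAuthenticationMechanism
        // (the custom form mechanism) and its IdentityStore.
        AuthenticationStatus status = securityContext.authenticate(request, response,
            AuthenticationParameters.withParams()
                .credential(new UsernamePasswordCredential(userName, password)));

        switch (status) {
            case SEND_CONTINUE:
                // The mechanism already wrote the redirect to the originally requested page.
                facesContext.responseComplete();
                return null;
            case SUCCESS:
                return "/ui/secured.xhtml?faces-redirect=true"; // assumed protected page
            default:
                return "/ui/login.xhtml?faces-redirect=true";   // SEND_FAILURE or NOT_DONE
        }
    }

    public String getUserName() { return userName; }
    public void setUserName(String userName) { this.userName = userName; }
    public String getPassword() { return password; }
    public void setPassword(String password) { this.password = password; }
}

// ---- ReportService.java (constructed for this example) ----
import javax.annotation.security.DeclareRoles;
import javax.annotation.security.RolesAllowed;
import javax.ejb.Stateless;

@Stateless
@DeclareRoles("testRole")
public class ReportService {
    // The container evaluates the role before the body runs; the bean carries no
    // isCallerInRole() call, which is the point of declarative security.
    @RolesAllowed("testRole")
    public String confidentialReport() {
        return "report visible to testRole members only";
    }
}
```

SecurityContext.authenticate() routes the credential through the HttpAuthenticationMechanism declared by @CustomFormAuthenticationMechanismDefinition, whereas HttpServletRequest.login() asks the servlet container's realm; which of the two the OpenEJB container consults when it evaluates @RolesAllowed is exactly the open question in the post, and this example does not settle it. What it does show is the shape of a purely declarative setup: the group string returned by the IdentityStore must match the value in @RolesAllowed and @DeclareRoles character for character, and the EJBAccessException seen above is the container failing closed when that match is not established for the caller.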
