Uploaded image for project: 'Application Server 3 4 5 and 6'
  1. Application Server 3 4 5 and 6
  2. JBAS-7037

JBossAS 5.x fails to use EJB's security domain in jboss.xml when the call is from web container

    XMLWordPrintable

Details

    • Bug
    • Resolution: Done
    • Major
    • 6.0.0.M2
    • JBossAS-5.0.1.GA, JBossAS-5.1.0.GA
    • Security
    • Compatibility/Configuration
    • Workaround Exists
    • Hide

      Our workaround for standalone JBoss AS is to add "CLIENT_LOGIN_MODULE" application-policy in login-config.xml and use that for EJB container authentication.
      For clustering environment, the workaround is to add "BYPASSED-SECURITY" application-policy in login-config.xml to handle the EJB container authentication.

      Show
      Our workaround for standalone JBoss AS is to add "CLIENT_LOGIN_MODULE" application-policy in login-config.xml and use that for EJB container authentication. For clustering environment, the workaround is to add "BYPASSED-SECURITY" application-policy in login-config.xml to handle the EJB container authentication.

    Description

      A degredation from JBoss 4.0.x and 4.2.x to JBoss 5.0.1.GA and JBoss 5.1.0.GA.

      We noticed that the JAAS login in EJB container always picks up the Web app's security domain when the client login is originated from a web application client. The security domain specified in EJB container's jboss.xml is always ignored in this situation.

      The detailed problem description is posted on JBoss forum:
      http://www.jboss.org/index.html?module=bb&op=viewtopic&t=156863

      Attachments

        Issue Links

          blocks

          Task - Represents a small unit of work that is not end-user facing. JBPAPP-3329 Port JBAS-7037 fix to EAP branch

          • Major - To be worked after higher priority work items are addressed. When the severity is high and the effort to change it is low to moderate, this term is chosen. Issues in this category likely have an existing workaround but implementation or execution may be non-trivial.
          • Closed
          is blocked by

          Task - Represents a small unit of work that is not end-user facing. SECURITY-443 Add a setter method for the security domain in SecurityContext

          • Major - To be worked after higher priority work items are addressed. When the severity is high and the effort to change it is low to moderate, this term is chosen. Issues in this category likely have an existing workaround but implementation or execution may be non-trivial.
          • Closed

          Activity

            People

              sguilhen Stefan Guilhen
              clin1 Calvin Lin (Inactive)
              Votes:
              2 Vote for this issue
              Watchers:
              1 Start watching this issue

              Dates

                Created:
                Updated:
                Resolved: