ejb 3.0 - JBoss 5.1.0 EJB Security (unauthenticated principal via JNDI)


How do I secure remote EJBs against an unauthenticated principal in the JBoss 5.1.0.GA application server? After configuring EJB security, I can still access the remote EJBs through a JNDI lookup without any principal or credentials passed in. This is a security risk. I want to disable unauthenticated JNDI lookups on the remote EJBs.

Here is my server/conf/login-config.xml configuration:

    <application-policy name="<my security domain name>">
      <authentication>
        <login-module code="org.jboss.security.auth.spi.DatabaseServerLoginModule" flag="required">
          <module-option name="dsJndiName">java:jdbc/<my datasource name></module-option>
          <module-option name="principalsQuery"><my users query></module-option>
          <module-option name="rolesQuery"><my roles query></module-option>
          <module-option name="debug">true</module-option>
        </login-module>
      </authentication>
    </application-policy>

Here is my jboss.xml configuration in the EJB jar:

    <?xml version="1.0" encoding="UTF-8"?>
    <!DOCTYPE jboss PUBLIC "-//JBoss//DTD JBoss 5.0//EN" "http://www.jboss.org/j2ee/dtd/jboss_5_0.dtd">
    <jboss>
      <security-domain><my security domain name from login-config></security-domain>
    </jboss>

Here is how a JNDI lookup from a client accesses the beans. Note that the principal and credentials are not being passed in the context:

    // Client-side JNP lookup; the security properties are deliberately left commented out
    Hashtable<String, String> props = new Hashtable<String, String>();
    props.put(Context.INITIAL_CONTEXT_FACTORY, "org.jnp.interfaces.NamingContextFactory");
    props.put(Context.URL_PKG_PREFIXES, "org.jboss.naming:org.jnp.interfaces");
    props.put(Context.PROVIDER_URL, "jnp://localhost:1099");
    //props.put(Context.SECURITY_PRINCIPAL, "");
    //props.put(Context.SECURITY_CREDENTIALS, "");
    Context ctx = new InitialContext(props);
    ctx.lookup("<earname>/<ejb interface definition>/remote");

What is the issue? When no or wrong principal/credentials are passed, the user is authenticated as the anonymous principal and has full access to the remote EJBs via JNDI.

What I tried to fix the issue:

  • I deleted the following line from the login modules in server/conf/login-config.xml; it had no effect:

    <module-option name="unauthenticatedidentity">anonymous</module-option> 
  • I deleted the following line from server/conf/jboss-service.xml thinking it would resolve the issue; it had no effect:

    <attribute name="DefaultUnauthenticatedPrincipal">anonymous</attribute>
  • I deleted the application policy "client-login" from login-config.xml, which is in there by default, since I am using DatabaseServerLoginModule.

  • My jboss-ejb-policy and jboss-web-policy in server/deploy/security/security-policies-jboss-beans.xml extend the DatabaseServerLoginModule policy in login-config.xml.

  • I have no security related annotations in the EJB classes/interfaces.

Other things to note:

  • I tested the scenario in JBoss AS 7.1.1.Final and got EJBAccessException: invalid user, which is correct (you add a jboss-ejb3.xml to secure the EJBs via the security domain):

    <assembly-descriptor>
      <s:security>
        <ejb-name>*</ejb-name>
        <s:security-domain><security domain name here></s:security-domain>
      </s:security>
    </assembly-descriptor>
  • The issue here is not authorization but authentication; EJB security annotations do not help.

  • What I want is to prevent the anonymous principal from making the JNDI call.

  • I have enabled trace logging on org.jboss.security and can see that whenever I call JNDI the following is hit in the logs:

    principal: anonymous:callerrunas=null:callerrunas=null:ejbrestrictionenforcement=false:ejbversion=null];    policyregistration=org.jboss.security.plugins.jbosspolicyregistration@1f51a2f; 
  • I have verified that the configurations work, and DatabaseServerLoginModule works when I use programmatic login through WebAuthentication.

  • Even when passing the initial context a valid principal/credential from the database, the anonymous principal is used, indicating that the principal/credential is not processed from the context.

  • I can secure the EJBs through @RolesAllowed, @DeclareRoles, ... but as mentioned this is an authorization concern, not authentication, and if I have many roles and EJBs it is not good for maintainability.

How can I disable/prevent an unauthenticated anonymous JNDI lookup for the entire application automatically, as in JBoss 7.1.1? I know I can upgrade the application server as one solution, but I don't have the option to do so. It should be possible and easy in JBoss 5.1.0. I have looked for an answer everywhere and can't find it. Help!
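As an added example (not code from the question and not JBoss's own code), here is the conventional JBoss 5 way for a standalone remote client to attach a principal and credential before invoking an EJB: the client performs a JAAS login against a client-side `client-login` entry that uses `org.jboss.security.ClientLoginModule`, and the server's security domain (here the DatabaseServerLoginModule domain from the question) is consulted on each EJB method call rather than on the JNDI lookup. It assumes `jbosssx.jar` and the JBoss client jars are on the client classpath and that a client-side JAAS configuration file named `auth.conf` (an assumed name) defines the `client-login` entry; the bean JNDI name, user name and password are constructed placeholders. The lookup itself still succeeds for any caller; what changes is that the identity sent with the proxy's method calls is no longer anonymous.

```java
import java.util.Hashtable;

import javax.naming.Context;
import javax.naming.InitialContext;
import javax.naming.NamingException;
import javax.security.auth.login.LoginContext;
import javax.security.auth.login.LoginException;

// JBoss-specific callback handler shipped in jbosssx.jar
import org.jboss.security.auth.callback.UsernamePasswordHandler;

public class SecuredEjbClient {

    // JAAS entry name on the CLIENT side; it must map to
    // org.jboss.security.ClientLoginModule (see the auth.conf snippet below).
    private static final String CLIENT_LOGIN_ENTRY = "client-login";

    // Hypothetical JNDI name of the remote interface; replace with the real one.
    private static final String EJB_JNDI_NAME = "MyEar/MyBean/remote";

    public static void main(String[] args) throws NamingException, LoginException {
        // Tell JAAS where the client's login configuration lives (assumed file name).
        System.setProperty("java.security.auth.login.config", "auth.conf");

        // 1. Store the caller identity for this thread with ClientLoginModule.
        //    This does NOT authenticate against the server; it only records the
        //    principal/credential so the JBoss remoting layer sends them with every
        //    EJB invocation made from this thread.
        LoginContext lc = new LoginContext(CLIENT_LOGIN_ENTRY,
                new UsernamePasswordHandler("alice", "constructed-password".toCharArray()));
        lc.login();
        try {
            // 2. Plain JNP lookup, the same one the question shows. The naming
            //    service itself does not check the identity at this point.
            Hashtable<String, String> props = new Hashtable<String, String>();
            props.put(Context.INITIAL_CONTEXT_FACTORY, "org.jnp.interfaces.NamingContextFactory");
            props.put(Context.URL_PKG_PREFIXES, "org.jboss.naming:org.jnp.interfaces");
            props.put(Context.PROVIDER_URL, "jnp://localhost:1099");
            Context ctx = new InitialContext(props);

            Object proxy = ctx.lookup(EJB_JNDI_NAME);

            // 3. The server-side security domain (DatabaseServerLoginModule) runs when a
            //    business method is invoked through the proxy. A wrong password or an
            //    unknown user surfaces here as a SecurityException / EJBAccessException,
            //    not at the lookup above. Cast to the real remote interface and call it.
            System.out.println("Looked up proxy of type " + proxy.getClass().getName());
        } finally {
            // 4. Clear the thread-local identity so later calls do not reuse it.
            lc.logout();
        }
    }
}
```

The client-side `auth.conf` this assumes contains a single entry, `client-login { org.jboss.security.ClientLoginModule required; };`. Because ClientLoginModule only forwards what it is given, the check that matters for the question is still the one on the server: with an `unauthenticatedIdentity` configured on the security domain, a caller that sends nothing is mapped to that identity, so removing it (and verifying in the `org.jboss.security` trace log that the principal is no longer `anonymous`) is the server-side setting to confirm alongside this client change.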

