Has anyone that is using BlazeDS RemoteObject been able to retrieve the authenticated user roles through JBoss DatabaseLoginModule login policy?
I'm using BlazeDS 3.2.0 and JBoss 5.1. I can successfully authenticate, but users with unauthorized roles are still able to log in. I've changed the Realm in default/jbossweb.sar/server.xml to "strict" as shown below:
<Realm className="org.jboss.web.tomcat.security.JaccAuthorizationRealm" certificatePrincipal="org.jboss.security.auth.certs.SubjectDNMapping" allRolesMode="strict" />
The same login module is being used in other web apps and it works just fine. In default/conf/login-config.xml I have:
<application-policy name="MyPolicy">
  <authentication>
    <login-module code="org.jboss.security.auth.spi.DatabaseServerLoginModule" flag="required">
      <module-option name="dsJndiName">java:/DefaultDS</module-option>
      <module-option name="principalsQuery">SELECT PASSWD FROM USERS WHERE USER_ID=?</module-option>
      <module-option name="rolesQuery">SELECT ROLE_ID, 'Role' FROM ROLES WHERE USER_ID=?</module-option>
      <module-option name="hashUserPassword">true</module-option>
      <module-option name="hashAlgorithm">SHA-256</module-option>
      <module-option name="hashEncoding">base64</module-option>
    </login-module>
  </authentication>
</application-policy>
Other details:

WEB-INF/jboss-web.xml
<jboss-web>
  <security-domain flushOnSessionInvalidation="false">java:/jaas/MyPolicy</security-domain>
</jboss-web>
WEB-INF/context.xml
<Context>
  <Valve className="flex.messaging.security.TomcatValve" />
</Context>
WEB-INF/flex/services-config.xml
<security>
  <login-command class="flex.messaging.security.TomcatLoginCommand" server="JBoss">
    <per-client-authentication>false</per-client-authentication>
  </login-command>
  <security-constraint id="custom-admin-access">
    <auth-method>Custom</auth-method>
    <roles>
      <role>ADMIN</role>
    </roles>
  </security-constraint>
</security>
WEB-INF/flex/remoting-config.xml
<destination id="MyRemoteService">
  <properties>
    <source>test.blazeds.MyRemoteService</source>
    <scope>session</scope>
  </properties>
  <security>
    <security-constraint ref="custom-admin-access" />
  </security>
</destination>
I know I could try to implement my own JDBC-based Tomcat Realm, but that's something I would like to avoid since JBoss also provides other login modules, such as LDAP, that I might come to use in the future.
Thanks, B.
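An added example, not from the original post, that models what DatabaseServerLoginModule does with the two queries in the posted login-config: the PASSWD value it compares against with hashUserPassword=true, hashAlgorithm=SHA-256 and hashEncoding=base64, and the role groups it builds from the two columns of rolesQuery, where container authorization (the JACC realm and the BlazeDS security-constraint) only consults the group literally named "Roles". The sample rows and the UTF-8 password charset are assumptions made here.

```python
import base64
import hashlib


def password_hash(password: str, algorithm: str = "sha256", charset: str = "utf-8") -> str:
    """Value the module compares against the PASSWD column when
    hashUserPassword=true, hashAlgorithm=SHA-256, hashEncoding=base64.
    The charset is an assumption; JBoss uses its hashCharset option or the
    platform default."""
    digest = hashlib.new(algorithm, password.encode(charset)).digest()
    return base64.b64encode(digest).decode("ascii")


def verify_password(password: str, stored: str) -> bool:
    """Constant-time comparison of a presented password against the stored hash."""
    import hmac
    return hmac.compare_digest(password_hash(password), stored)


def role_groups(rows):
    """Mimic how rolesQuery results become JAAS groups: column 1 is the role
    name, column 2 is the name of the group the role is placed in."""
    groups = {}
    for role_name, group_name in rows:
        groups.setdefault(group_name, set()).add(role_name)
    return groups


def is_authorized(groups, required_role: str) -> bool:
    """Authorization checks membership in the group named 'Roles' only;
    roles filed under any other group name are never seen by the container."""
    return required_role in groups.get("Roles", set())


# Constructed rows: what the posted rolesQuery yields (second column is the
# literal 'Role') versus rows whose second column is the standard group 'Roles'.
ROWS_POSTED = [("ADMIN", "Role")]
ROWS_STANDARD = [("ADMIN", "Roles")]

if __name__ == "__main__":
    stored = password_hash("secret")
    print(stored, verify_password("secret", stored))
    print(is_authorized(role_groups(ROWS_POSTED), "ADMIN"))    # False
    print(is_authorized(role_groups(ROWS_STANDARD), "ADMIN"))  # True
```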