I am currently writing a web application which consists of the actual web part and the business part. The web part is implemented using Spring 3 and the business is standard EJB 3.0. What I wish to do: authenticate the user in the web app, grant him some role (eg: ROLE_ADMIN) and then make some EJB calls. The EJBs are annotated for security (@RolesAllowed("ROLE_ADMIN")). How is the system configured:
- we are using Spring Security for authentication: we implemented a custom UsernamePasswordAuthenticationFilter (nothing fancy, the only different thing is that we need a two-factor authentication system - so, besides username and password, we also have some security token which we need to propagate to the actual login module - see below)
- we have implemented a custom JaasAuthenticationProvider (only for providing callback handlers - username and password - and one simple granter - all that the granter does is to grant the ROLE_ADMIN to any authenticated principal)
- also, we have a custom LoginModule which does the actual authentication against the database; the core thing here is the commit method which does something like:
- the JAAS login.configuration file:
The authentication process works just fine, with one tiny exception: when trying to invoke EJB methods annotated for security (@RolesAllowed("ROLE_ADMIN")), the granted authority (the role) is not transmitted correctly. I can see the authenticated principal in the SessionContext (sessionContext.getCallerPrincipal()), but as for the role, the EJB always throws an EJBAccessException.
What am I missing? What might be wrong here? Did I not properly understand the JAAS integration between layers?
Any advice is highly appreciated. Thanks in advance!
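For reference, here is an added, self-contained JAAS LoginModule of the kind the question describes (a database-backed login whose commit() populates the Subject). It is example code written for this page, not the poster's module, and the class names (DatabaseLoginModule, NamedPrincipal), the in-memory credential store and the role string "ROLE_ADMIN" are assumptions made for illustration. The point it shows is where the two role-carrying objects live: Spring Security's granted authorities are derived by its AuthorityGranters and stored in the SecurityContextHolder, which an EJB container never consults; the container derives the caller's roles from the principals the LoginModule placed in the Subject, according to its own, container-specific conventions for role principals.

```java
import java.io.IOException;
import java.security.MessageDigest;
import java.security.Principal;
import java.util.Arrays;
import java.util.HashMap;
import java.util.Map;
import javax.security.auth.Subject;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.NameCallback;
import javax.security.auth.callback.PasswordCallback;
import javax.security.auth.callback.UnsupportedCallbackException;
import javax.security.auth.login.FailedLoginException;
import javax.security.auth.login.LoginException;
import javax.security.auth.spi.LoginModule;

/** Minimal Principal used for both the user entry and the role entry (assumed type, not a container API). */
final class NamedPrincipal implements Principal {
    private final String name;
    NamedPrincipal(String name) { this.name = name; }
    @Override public String getName() { return name; }
    @Override public boolean equals(Object o) { return o instanceof NamedPrincipal && ((NamedPrincipal) o).name.equals(name); }
    @Override public int hashCode() { return name.hashCode(); }
    @Override public String toString() { return name; }
}

/** Hypothetical database-backed LoginModule; the "database" is a constructed in-memory map for the example. */
public class DatabaseLoginModule implements LoginModule {
    private static final Map<String, byte[]> USERS = new HashMap<String, byte[]>();
    static { USERS.put("alice", "s3cret".getBytes()); } // constructed sample user; a real store holds salted hashes

    private Subject subject;
    private CallbackHandler handler;
    private String username;
    private boolean loginSucceeded;
    private boolean committed;
    private NamedPrincipal userPrincipal;
    private NamedPrincipal rolePrincipal;

    @Override
    public void initialize(Subject subject, CallbackHandler handler, Map<String, ?> sharedState, Map<String, ?> options) {
        this.subject = subject;
        this.handler = handler;
    }

    /** Phase 1: obtain credentials through the callbacks Spring's JaasAuthenticationProvider supplies. */
    @Override
    public boolean login() throws LoginException {
        NameCallback nameCb = new NameCallback("username");
        PasswordCallback passCb = new PasswordCallback("password", false);
        try {
            handler.handle(new Callback[] { nameCb, passCb });
        } catch (IOException e) {
            throw new LoginException("cannot obtain credentials: " + e.getMessage());
        } catch (UnsupportedCallbackException e) {
            throw new LoginException("callback handler does not supply name/password");
        }
        username = nameCb.getName();
        char[] password = passCb.getPassword();
        passCb.clearPassword();
        if (username == null || password == null) throw new FailedLoginException("missing credentials");
        byte[] stored = USERS.get(username);
        byte[] supplied = new String(password).getBytes();
        Arrays.fill(password, '\0'); // do not keep the clear-text password in memory longer than needed
        // Constant-time comparison; a real implementation compares password hashes and checks the second factor here.
        loginSucceeded = stored != null && MessageDigest.isEqual(stored, supplied);
        if (!loginSucceeded) throw new FailedLoginException("bad credentials");
        return true;
    }

    /** Phase 2: populate the Subject. What the EJB container treats as a role depends on the container,
     *  so the role principal type/name used here is an assumption, not a portable convention. */
    @Override
    public boolean commit() {
        if (!loginSucceeded) return false;
        userPrincipal = new NamedPrincipal(username);
        rolePrincipal = new NamedPrincipal("ROLE_ADMIN");
        subject.getPrincipals().add(userPrincipal);
        subject.getPrincipals().add(rolePrincipal);
        committed = true;
        return true;
    }

    @Override
    public boolean abort() {
        if (!loginSucceeded) return false;
        if (committed) return logout();
        username = null;
        loginSucceeded = false;
        return true;
    }

    @Override
    public boolean logout() {
        subject.getPrincipals().remove(userPrincipal);
        subject.getPrincipals().remove(rolePrincipal);
        username = null;
        loginSucceeded = false;
        committed = false;
        return true;
    }
}
```

When debugging a role that reaches the web tier but not the EJB tier, the useful check is to inspect subject.getPrincipals() after commit() and compare it with what the container's security domain documentation says it reads role names from; a ROLE_ADMIN authority visible in SecurityContextHolder only proves that Spring's granter ran, not that the container saw a role.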