19 Replies. Latest reply on Aug 2, 2010 2:08 AM by gauravag

    JAAS + EJB3.0 + JBoss unable to propagate

    gauravag

      Hi,

       

      I have made an application where the user (client) will get authenticated, then he/she can call EJB methods for some modifications where it has to be authorised.

      But the problem I'm having is that when my client is getting authenticated, then also while calling the EJB module it's always showing Invalid User although the user has been authenticated. The subject and all its principal values are also being propagated.

       

      So how do I get the same thing done?

       

      I have a UserServlet (this is the client end) as given below

       

       

      PasswordCallbackHandler handler = new PasswordCallbackHandler();
      LoginContext loginContext = new LoginContext("PassAuth", handler);
      loginContext.login();

      Set<Principal> pricipalSet = loginContext.getSubject().getPrincipals();

      Iterator iterator = pricipalSet.iterator();
      System.out.println("Principal = ");

      while (iterator.hasNext()) {
          Principal principal = (Principal) iterator.next();
          // SecurityAssociation.setPrincipal(principal);
          System.out.println("" + principal.getName());
      }//while()

      System.out.println("value of subject is " + loginContext.getSubject());
      Subject.doAs(loginContext.getSubject(), new PrivilegedAction() {
          public Object run() {
              System.out.println("in do As PrivilegedAction ................ ");
              try {
                  Properties properties = new Properties();
                  properties.setProperty("INITIAL_CONTEXT_FACTORY", "org.jnp.interfaces.NamingContextFactory");
                  properties.setProperty("URL_PKG_PREFIXES", "org.jboss.naming:org.jnp.interfaces");
                  properties.setProperty("PROVIDER_URL", "jnp://localhost:1099");
                  properties.put(Context.SECURITY_PRINCIPAL, "avril");

                  Context context = new InitialContext(properties);
                  Object object = context.lookup("java/AttributeBI/remote");
                  System.out.println("Object =============" + object);
                  AttributeBI attributeBI = (AttributeBI) object;
                  Attribute attribute = new Attribute();
                  attribute.setDataType("test");

                  System.out.println("SecurityAssociation.getSubject :: " + SecurityAssociation.getSubject());

                  attributeBI.createAttribute(attribute);

              } catch (Exception exception) {
                  exception.printStackTrace();
              }

              return true;
          }
      });

      loginContext.logout();
      

       

       

      Now this uses a config file. PassAuth.conf

       

      PassAuth {
         // jBoss LoginModule
         //com.mqa.iam.module.PasswordLoginModule required debug="true";
        org.jboss.security.ClientLoginModule required;
      };
      

       

       

      My PasswordLoginModule is as below.

      Here in this I'm getting the credentials of the subject, but even then it's showing invalid user.

       

       

      public void initialize(Subject subject,
                             CallbackHandler callbackHandler,
                             Map sharedState,
                             Map options) {

          System.out.println("----------Initialization In Login Module----------");
          this.subject = subject;
          this.callbackHandler = callbackHandler;
          this.sharedState = sharedState;
          this.option = options;
          vector_principal = new Vector();
          vector_credentials = new Vector();

          SecurityAssociation.setServer();

          // SecurityAssociationActions.setServer();
          if (option.containsKey("debug")) {
              debug = "true".equals(option.get("debug"));
          }//if
      }//Initialization


      public boolean login() throws LoginException {

          if (debug) {

              Callback[] callbacks = new Callback[2];
              callbacks[0] = new NameCallback("UserName :");
              callbacks[1] = new PasswordCallback("Password :", true);
              try {
                  callbackHandler.handle(callbacks);
              } catch (Exception ex) {
                  ex.printStackTrace();
              }
              NameCallback nameCallback = (NameCallback) callbacks[0];
              PasswordCallback passwordCallback = (PasswordCallback) callbacks[1];

              System.out.println("userName ==========" + nameCallback.getName());
              System.out.println("pwd ======================" + passwordCallback.getPassword());

              /* set principal as user's username */
              user_principal = new UserPrincipal(nameCallback.getName());
              vector_principal.add(user_principal);
              boolean f = SecurityAssociation.isServer();
              System.out.println("flag =================" + f);
          }//if
          return true;
      }//login()
      

       

       

       

      Please help me solve it.

        • 1. Re: JAAS + EJB3.0 + JBoss unable to propagate
          gauravag

          This is the output I'm getting...

           

           

          17:21:16,803 INFO  [TomcatDeployment] undeploy, ctxPath=/JaasWeb-war
          17:21:19,311 INFO  [TomcatDeployment] deploy, ctxPath=/JaasWeb-war
          17:22:20,445 INFO  [STDOUT] in do get ......................
          17:22:20,466 INFO  [STDOUT] ----------Initialization In Login Module----------
          17:22:20,479 INFO  [STDOUT] In handle() .........................
          17:22:20,479 INFO  [STDOUT] *UserName :
          17:22:20,479 INFO  [STDOUT] *Password :
          17:22:20,479 INFO  [STDOUT] userName ==========hell
          17:22:20,479 INFO  [STDOUT] pwd ======================[C@13db262
          17:22:20,480 INFO  [STDOUT] flag =================true
          17:22:20,482 INFO  [STDOUT] In handle() .........................
          17:22:20,482 INFO  [STDOUT] *User name: 
          17:22:20,482 INFO  [STDOUT] *Password: 
          17:22:20,483 INFO  [STDOUT] ------------Commit Event----------
          17:22:20,488 INFO  [STDOUT] Principal = 
          17:22:20,488 INFO  [STDOUT] hell
          17:22:20,488 INFO  [STDOUT] value of subject is Subject:
                  Principal: com.mqa.iam.principle.UserPrincipal@15d1f22
          17:22:20,489 INFO  [STDOUT] in do As PrivilegedAction ................ 
          17:22:20,495 INFO  [STDOUT] Object =============Proxy to jboss.j2ee:jar=PROTOTYPE.jar,
                    name=java/AttributeBI,service=EJB3 implementing [interface com.mqa.iam.bi.AttributeBI]
          17:22:20,496 INFO  [STDOUT] SecurityAssociation.getSubject :: Subject:
                  Principal: com.mqa.iam.principle.UserPrincipal@15d1f22
          17:22:20,525 ERROR [STDERR] javax.ejb.EJBAccessException: Invalid User
          17:22:20,526 ERROR [STDERR]         at org.jboss.ejb3.security.
                              Ejb3AuthenticationInterceptorv2.invoke(Ejb3AuthenticationIntercepto
          
          • 2. Re: JAAS + EJB3.0 + JBoss unable to propagate
            jaikiran

            Which version of JBoss AS is this?

            • 3. Re: JAAS + EJB3.0 + JBoss unable to propagate
              gauravag

              I'm using jboss-5.1.0.GA...

              • 4. Re: JAAS + EJB3.0 + JBoss unable to propagate
                jaikiran

                Gaurav Agarwal wrote:

                 

                
                                        Properties properties = new Properties();
                                  properties.setProperty("INITIAL_CONTEXT_FACTORY","org.jnp.interfaces.NamingContextFactory");
                                  properties.setProperty("URL_PKG_PREFIXES","org.jboss.naming:org.jnp.interfaces");
                                  properties.setProperty("PROVIDER_URL","jnp://localhost:1099");
                                  properties.put(Context.SECURITY_PRINCIPAL, "avril");
                 
                

                 


                Passing of the security principal through JNDI context properties will not work in AS-5. See Q10 (specifically the note about AS-5) in the security FAQ: http://community.jboss.org/wiki/SecurityFAQ

                • 5. Re: JAAS + EJB3.0 + JBoss unable to propagate
                  gauravag

                  Ya, I made a modification according to that in my code...

                  Even then, now the new code is like this

                   

                   

                   

                          Properties properties = new Properties();
                  
                          properties.setProperty(Context.INITIAL_CONTEXT_FACTORY,"org.jnp.interfaces.NamingContextFactory");
                          properties.setProperty(Context.URL_PKG_PREFIXES,"org.jboss.naming.client");
                          properties.setProperty(Context.PROVIDER_URL,"jnp://localhost:1099");
                  

                   

                   

                  Even after that it's giving me unauthorised user.

                   

                  Thanks in advance.

                  • 6. Re: JAAS + EJB3.0 + JBoss unable to propagate
                    jaikiran

                    The wiki says more than that. You will have to use a JBoss security specific class to login/logout. Have you done that?

                    • 7. Re: JAAS + EJB3.0 + JBoss unable to propagate
                      gauravag

                      No, I have defined a separate class for that.

                      The first code I have posted has the same login and logout thing.

                       

                      And where do we need to define this class?

                      Can you please provide me the source code if possible?

                       

                       

                      Thanks.

                      • 8. Re: JAAS + EJB3.0 + JBoss unable to propagate
                        jaikiran

                        Did you read Q10 in the SecurityFAQ that I pointed to you earlier? It already has the source code example, the details and a link to the forum thread discussing a similar issue.

                        • 9. Re: JAAS + EJB3.0 + JBoss unable to propagate
                          gauravag

                          Thanks for so quick a review.

                           

                          If I remove the security domain from my jboss.xml and @SecurityDomain from the EJB then it's working fine.

                           

                          Ya, I read that point and applied it as well. So I needed a jar, that is jboss-security-spi-as4-2.0.4.SP3.jar; after adding this there are some other conflicts coming in between the library files.

                          • 10. Re: JAAS + EJB3.0 + JBoss unable to propagate
                            jaikiran

                            Gaurav Agarwal wrote:

                             

                             

                             

                            If I remove the security domain from my jboss.xml and @SecurityDomain from the EJB then it's working fine.

                             

                            That effectively disables security on your EJBs.

                             

                            Gaurav Agarwal wrote:

                             


                            Ya, I read that point and applied it as well. So I needed a jar, that is jboss-security-spi-as4-2.0.4.SP3.jar; after adding this there are some other conflicts coming in between the library files.

                             

                            Where did you add that jar file? In your client application? And what kind of conflicts do you see? You shouldn't be packaging that jar file in your application. Also make sure you are using the correct version of the jar file in your client classpath. It should be of the same version as that on the server.

                            • 11. Re: JAAS + EJB3.0 + JBoss unable to propagate
                              gauravag

                              I have tried a lot of things but I'm unable to solve the issue.

                              Here I have attached the zip files for the web application as well as the EJB one; you can check them out. The login-config.xml looks like this (the modification):

                               

                               

                              <application-policy name="PassAuth">
                                  <authentication>
                                    <login-module code="com.mq.VerificationLoginModule"
                                      flag="required">
                                      <module-option name="debug">true</module-option>
                                    </login-module>
                                    <login-module code="org.jboss.security.ClientLoginModule" flag="required"></login-module>
                              
                                  </authentication>
                                </application-policy>

                               

                               

                              Please help. And thanks for all your support.

                              • 12. Re: JAAS + EJB3.0 + JBoss unable to propagate
                                wolfgangknauf

                                Hi,

                                 

                                I think you could use a simpler approach to your login module, as you need the standard functionality of username + password plus an additional EJB access check.

                                 

                                So, your login module could be a subclass of e.g. "org.jboss.security.auth.spi.DatabaseServerLoginModule" (source code e.g. here: http://www.docjar.com/html/api/org/jboss/security/auth/spi/DatabaseServerLoginModule.java.html ) , and you might add your own EJB access check to an override of "getRoleSets":

                                 

                                @Override
                                protected Group[] getRoleSets() throws LoginException
                                {
                                  String username = getUsername();
                                  Group[] roleSets = super.getRoleSets();

                                  // Try to access EJB here and set the flag if the call fails:
                                  boolean ejbAccessFail = false;
                                  if (ejbAccessFail)
                                  {
                                    roleSets = new Group[0];
                                  }

                                  return roleSets;
                                }

                                 

                                If the EJB access fails with a security exception, you could return an empty RoleSet.

                                 

                                Think about it, hopefully your security config will become much easier by this, and hopefully error detection will be easier.

                                 

                                By the way: to configure your login module, you might use this approach, too (you need 5.1 for this): http://server.dzone.com/articles/security-features-jboss-510

                                 

                                Best regards

                                 

                                Wolfgang

                                • 13. Re: JAAS + EJB3.0 + JBoss unable to propagate
                                  gauravag

                                  Thanks for all your support.

                                  Finally I'm able to propagate my user principal by using my own LoginModule as well as the org.jboss.security.ClientLoginModule for the propagation of values, without which it's not done....

                                   

                                  The other issue I'm facing to resolve is that the user roles are not getting well versed. If I apply @RolesAllowed to any EJB then that makes it always the Caller unauthorized exception, although it has been authenticated.

                                   

                                  So how do i make that...

                                  Please help.

                                   

                                  Thanks & Regards

                                  • 14. Re: JAAS + EJB3.0 + JBoss unable to propagate
                                    wolfgangknauf

                                    Hi,

                                     

                                    I don't know whether login works for JBoss by simply implementing "javax.security.auth.spi.LoginModule". I think your own login modules should plug in the JBoss security framework ("JBossSX"), which is done by subclassing "org.jboss.security.auth.spi.AbstractServerLoginModule".

                                    Your own approach seems to build a custom security framework which does not play together with JBoss ;-).

                                     

                                    The failing "@RolesAllowed" are a symptom of this: take a look at my last post, the method "getRoleSets" returns a list of user roles which are mapped against those RolesAllowed. But the concept of roles is missing in your LoginModule implementation, so that JBoss cannot do anything about it.

                                     

                                    Hope this helps

                                     

                                    Wolfgang
