19 Replies. Latest reply: Aug 2, 2010 2:08 AM by Gaurav Agarwal

JAAS + EJB3.0 + Jboss unable to propagate

Gaurav Agarwal Newbie

Hi,

 

I have made an application where the user (client) will get authenticated, then he/she can call EJB methods for some modifications where it has to be authorised.

But the problem I'm having is that when my client is getting authenticated, then also while calling the EJB module it's always showing Invalid User, although the user has been authenticated. The subject and all its principal values are also being propagated.

So how do I get the same thing done?

I have a UserServlet (this is the client end) as given below:

 

 

PasswordCallbackHandler handler = new PasswordCallbackHandler();
LoginContext loginContext = new LoginContext("PassAuth", handler);
loginContext.login();

Set<Principal> pricipalSet = loginContext.getSubject().getPrincipals();

Iterator iterator = pricipalSet.iterator();
System.out.println("Principal = ");

while (iterator.hasNext()) {
    Principal principal = (Principal) iterator.next();
    // SecurityAssociation.setPrincipal(principal);
    System.out.println("" + principal.getName());
}//while()

System.out.println("value of subject is " + loginContext.getSubject());
Subject.doAs(loginContext.getSubject(), new PrivilegedAction() {
    public Object run() {
        System.out.println("in do As PrivilegedAction ................ ");
        try {
            Properties properties = new Properties();
            properties.setProperty("INITIAL_CONTEXT_FACTORY", "org.jnp.interfaces.NamingContextFactory");
            properties.setProperty("URL_PKG_PREFIXES", "org.jboss.naming:org.jnp.interfaces");
            properties.setProperty("PROVIDER_URL", "jnp://localhost:1099");
            properties.put(Context.SECURITY_PRINCIPAL, "avril");

            Context context = new InitialContext(properties);
            Object object = context.lookup("java/AttributeBI/remote");
            System.out.println("Object =============" + object);
            AttributeBI attributeBI = (AttributeBI) object;
            Attribute attribute = new Attribute();
            attribute.setDataType("test");

            System.out.println("SecurityAssociation.getSubject :: " + SecurityAssociation.getSubject());

            attributeBI.createAttribute(attribute);

        } catch (Exception exception) {
            exception.printStackTrace();
        }

        return true;
    }
});

loginContext.logout();

 

 

Now this uses a config file, PassAuth.conf:

 

PassAuth {
   // jBoss LoginModule
   //com.mqa.iam.module.PasswordLoginModule required debug="true";
  org.jboss.security.ClientLoginModule required;
};

 

 

My PasswordLoginModule is as below.

Here I'm getting the credentials of the subject, but even then it's showing invalid user.

 

 

public void initialize(Subject subject,
                       CallbackHandler callbackHandler,
                       Map sharedState,
                       Map options) {

    System.out.println("----------Initialization In Login Module----------");
    this.subject = subject;
    this.callbackHandler = callbackHandler;
    this.sharedState = sharedState;
    this.option = options;
    vector_principal = new Vector();
    vector_credentials = new Vector();

    SecurityAssociation.setServer();

    // SecurityAssociationActions.setServer();
    if (option.containsKey("debug")) {
        debug = "true".equals(option.get("debug"));
    }//if
}//Initialization

public boolean login() throws LoginException {

    if (debug) {

        Callback[] callbacks = new Callback[2];
        callbacks[0] = new NameCallback("UserName :");
        callbacks[1] = new PasswordCallback("Password :", true);
        try {
            callbackHandler.handle(callbacks);
        } catch (Exception ex) {
            ex.printStackTrace();
        }
        NameCallback nameCallback = (NameCallback) callbacks[0];
        PasswordCallback passwordCallback = (PasswordCallback) callbacks[1];

        System.out.println("userName ==========" + nameCallback.getName());
        System.out.println("pwd ======================" + passwordCallback.getPassword());

        /* set principle as user's username */
        user_principal = new UserPrincipal(nameCallback.getName());
        vector_principal.add(user_principal);
        boolean f = SecurityAssociation.isServer();
        System.out.println("flag =================" + f);
    }//if
    return true;
}//login()

 

 

 

Please help me solve it.

  • 1. Re: JAAS + EJB3.0 + Jboss unable to propagate
    Gaurav Agarwal Newbie

    This is the output I'm getting...

     

     

    17:21:16,803 INFO  [TomcatDeployment] undeploy, ctxPath=/JaasWeb-war
    17:21:19,311 INFO  [TomcatDeployment] deploy, ctxPath=/JaasWeb-war
    17:22:20,445 INFO  [STDOUT] in do get ......................
    17:22:20,466 INFO  [STDOUT] ----------Initialization In Login Module----------
    17:22:20,479 INFO  [STDOUT] In handle() .........................
    17:22:20,479 INFO  [STDOUT] *UserName :
    17:22:20,479 INFO  [STDOUT] *Password :
    17:22:20,479 INFO  [STDOUT] userName ==========hell
    17:22:20,479 INFO  [STDOUT] pwd ======================[C@13db262
    17:22:20,480 INFO  [STDOUT] flag =================true
    17:22:20,482 INFO  [STDOUT] In handle() .........................
    17:22:20,482 INFO  [STDOUT] *User name: 
    17:22:20,482 INFO  [STDOUT] *Password: 
    17:22:20,483 INFO  [STDOUT] ------------Commit Event----------
    17:22:20,488 INFO  [STDOUT] Principal = 
    17:22:20,488 INFO  [STDOUT] hell
    17:22:20,488 INFO  [STDOUT] value of subject is Subject:
            Principal: com.mqa.iam.principle.UserPrincipal@15d1f22
    17:22:20,489 INFO  [STDOUT] in do As PrivilegedAction ................ 
    17:22:20,495 INFO  [STDOUT] Object =============Proxy to jboss.j2ee:jar=PROTOTYPE.jar,
              name=java/AttributeBI,service=EJB3 implementing [interface com.mqa.iam.bi.AttributeBI]
    17:22:20,496 INFO  [STDOUT] SecurityAssociation.getSubject :: Subject:
            Principal: com.mqa.iam.principle.UserPrincipal@15d1f22
    17:22:20,525 ERROR [STDERR] javax.ejb.EJBAccessException: Invalid User
    17:22:20,526 ERROR [STDERR]         at org.jboss.ejb3.security.
                        Ejb3AuthenticationInterceptorv2.invoke(Ejb3AuthenticationIntercepto
    
  • 2. Re: JAAS + EJB3.0 + Jboss unable to propagate
    jaikiran pai Master

    Which version of JBoss AS is this?

  • 3. Re: JAAS + EJB3.0 + Jboss unable to propagate
    Gaurav Agarwal Newbie

    I'm using jboss-5.1.0.GA...

  • 4. Re: JAAS + EJB3.0 + Jboss unable to propagate
    jaikiran pai Master

    Gaurav Agarwal wrote:

     

    
    Properties properties = new Properties();
    properties.setProperty("INITIAL_CONTEXT_FACTORY","org.jnp.interfaces.NamingContextFactory");
    properties.setProperty("URL_PKG_PREFIXES","org.jboss.naming:org.jnp.interfaces");
    properties.setProperty("PROVIDER_URL","jnp://localhost:1099");
    properties.put(Context.SECURITY_PRINCIPAL, "avril");
     
    

     


    Passing of security principal through jndi context properties will not work in AS-5. See Q10 (specifically the note about AS-5)  in security FAQ http://community.jboss.org/wiki/SecurityFAQ

  • 5. Re: JAAS + EJB3.0 + Jboss unable to propagate
    Gaurav Agarwal Newbie

    Ya, I made the modification according to that in my code...

    Even then, now the new code is like this:

     

     

     

            Properties properties = new Properties();
    
            properties.setProperty(Context.INITIAL_CONTEXT_FACTORY,"org.jnp.interfaces.NamingContextFactory");
            properties.setProperty(Context.URL_PKG_PREFIXES,"org.jboss.naming.client");
            properties.setProperty(Context.PROVIDER_URL,"jnp://localhost:1099");
    

     

     

    Even after that it's giving me unauthorised user.

     

    Thanks in advance.

  • 6. Re: JAAS + EJB3.0 + Jboss unable to propagate
    jaikiran pai Master

    The wiki says more than that. You will have to use a JBoss security specific class to login/logout. Have you done that?

  • 7. Re: JAAS + EJB3.0 + Jboss unable to propagate
    Gaurav Agarwal Newbie

    No, I have defined a separate class for that.

    The first code I have posted has the same login and logout thing.

    And where do we need to define this class?

    Can u please provide me the source code if possible?

     

     

    Thanks.

  • 8. Re: JAAS + EJB3.0 + Jboss unable to propagate
    jaikiran pai Master

    Did you read Q10 in the SecurityFAQ that I pointed to you earlier? It already has the source code example, the details and a link to the forum thread discussing a similar issue.

  • 9. Re: JAAS + EJB3.0 + Jboss unable to propagate
    Gaurav Agarwal Newbie

    Thanks for so quick review.

    If I remove the security domain from my jboss.xml and @SecurityDomain from the EJB, then it's working fine.

    Ya, I read that point and applied it as well. So I needed a jar, jboss-security-spi-as4-2.0.4.SP3.jar; after adding this there are some other conflicts coming in between the library files.

  • 10. Re: JAAS + EJB3.0 + Jboss unable to propagate
    jaikiran pai Master

    Gaurav Agarwal wrote:

    If I remove the security domain from my jboss.xml and @SecurityDomain from the EJB, then it's working fine.

    That effectively disables security on your EJBs.

    Gaurav Agarwal wrote:

    Ya, I read that point and applied it as well. So I needed a jar, jboss-security-spi-as4-2.0.4.SP3.jar; after adding this there are some other conflicts coming in between the library files.

     

    Where did you add that jar file? In your client application? And what kind of conflicts do you see? You shouldn't be packaging that jar file in your application. Also make sure you are using the correct version of the jar file in your client classpath. It should be of the same version as that on the server.

  • 11. Re: JAAS + EJB3.0 + Jboss unable to propagate
    Gaurav Agarwal Newbie

    I have tried a lot of things but I'm unable to solve the issue.

    Here I have attached the zip files for the web application as well as the EJB one; u can check them out. The login-config.xml looks like this (the modification):

     

     

    <application-policy name="PassAuth">
        <authentication>
          <login-module code="com.mq.VerificationLoginModule"
            flag="required">
            <module-option name="debug">true</module-option>
          </login-module>
          <login-module code="org.jboss.security.ClientLoginModule" flag="required"></login-module>
    
        </authentication>
      </application-policy>

     

     

    Please help. N thanks for all ur support.

  • 12. Re: JAAS + EJB3.0 + Jboss unable to propagate
    Wolfgang Knauf Master

    Hi,

     

    I think you could use a simpler approach to your login module, as you need the standard functionality of username + password plus an additional EJB access check.

     

    So, your login module could be a subclass of e.g. "org.jboss.security.auth.spi.DatabaseServerLoginModule" (source code e.g. here: http://www.docjar.com/html/api/org/jboss/security/auth/spi/DatabaseServerLoginModule.java.html ) , and you might add your own EJB access check to an override of "getRoleSets":

     

    @Override
    protected Group[] getRoleSets() throws LoginException
    {
      String username = getUsername();
      Group[] roleSets = super.getRoleSets();

      //Try to access EJB here:
      if ( ejbaccessFail)
      {
        roleSets = new Group[0];
      }

      return roleSets;
    }

     

    If the EJB access fails with a security exception, you could return an empty RoleSet.

     

    Think about it, hopefully your security config will become much easier by this, and hopefully error detection will be easier.

     

    By the way: to configure your login module, you might use this approach, too (you need 5.1 for this): http://server.dzone.com/articles/security-features-jboss-510

     

    Best regards

     

    Wolfgang

  • 13. Re: JAAS + EJB3.0 + Jboss unable to propagate
    Gaurav Agarwal Newbie

    Thanks for all ur support.

    Finally I'm able to propagate my user principal by using my own LoginModule as well as the org.jboss.security.ClientLoginModule for the propagation of values, without which it's not done....

    The other issue I'm facing to resolve is that the user roles are not getting well versed. If I apply @RolesAllowed to any EJB, then it always gives the Caller unauthorized exception, although it has been authenticated.

    So how do I make that...

    Please help.

     

    Thanks & Regards

  • 14. Re: JAAS + EJB3.0 + Jboss unable to propagate
    Wolfgang Knauf Master

    Hi,

     

    I don't know whether login works for JBoss by simply implementing "javax.security.auth.spi.LoginModule". I think your own login modules should plug in the JBoss security framework ("JBossSX"), which is done by subclassing "org.jboss.security.auth.spi.AbstractServerLoginModule".

    Your own approach seems to build a custom security framework which does not play together with JBoss ;-).

     

    The failing "@RolesAllowed" are a symptom of this: take a look at my last post, the method "getRoleSets" returns a list of user roles which are mapped against those RolesAllowed. But the concept of roles is missing in your LoginModule implementation, so that JBoss cannot do anything about it.

     

    Hope this helps

     

    Wolfgang
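
Added example (not part of the thread and not any poster's code): a sketch of the approach described in replies 12 and 14, a server-side login module that plugs into JBossSX by subclassing a JBoss class and supplies the roles that @RolesAllowed is matched against. It extends org.jboss.security.auth.spi.UsernamePasswordLoginModule, itself a subclass of AbstractServerLoginModule; the class name RoleAwareLoginModule, the in-memory user store, the password value and the role name AttributeEditor are assumptions made for illustration.

```java
import java.security.acl.Group;
import java.util.HashMap;
import java.util.Map;
import javax.security.auth.login.FailedLoginException;
import javax.security.auth.login.LoginException;
import org.jboss.security.SimpleGroup;
import org.jboss.security.SimplePrincipal;
import org.jboss.security.auth.spi.UsernamePasswordLoginModule;

// Hypothetical class name; configure it as the login-module of the EJB's security domain.
public class RoleAwareLoginModule extends UsernamePasswordLoginModule {

    // Constructed sample store: username -> { password, comma-separated roles }.
    // A real module would query a database or directory instead.
    private static final Map<String, String[]> USERS = new HashMap<String, String[]>();
    static {
        USERS.put("hell", new String[] { "example-password", "AttributeEditor" });
    }

    // The inherited login() obtains name and password through the CallbackHandler,
    // compares the password with the value returned here and throws
    // FailedLoginException on a mismatch, so authentication is never unconditional.
    @Override
    protected String getUsersPassword() throws LoginException {
        String[] entry = USERS.get(getUsername());
        if (entry == null) {
            throw new FailedLoginException("Unknown user");
        }
        return entry[0];
    }

    // Used by the inherited commit(): the members of the group named "Roles"
    // become the caller's roles, which the EJB container checks for @RolesAllowed.
    @Override
    protected Group[] getRoleSets() throws LoginException {
        Group roles = new SimpleGroup("Roles");
        String[] entry = USERS.get(getUsername());
        if (entry != null) {
            for (String role : entry[1].split(",")) {
                roles.addMember(new SimplePrincipal(role.trim()));
            }
        }
        return new Group[] { roles };
    }
}
```

With this module in the server-side security domain, a bean method annotated @RolesAllowed("AttributeEditor") is callable by the sample user only after the password check succeeds; a module that implements only javax.security.auth.spi.LoginModule and returns true from login() gives the container neither a verified identity nor a "Roles" group to evaluate.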
