4 Replies. Latest reply: Sep 21, 2004 5:19 AM by Nikola Ivačič

HTTP invoker and BASIC authentication

Eric Jain Newbie

Is there any way to set a username and password when using the HTTP invoker? On the server side, I can of course set any restrictions in the web.xml file, but what to do on the client side?

java.naming.factory.initial=org.jboss.naming.HttpNamingContextFactory
java.naming.factory.url.pkgs=org.jboss.naming:org.jnp.interfaces
java.naming.provider.url=https://xyz:8443/invoker/JNDIFactory

context.lookup("something")

-> javax.naming.NamingException: Failed to retrieve Naming interface. Root exception is java.io.IOException: Server returned HTTP response code: 401 for URL: https://xyz:8443/invoker/JNDIFactory

  • 1. Re: HTTP invoker and BASIC authentication
    Nikola Ivačič Newbie

    Try this:

    
    import org.jboss.security.SecurityAssociation;
    import org.jboss.security.SimplePrincipal;
    import javax.naming.InitialContext;
    import javax.naming.Context;
    import java.util.Properties;
    
    ....
     Properties properties = new Properties();
     properties.put(Context.INITIAL_CONTEXT_FACTORY, "org.jboss.naming.HttpNamingContextFactory");
     properties.put(Context.URL_PKG_PREFIXES, "org.jboss.naming:org.jnp.interfaces");
     properties.put(Context.PROVIDER_URL, "http://192.168.0.17:8080/invoker/JNDIFactory");
    
     SecurityAssociation.setCredential(password);
     SecurityAssociation.setPrincipal(new SimplePrincipal(user));
    
     InitialContext ctx = new InitialContext(properties);
    


    put jbossall-client.jar in classpath

    config/login-config.xml
    <application-policy name = "http-invoker">
      <authentication>
        <login-module code = "org.jboss.security.ClientLoginModule"
                      flag = "required">
        </login-module>
        <login-module code = "org.jboss.security.auth.spi.DatabaseServerLoginModule"
                      flag = "required">
          <module-option name = "unauthenticatedIdentity">guest</module-option>
          <module-option name = "dsJndiName">java:/MySQL-DS</module-option>
          <module-option name = "principalsQuery">SELECT passwd FROM jms_users WHERE name=?</module-option>
          <module-option name = "rolesQuery">SELECT jms_roles.name, 'Roles' FROM users_roles LEFT JOIN jms_roles, jms_users ON jms_roles.id = users_roles.id_role AND jms_users.id = users_roles.id_user WHERE jms_users.name=?</module-option>
        </login-module>
      </authentication>
    </application-policy>
    



    deploy/http-invoker.sar/invoker.war/WEB-INF/web.xml
    <security-constraint>
      <web-resource-collection>
        <web-resource-name>HttpInvokers</web-resource-name>
        <description>An example security config that only allows users with the
          role HttpInvoker to access the HTTP invoker servlets
        </description>
        <url-pattern>/*</url-pattern>
        <http-method>GET</http-method>
        <http-method>POST</http-method>
      </web-resource-collection>
      <auth-constraint>
        <role-name>topic-manager</role-name>
      </auth-constraint>
    </security-constraint>
    <login-config>
      <auth-method>BASIC</auth-method>
      <realm-name>JBoss HTTP Invoker</realm-name>
    </login-config>

    <security-role>
      <role-name>topic-manager</role-name>
    </security-role>
    


    deploy/http-invoker.sar/invoker.war/WEB-INF/jboss-web.xml
    <jboss-web>
     <security-domain>java:/jaas/http-invoker</security-domain>
    </jboss-web>
    


    the thing is that
    org.jboss.naming.HttpNamingContextFactory
    uses
    "org.jboss.invocation.http.interfaces.Util"
    which sets "java.net.Authenticator.setDefault()"
    with "org.jboss.invocation.http.interfaces.Util$SetAuthenticator"
    which uses "org.jboss.security.SecurityAssociationAuthenticator"
    that needs "org.jboss.security.SecurityAssociation"
    that holds the Credential and Principal objects

    But you might have some problems with SSL.

    p.s. It took me 2 days to come up with these lines (I guess I have an IQ problem :-)
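
The mechanism described in reply 1 is a JVM-wide `java.net.Authenticator` that answers the server's 401 challenge, and a default authenticator is consulted for every HTTP connection the process makes. As an added example (JDK classes only, not JBoss code and not from any poster), this authenticator releases the password only for a Basic challenge from one expected host over HTTPS. The class name, hosts and credentials are constructed.

```java
import java.net.Authenticator;
import java.net.PasswordAuthentication;
import java.net.URI;
import java.net.URL;

// Added illustration using JDK classes only; not JBoss code.
public class ScopedBasicAuthenticator extends Authenticator {
    private final String host;   // only this host may receive the credentials
    private final String user;
    private final char[] password;

    public ScopedBasicAuthenticator(String host, String user, char[] password) {
        this.host = host;
        this.user = user;
        this.password = password.clone();
    }

    @Override
    protected PasswordAuthentication getPasswordAuthentication() {
        URL url = getRequestingURL();
        // Answer only a Basic challenge from the expected origin server over HTTPS.
        boolean expected = getRequestorType() == RequestorType.SERVER
                && url != null
                && "https".equalsIgnoreCase(url.getProtocol())
                && host.equalsIgnoreCase(url.getHost())
                && "basic".equalsIgnoreCase(getRequestingScheme());
        // null means "no credentials": the caller sees the 401 and the password stays local.
        return expected ? new PasswordAuthentication(user, password) : null;
    }

    public static void main(String[] args) throws Exception {
        // Constructed hosts and credentials (assumptions, not values from the thread).
        Authenticator.setDefault(new ScopedBasicAuthenticator(
                "invoker.example.test", "demo-user", "demo-password".toCharArray()));
        String[] urls = {
            "https://invoker.example.test:8443/invoker/JNDIFactory",  // expected endpoint
            "http://invoker.example.test:8080/invoker/JNDIFactory",   // plain HTTP
            "https://other.example.test:8443/invoker/JNDIFactory"     // unexpected host
        };
        for (String s : urls) {
            URL u = URI.create(s).toURL();
            // Simulate the challenge an HTTP client hands to the default authenticator.
            PasswordAuthentication pa = Authenticator.requestPasswordAuthentication(
                    u.getHost(), null, u.getPort(), u.getProtocol(),
                    "JBoss HTTP Invoker", "basic", u, RequestorType.SERVER);
            System.out.println(s + " -> " + (pa != null ? "credentials supplied" : "withheld"));
        }
    }
}
```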

  • 2. Re: HTTP invoker and BASIC authentication
    Nikola Ivačič Newbie

    I forgot to say that you also need to include this in the classpath:

    /opt/jboss/server/default/lib/jbosssx.jar

  • 3. Re: HTTP invoker and BASIC authentication
    Scott Stark Master

    You do a JAAS login using the LoginContext class, the same as every other client-side security use case in JBoss. Direct use of SecurityAssociation is an unsupported usage.

  • 4. Re: HTTP invoker and BASIC authentication
    Nikola Ivačič Newbie

    Thanks and my apologies. Here is the correction of the client side:

    client auth.conf

    client-http-invoker {
     org.jboss.security.ClientLoginModule required
     ;
    };
    



    simple login handler class (taken from JAAS sticky/documentation):
    import javax.security.auth.callback.CallbackHandler;
    import javax.security.auth.callback.Callback;
    import javax.security.auth.callback.NameCallback;
    import javax.security.auth.callback.PasswordCallback;
    
    public class LoginHandler implements CallbackHandler {

        private String username;
        private String password;

        public LoginHandler(String username, String password) {
            this.password = password;
            this.username = username;
        }

        public void handle(Callback[] callbacks) {
            for (int j = 0; j < callbacks.length; j++) {
                if (callbacks[j] instanceof NameCallback) {
                    NameCallback nc = (NameCallback) callbacks[j];
                    nc.setName(this.username);
                } else if (callbacks[j] instanceof PasswordCallback) {
                    PasswordCallback pc = (PasswordCallback) callbacks[j];
                    pc.setPassword(this.password.toCharArray());
                }
            }
        }
    }
    


    client.java:
    import javax.naming.InitialContext;
    import javax.naming.Context;
    import javax.security.auth.login.LoginContext;
    import java.util.Properties;
    
    ....
    
     Properties properties = new Properties();
     properties.put(Context.INITIAL_CONTEXT_FACTORY, "org.jboss.naming.HttpNamingContextFactory");
     properties.put(Context.URL_PKG_PREFIXES, "org.jboss.naming:org.jnp.interfaces");
     properties.put(Context.PROVIDER_URL, "http://192.168.0.17:8080/invoker/JNDIFactory");
    
     LoginHandler lh = new LoginHandler(user, password);
     LoginContext lctx = new LoginContext("client-http-invoker", lh);
     lctx.login();
    
     InitialContext ctx = new InitialContext(properties);
    
    ....
    


    client VM parameters:
    -Djava.security.auth.login.config=auth.conf


    The server configuration remains the same.

    I'm also not certain that "org.jboss.security.ClientLoginModule" is the correct one, but nevertheless this works...

    But "jbosssx.jar" is still needed in the classpath due to "org.jboss.security.GetPrincipalInfoAction" and its dependencies.

    I'm not sure why this isn't part of "jbossall-client.jar"; maybe I didn't read the required docs again and the above code is not correct.

    Sorry, I didn't read the JAAS sticky/documentation due to a limited time frame.