1. Re: general security
mcarrion Sep 6, 2001 10:06 AM (in response to mcarrion)
That's the exception I get:
[LoginBean] Authentication exception, principal=null
[Default] java.rmi.RemoteException: checkSecurityAssociation; nested exception is:
java.lang.SecurityException: Authentication exception, principal=null
[Default] at org.jboss.ejb.plugins.SecurityInterceptor.checkSecurityAssociation(SecurityInterceptor.java:169)
[Default] at org.jboss.ejb.plugins.SecurityInterceptor.invokeHome(SecurityInterceptor.java:92)
[Default] at org.jboss.ejb.plugins.LogInterceptor.invokeHome(LogInterceptor.java:106)
[Default] at org.jboss.ejb.StatelessSessionContainer.invokeHome(StatelessSessionContainer.java:268)
[Default] at org.jboss.ejb.plugins.jrmp.server.JRMPContainerInvoker.invokeHome(JRMPContainerInvoker.java:437)
[Default] at org.jboss.ejb.plugins.jrmp.interfaces.HomeProxy.invokeHome(HomeProxy.java:237)
[Default] at org.jboss.ejb.plugins.jrmp.interfaces.HomeProxy.invoke(HomeProxy.java:182)
[Default] at $Proxy9.create(Unknown Source)
[Default] at LoginServlet.doGet(LoginServlet.java:63)
Thanks,
Marc
2. Re: general security
andreas Sep 6, 2001 10:12 AM (in response to mcarrion)
Do I understand correctly?
You want anybody to be able to access your servlet, but the beans to be secured?
Then implement a callback with a default user and password in your servlet, the same as described in the JAAS documentation for a single Java client.
But notice: all beans will use the same callback independent of the user. This means, if you pass authentication information to the callback, the last user will be taken for all sessions.
3. Re: general security
mcarrion Sep 6, 2001 10:39 AM (in response to mcarrion)
I didn't want to protect the servlet, but if I have to protect it I will, I don't mind; the problem is what I should do to authenticate the user. I have a bean that can authenticate the user using Active Directory from Microsoft, and I also have the security manager that authenticates the user if his name is 'test1', 'test2', 'testN'.
The problem is that the browser should show a login dialog. Should I make an HTML page with the form? (I already have one, but I don't know how to configure JBoss to use it.) That kind of thing.
Thanks again,
Marc
4. Re: general security
juliaac Sep 6, 2001 6:30 PM (in response to mcarrion)
If you have JAAS all set up, you can get a login screen by doing this in your web.xml:
<web-app>
  ...
  <login-config>
    <auth-method>BASIC</auth-method>
    <realm-name>My Realm</realm-name>
  </login-config>
  ...
</web-app>
If you want to use your own login form you would say FORM instead of BASIC, but I can't find an example for the life of me. Maybe someone else could post one.
Hope that helped.
5. Re: general security
mcarrion Sep 7, 2001 4:20 AM (in response to mcarrion)
In <realm-name> what must I specify? The name of a class extending a generic class, the jndi name of this class, or what?
Thanks again,
M.
6. Re: general security
pkghosh Sep 26, 2001 7:53 PM (in response to mcarrion)
I also have a similar situation. My servlets don't need to be secured, but the EJBs do. I have taken the following approach for JAAS authentication. Please let me know if you find anything wrong.
- Use ClientLoginModule for client and UsersRolesLoginModule for server
- In the login servlet, use callback to supply the name and password for client side authentication and then call a secured ejb method for server side authentication. Store name and password in http session
- In other servlets, before any secured ejb call, use LoginContext and do client side authentication using name and password stored in the http session before the ejb call.
Is there a better way?
Thanks,
Pranab
7. Re: general security
ashu Oct 15, 2001 3:32 PM (in response to mcarrion)
Can you tell me how I can secure my JSP code kept in the JBoss server root directory?
Typically I would like to encrypt my JSP code or a similar thing so that the code, if stolen, cannot be used by someone else from the web hosting dept.
Is there a standard method...?
8. Re: general security
jwkaltz Oct 16, 2001 2:33 AM (in response to mcarrion)
> - In the login servlet, use callback to supply the
> name and password for client side authentication and
> then call a secured ejb method for server side
> authentication. Store name and password in http
> session
Yeah, very similar here, I use the JBoss predefined callback
org.jboss.security.auth.callback.UsernamePasswordHandler
for that
9. It could be easier
ko5tik Oct 16, 2001 3:02 AM (in response to mcarrion)
You do not have to change all your JSPs.
Why not write an interceptor which does exactly the same as JbossSecurityMgrRealm (or even less)?
Hook up in pre-service, and set up principal/credential for beans access as you like.
JbossSecurityMgrRealm would not do this for requests which do not require authentication.