9 Replies Latest reply on Oct 16, 2001 3:02 AM by ko5tik

    general security

    mcarrion

      Hello, I need some help trying to set up the security in my application...

      I know it will sound really easy to you, but it's really complex for me.

      I have a servlet that calls some session beans.
      I want to protect only the beans, not the servlet. I created an implementation of SubjectSecurityManager and RealmMapping, it's a really dumb implementation... I added the assembly-descriptor in the deployment descriptors, etc...
      But when I run the servlet, the user is not authenticated. What should I do?

      Thanks,
      Marc

        • 1. Re: general security
          mcarrion

          That's the exception I get:

          [LoginBean] Authentication exception, principal=null
          [Default] java.rmi.RemoteException: checkSecurityAssociation; nested exception is:
          java.lang.SecurityException: Authentication exception, principal=null
          [Default] at org.jboss.ejb.plugins.SecurityInterceptor.checkSecurityAssociation(SecurityInterceptor.java:169)
          [Default] at org.jboss.ejb.plugins.SecurityInterceptor.invokeHome(SecurityInterceptor.java:92)
          [Default] at org.jboss.ejb.plugins.LogInterceptor.invokeHome(LogInterceptor.java:106)
          [Default] at org.jboss.ejb.StatelessSessionContainer.invokeHome(StatelessSessionContainer.java:268)
          [Default] at org.jboss.ejb.plugins.jrmp.server.JRMPContainerInvoker.invokeHome(JRMPContainerInvoker.java:437)
          [Default] at org.jboss.ejb.plugins.jrmp.interfaces.HomeProxy.invokeHome(HomeProxy.java:237)
          [Default] at org.jboss.ejb.plugins.jrmp.interfaces.HomeProxy.invoke(HomeProxy.java:182)
          [Default] at $Proxy9.create(Unknown Source)
          [Default] at LoginServlet.doGet(LoginServlet.java:63)

          Thanks,
          Marc

          • 2. Re: general security

            Do I understand you right?
            You want anybody to be able to access your servlet, but the beans should be secured?

            Then implement a callback with a default user and password in your servlet, the same as described in the JAAS documentation for a single Java client.

            But notice: all beans will use the same callback independent of the user. This means that if you pass authentication information to the callback, the last user will be taken for all sessions.

            • 3. Re: general security
              mcarrion

              I didn't want to protect the servlet, but if I have to protect it I will, I don't mind. The problem is what I should do to authenticate the user. I have a bean that can authenticate the user against Microsoft Active Directory, and I also have the security manager that authenticates the user if his name is 'test1', 'test2', 'testN'.

              The problem is that the browser should show a login dialog. Should I make an HTML page with the form (I already have one, but I don't know how to configure JBoss to use it)? That kind of thing.

              Thanks again,
              Marc

              • 4. Re: general security
                juliaac

                If you have JAAS all set up, you can get a login screen by doing this in your web.xml:

                <web-app>
                ...
                  <login-config>
                    <auth-method>BASIC</auth-method>
                    <realm-name>My Realm</realm-name>
                  </login-config>
                ...
                </web-app>

                If you want to use your own login form you would say FORM instead of BASIC, but I can't find an example for the life of me. Maybe someone else could post one.

                Hope that helped.

                • 5. Re: general security
                  mcarrion

                  In <realm-name> what must I specify? The name of a class extending a generic class, the JNDI name of this class, or what?

                  Thanks again,
                  M.

                  • 6. Re: general security
                    pkghosh

                    I also have a similar situation. My servlets don't need to be secured, but the EJBs do. I have taken the following approach for JAAS authentication. Please let me know if you find anything wrong.

                    - Use ClientLoginModule for the client and UsersRolesLoginModule for the server
                    - In the login servlet, use a callback to supply the name and password for client-side authentication and then call a secured EJB method for server-side authentication. Store the name and password in the HTTP session
                    - In other servlets, before any secured EJB call, use LoginContext and do client-side authentication using the name and password stored in the HTTP session before the EJB call.

                    Is there a better way?

                    Thanks,
                    Pranab

                    • 7. Re: general security
                      ashu

                      Can you tell me how I secure my JSP code kept in the JBoss server root directory.
                      Typically I would like to encrypt my JSP code or something similar, so that the code, if stolen, cannot be used by someone else from the web hosting department.

                      Is there a standard method...?

                      • 8. Re: general security
                        jwkaltz

                        > - In the login servlet, use callback to supply the
                        > name and password for client side authentication and
                        > then call a secured ejb method for server side
                        > authentication. Store name and password in http
                        > session

                        Yeah, very similar here. I use the JBoss predefined callback org.jboss.security.auth.callback.UsernamePasswordHandler for that.
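Replies 6 and 8 describe the procedure in words; the following is an added example of it, written for this page and not taken from either poster or from JBoss. It does the client-side JAAS login with ClientLoginModule via the UsernamePasswordHandler callback before every call to a secured bean, and undoes it afterwards. Assumptions, all labelled in the code: the JAAS configuration contains JBoss's usual `client-login` entry (the one that runs org.jboss.security.ClientLoginModule), a separate login servlet has already stored the user name and password in the HTTP session under the attribute names used here, and `LoginHome`/`Login` with a `whoAmI()` method stand in for the secured bean bound at `java:comp/env/ejb/Login`. ClientLoginModule does not check the password; it only attaches the principal and credential to the caller so the bean container's SecurityInterceptor receives something other than `principal=null` (the exception in reply 1). The real check happens server-side when the bean method is invoked. Because that association persists until it is undone, the login is repeated per request and the logout sits in a finally block.

```java
import java.io.IOException;
import javax.naming.InitialContext;
import javax.naming.NamingException;
import javax.rmi.PortableRemoteObject;
import javax.security.auth.login.LoginContext;
import javax.security.auth.login.LoginException;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;
import org.jboss.security.auth.callback.UsernamePasswordHandler;

/**
 * Added example, not code from the thread. Performs the client-side JAAS
 * login from replies 6 and 8 around each secured bean call.
 *
 * Assumptions (not stated on the page):
 *  - the JAAS configuration has JBoss's "client-login" entry, which runs
 *    org.jboss.security.ClientLoginModule;
 *  - a login servlet has already stored user name and password in the
 *    HTTP session under USER_ATTR / PASS_ATTR;
 *  - LoginHome / Login are the home and remote interfaces of the secured
 *    bean at java:comp/env/ejb/Login, and whoAmI() is one of its methods.
 */
public class SecuredCallServlet extends HttpServlet {

    static final String USER_ATTR = "jaas.user";   // hypothetical attribute names
    static final String PASS_ATTR = "jaas.pass";

    protected void doGet(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        HttpSession session = req.getSession(false);
        String user = (session == null) ? null : (String) session.getAttribute(USER_ATTR);
        char[] pass = (session == null) ? null : (char[]) session.getAttribute(PASS_ATTR);
        if (user == null || pass == null) {
            // No credentials yet: hand off to the login page (hypothetical path).
            resp.sendRedirect(req.getContextPath() + "/login");
            return;
        }

        LoginContext lc = null;
        try {
            // ClientLoginModule does not verify the password. It binds the
            // principal and credential to the caller so the bean container's
            // SecurityInterceptor receives them instead of principal=null.
            lc = new LoginContext("client-login",
                                  new UsernamePasswordHandler(user, pass));
            lc.login();

            String result = callSecuredBean();
            resp.setContentType("text/plain");
            resp.getWriter().println(result);
        } catch (LoginException e) {
            throw new ServletException("client-side JAAS login failed", e);
        } finally {
            // Undo the association so a container thread reused for the next
            // request does not keep carrying this user's identity.
            if (lc != null) {
                try {
                    lc.logout();
                } catch (LoginException ignored) {
                    // nothing sensible left to do here
                }
            }
        }
    }

    /** Looks up the secured bean and invokes one protected method. */
    private String callSecuredBean() throws ServletException {
        try {
            Object ref = new InitialContext().lookup("java:comp/env/ejb/Login");
            LoginHome home = (LoginHome) PortableRemoteObject.narrow(ref, LoginHome.class);
            Login bean = home.create();            // SecurityInterceptor runs here
            try {
                return bean.whoAmI();              // hypothetical secured method
            } finally {
                bean.remove();
            }
        } catch (NamingException e) {
            throw new ServletException("cannot look up secured bean", e);
        } catch (java.rmi.RemoteException e) {
            // A SecurityException nested in a RemoteException means the
            // server-side login module rejected the credentials.
            throw new ServletException("secured bean call failed", e);
        } catch (javax.ejb.CreateException e) {
            throw new ServletException("cannot create secured bean", e);
        } catch (javax.ejb.RemoveException e) {
            throw new ServletException("cannot remove secured bean", e);
        }
    }
}
```

Keeping the password in the HTTP session, as reply 6 does, means the session cookie now guards a reusable credential: serve the application over HTTPS and give the session a short timeout. If the server log still shows `Authentication exception, principal=null` with this in place, the servlet is reaching the bean on a thread where `login()` did not run, so check that every path to a secured call goes through this wrapper.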

                        • 9. It could be easier
                          ko5tik

                          You do not have to change all your JSPs.

                          Why not write an interceptor which does exactly the same as JbossSecurityMgrRealm (or even less)?

                          Hook it up in pre-service, and set up the principal/credential for bean access as you like.

                          JbossSecurityMgrRealm would not do this for requests which do not require authentication.