15. Re: JAAS Authorization problem
kpseal Jul 23, 2002 3:42 AM (in response to yoni)Matt, have you been able to make any progress on this? It's been driving me up the wall for a week now and I'm about to give up and implement my own security in the web tier.
Any thoughts on how to avoid this would be greatly appreciated! -
16. Re: JAAS Authorization problem
mattvincent Jul 23, 2002 1:49 PM (in response to yoni)Yes, it is driving me crazy too. I listed a few of the other (unanswered) related questions in this FAQ post: http://www.jboss.org/modules/bb/index.html?module=bb&op=viewtopic&t=forums/ I've been hoping that the JAAS Guru (Scott Stark) would just magically post an answer (or simply a pointer to the existing code that is managing this for the single-JVM JBoss-Tomcat).
I'll definitely let you know if I come up with a solution in the next couple of days. -
17. Re: JAAS Authorization problem
mattvincent Jul 25, 2002 5:06 PM (in response to yoni)OK, from looking at this for 30 secs, looks like this could be easy. Check out the 2 classes in:
JBoss-2.4.4-src\contrib\tomcat\src\main\org\jboss\tomcat\security
Then note how the JBoss-Tomcat bundle (I'm looking at Jboss-2.4.7_Tomcat-3.2.3) has this as the last RequestInterceptor in server.xml:
<!-- JBoss, Perform authentication and authorization using the security-domain
security manager.
-->
It gets the Security Mgr through JNDI using:
    // Get the JBoss security manager from the ENC context
    try
    {
        InitialContext iniCtx = new InitialContext();
        securityCtx = (Context) iniCtx.lookup("java:comp/env/security");
    }
    catch (NamingException e)
    {
        // lookup failed: no security domain is bound for this web app
    }
This is accessible from outside the JVM right? (e.g. java:comp/env/security)
I hope this is all really this simple. Will try out tonight and post my results tomorrow. -
18. Re: JAAS Authorization problem
kpseal Sep 8, 2002 1:53 PM (in response to yoni)Well, it's a month down the line and I still can't find a solution to this under JBoss 3.0.0, even with the source code.
I'm beginning to believe that I'm gonna have to write my own Servlet Filter to handle security! But that'd be about as portable as a ThinkPad, though.
So, just on the off-chance that someone's had an epiphany of late:
Please, does anyone know how to get my Catalina instance to use the principal that my JBoss 3.0.0 instance is using? -
19. Re: JAAS Authorization problem
jmejia424 Sep 9, 2002 8:41 PM (in response to yoni)Ditto! This seems like a problem that a lot of people are experiencing. Can someone please post the solution.
How can I get my Catalina instance to TEMPORARILY use the principal that my JBoss 3.0.0 instance is using? -
20. Re: JAAS Authorization problem
simon.nicholls Dec 10, 2002 8:40 AM (in response to yoni)Yoni, I think that you need to use a PrivilegedAction to wrap your access to the ejbs, and then use Subject.doAs - passing in your authenticated subject plus the action.
eg:
    import java.security.PrivilegedAction;
    import javax.naming.Context;
    import javax.naming.InitialContext;
    import javax.security.auth.Subject;

    public class MyAction implements PrivilegedAction {
        public Object run() {
            Object somethingToReturn = null;
            try {
                Context initialContext = new InitialContext();
                AnEJBHome anEJBHome = (AnEJBHome) initialContext.lookup("ejb/AnEJB");
                AnEJB anEJB = anEJBHome.create();
                somethingToReturn = anEJB.getSomethingToReturn();
            }
            catch (Exception e) {
                // don't swallow silently: a failed lookup or create is worth seeing
                e.printStackTrace();
            }
            return somethingToReturn;
        }
    }

    // run the action with the authenticated Subject attached to the call
    Object result = Subject.doAs(loggedInSubject, (PrivilegedAction) new MyAction());
By using a PrivilegedAction, security details are propagated along with the call. -
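An added example (editor's, not from any post in this thread) showing what Subject.doAs actually propagates: the Subject is bound to the AccessControlContext only for the duration of run(), so a callee that asks for the current Subject sees it inside the action and null before and after. The WhoAmIService and NamePrincipal classes are constructed stand-ins for the AnEJB business method and for the Principal a real login module would add; the Subject is built by hand rather than by LoginContext.login().

```java
import java.security.AccessController;
import java.security.Principal;
import java.security.PrivilegedAction;
import javax.security.auth.Subject;

/** Constructed stand-in for the "AnEJB" call in the post above (not a real EJB). */
class WhoAmIService {
    /** Returns the first principal name of the Subject bound to this call, or null if none. */
    String callerName() {
        Subject caller = Subject.getSubject(AccessController.getContext());
        if (caller == null) {
            return null;
        }
        for (Principal p : caller.getPrincipals()) {
            return p.getName();
        }
        return null;
    }
}

/** Minimal Principal; a real login module supplies its own implementation. */
final class NamePrincipal implements Principal {
    private final String name;
    NamePrincipal(String name) { this.name = name; }
    public String getName() { return name; }
    public String toString() { return "NamePrincipal[" + name + "]"; }
}

public class DoAsDemo {
    public static void main(String[] args) {
        // Constructed Subject standing in for the one LoginContext.login() would produce.
        Subject loggedInSubject = new Subject();
        loggedInSubject.getPrincipals().add(new NamePrincipal("alice"));
        loggedInSubject.setReadOnly();

        final WhoAmIService service = new WhoAmIService();

        // Outside doAs no Subject is bound, so the callee sees no principal.
        System.out.println("outside doAs: " + service.callerName());

        // Inside doAs the Subject travels with the call on this thread.
        String inside = Subject.doAs(loggedInSubject, new PrivilegedAction<String>() {
            public String run() {
                return service.callerName();
            }
        });
        System.out.println("inside doAs:  " + inside);

        // Once doAs returns the binding is gone again.
        System.out.println("after doAs:   " + service.callerName());
    }
}
```

Two caveats for anyone trying this against JBoss. First, Subject.getSubject(AccessControlContext) is deprecated on modern JDKs and Subject.current() (JDK 18+) is the replacement; the semantics shown above are the same. Second, doAs only binds the JAAS Subject in the caller's AccessControlContext; JBoss 3.x's EJB security interceptor takes the caller principal from its own thread-local org.jboss.security.SecurityAssociation, which is populated by the ClientLoginModule (or the web-tier realm), not by doAs. That is why a doAs wrapper alone can still produce "principal is null" at the bean, which matches the report later in this thread.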
21. Re: JAAS Authorization problem
simon.nicholls Dec 10, 2002 8:49 AM (in response to yoni)I should add that I think this is because prior to logging in and successfully accessing a servlet within security-constraints, there is no wrapper to propagate security details - as it's declared in the web.xml that none are needed!
I really really wish you could get hold of that remote_user, principal and role info though.... -
22. Re: JAAS Authorization problem
simon.nicholls Dec 10, 2002 9:09 AM (in response to yoni)KPSeal, I think your best bet is to use a declarative login (which can be automated) & then post-process once complete.
You should be able to get anything you need done that way (bar non single user/pass field auth), and in a more portable manner.
Are you still checking the "wall of silence" for graffiti? :-) I'm wondering exactly what you need done, and I'll try to help if I can! -
23. Re: JAAS Authorization problem
mbussa Dec 10, 2002 10:09 AM (in response to yoni)I am also seeing similar problem. I hope there is a solution for this.
Thanks -
24. Re: JAAS Authorization problem
simon.nicholls Dec 10, 2002 11:04 AM (in response to yoni)Hi mbussa, did Subject.doAs not work for you? You'll get a principal of null if you make ejb calls outside of the security framework.
Was it Application Clients you had trouble with? Here's an example at Sun:
http://216.239.37.100/search?q=cache:8QP3tKW9S2QC:access1.sun.com/codesamples/J2SE-JAASexample-part1.html+Subject.doAs&hl=en&ie=UTF-8 -
25. Re: JAAS Authorization problem
mbussa Dec 10, 2002 11:30 AM (in response to yoni)Hi Simon,
I did try Subject.doAs(). It didn't work. I was able to get authenticated (stand-alone client) from the JBoss server, and was able to print the subject. But when I try to create a secured EJB session bean I get a security exception "principal is null". I tried searching the web for solutions but no luck.
Thanks -
26. Re: JAAS Authorization problem
mbussa Dec 10, 2002 11:32 AM (in response to yoni)Hi Simon,
BTW, I am getting exceptions at both ends (server as well as client).
Thanks -
27. wrappers like would break JSP Tag pages
kenkyee Mar 3, 2003 2:50 PM (in response to yoni)Wouldn't wrappers like this break pages that use JSP tags to access EJBs? I.e., you'd have to code access to the EJBs in Java. I suppose you could write your own JSP tags to wrap this access, but that seems like a hack workaround for something that should be functional in Tomcat/JBoss.
The real issue seems to be that you can't share logins and roles properly between Tomcat and JBoss (and probably different web apps on the same server). -
28. Re: wrappers like would break JSP Tag pages
mickknutson Apr 1, 2003 2:38 PM (in response to yoni)WOW. I have never seen an issue go on so long without being resolved....
I have been fighting with JAAS and j_security_check for 2 months now.
I am trying to find out why my principal works fine, but my roles never carry over.
I get method permission errors, but I have defined the run-as attribute on all my EJBs. -
29. Re: wrappers like would break JSP Tag pages
craigdberry Apr 3, 2003 2:30 AM (in response to yoni)I'm the latest one in this mess. Mine doesn't even involve EJBs; all I want to do is a programmatic login in servlet A, which somehow stays stuck to the session such that when the user then visits protected servlet B, they're already logged in with the identity established in A. I have the logincontext part of it worked out, and the login() call succeeds, but it doesn't appear to get stored to the session (the next time I go to B, my form-based authenticator gets called rather than just passing through with the identity I built earlier).
I've seen reference to putting the constructed Subject into the httpsession, but no details. Does this work for my scenario? If so, what session key should I store it on?