1 Reply Latest reply on Oct 12, 2001 4:48 AM by ko5tik

More help needed

mmills Oct 8, 2001 9:07 AM

I seem to have figured out basic authentication.

I can request a "secure" page and get a login box. It even authenticates against a database. The page I request then makes calls to an EJB (see User code below) which work.

The problem comes when I try to make a link from that page to a new one that uses a different EJB (see RoleManager below). The calls now fail with InsufficientPermissions because the principal is null.

How do I keep the principal available so all calls to EJBs work?

My environment is:
jboss 2.4.1/tomcat 3.2.3

auth.conf
---------
staffapp {
org.jboss.security.auth.spi.DatabaseServerLoginModule required
dsJndiName="java:/Staff"
principalsQuery="select password from systemusers where userid=?"
rolesQuery="select r.description, r.rolegroup from role r, userroles ur where ur.userid=? and ur.roleid = r.id"
unauthenticatedIdentity=nobody
;
};

client-login {
org.jboss.security.ClientLoginModule required
multi-threaded=true
password-stacking=tryFirstPass
;
};

web.xml
-------
<security-constraint>
<web-resource-collection>
<web-resource-name>Secure Staffapp</web-resource-name>
<url-pattern>/secure/*</url-pattern>
<url-pattern>/htdocs/secure/*</url-pattern>
<http-method>POST</http-method>
<http-method>GET</http-method>
</web-resource-collection>
<auth-constraint>
<role-name>User</role-name>
<role-name>Echo</role-name>
</auth-constraint>
<user-data-constraint>
no description
<transport-guarantee>NONE</transport-guarantee>
</user-data-constraint>
</security-constraint>

<login-config>
<auth-method>BASIC</auth-method>
<realm-name>staffapp</realm-name>
</login-config>

jboss-web.xml
-------------
<jboss-web>
<security-domain>java:/jaas/staffapp</security-domain>
</jboss-web>

User-ejb-jar.xml
----------------
<ejb-jar>
<enterprise-beans>

<ejb-name>User</ejb-name>

</enterprise-beans>

<assembly-descriptor>
<method-permission>

<ejb-name>User</ejb-name>
<method-name>*</method-name>

</method-permission>
</assembly-descriptor>
</ejb-jar>

User-jboss.xml

<security-domain>java:/jaas/staffapp</security-domain>

<enterprise-beans>

<ejb-name>User</ejb-name>
<jndi-name>framework/User</jndi-name>

</enterprise-beans>

RoleManager-ejb-jar.xml
-----------------------
<ejb-jar>
<enterprise-beans>

<ejb-name>RoleManager</ejb-name>
<session-type>Stateless</session-type>
<transaction-type>Container</transaction-type>

</enterprise-beans>

<assembly-descriptor>
<method-permission>

<ejb-name>RoleManager</ejb-name>
<method-name>*</method-name>

</method-permission>
</assembly-descriptor>
</ejb-jar>

RoleManager-jboss.xml
---------------------

<security-domain>java:/jaas/staffapp</security-domain>

<enterprise-beans>

<ejb-name>RoleManager</ejb-name>
<jndi-name>framework/RoleManager</jndi-name>

</enterprise-beans>

1. Just a question

ko5tik Oct 12, 2001 4:48 AM (in response to mmills)

Is the second page also under the same security constraint?

Just a littlke explanation how it works
( security )

If you request a page which requires some authentication
( under securoty constraint )
An interceptor ( JbossSecurityMgrRealm ) fires and performs authentication ( password checking ) and
authorization ( assigment of roles ). Then it's checked that user has role required to access web resource.

Then "principal ( username ) and "credential" ( password ) are stored in

are store in SecurityAssociation object,
and then used by EJB invocations.

After request is processe, this interceptor removes them.

So, valid principal & credential data are there if
the page reqires authenticated access.

In the meanwhile ( when you request unsecured pages )
your username & password are stored on session in j_username & j_password

You also have to keep in mind, that principal & credential are also checked on server side - completely independet from frontend stuff. They may even use different login modules.
Actions