> The problem I want to discuss is how a Client GUI app
> can authenticate a user with JBoss using JAAS without
> invoking an EJB. The reason is that a GUI
> application should not allow users access to the GUI
> until they have been successfully authenticated with
> the server. I have done tons of Google searches and
> there does not seem to be any thing relating to this
> topic. Does any one have a good answer?

The easiest way is to invoke an EJB whose sole purpose is to check your login. It does this implicitly if the bean it protected, it doesn't need to do any business code; you can just have a protected ping so to speak. When the user has entered username and password, call that EJB, if no exception occurs enter your application, if a security exception occurs then authorization has failed.

> Any more thoughts?

Why do you want to use JBoss at all? It seems a bit like overkill to run a J2EE server just to provide authentication for your GUI application.

If you want to run using a proper authentication protocol, then look at the SRP login module.

What are you actually trying to secure, and how important is it? If it's only access to the application then that will be easily hackable anyway.

Also, a client shouldn't be given any more reasons for a failed logon, other than that it failed, so I dont' see why you want to propagate more information.

Luke.

Perhaps your no-op ejb method would seem like less of a hack to you if you named it something like login() .. besides I believe you will need to get something back from JBoss that tells you whether the user is logged in successfully or not.

Well, I don't think it's a hack either.

You can name your bean something like Session, and make it into a stateful session bean. That way, a single instance of the bean on the app server corresponds to a single instance of the UI, and their lifetimes are pretty much locked together. Later on, you might want to add further functionality to the Session, e.g. returning the list of all roles granted to the currently logged in user on the app server. You might manage a GUI's ACLs with the help of information served through such Session bean.

Also (I'm not 100% sure about this...), I don't think you even need the no-op method. The EJBCreate (home interface's create()) method cannot be invoked without adequate permission, so just creating the bean will cause the authentication/authorization to go through.

> But what is not currently provided "out of the box" is the ability to authenticate a user with the server
>(JBoss) from the client without going invoking a no-op secured EJB.

Yes there is. Like I said before - use the SRP login module.

I have the same problem.

Does it not say in the JBoss book that there is container managed as well as Bean managed security?

I tried to migrate a WAR file I was using under Apache/Tomcat to JBoss (2.4.4/Tomcat4.0.1 bundle.)

The WAR unpacks fine and the JSP logon page compiles OK. The servlets also start up OK. (The EmbeddedCatalinaServiceSX even says it has 'configured an authenticator of type FORM') which is in line with what's specified in web.xml/logon JSP for the webapp. Now shouldn't the container take over somehow? How do I tell it where/what to authenticate against?

When I log on however, I am 'allowed in' to the application regardless of what user/password (or nothing) I enter. Furthermore, even when I put in a user that is valid according to the authenticator module I set up in auth.conf, it doesn't make any difference, the application still thinks I do not have any roles. This suggests to me that my webapp does not know or is not being told about the authenticator I have set up in auth.conf.

I tried setting up a <security-domain></security-domain> in standardjboss.xml but that didn't do anything either.

Any ideas?

Regards,
Daniel

Does the method described in http://main.jboss.org/thread.jsp?forum=49&thread=9264 help answer the original question?

Roger

I can now log on to the Web app using the FORM based authentication. (I added a jboss.xml with a <security-domani></security-domain> pair and an authenticator in the auth.conf file.

I can now not seem to keep a valid HTTP session alive. I can log on and bring up my applet but as soon as I try to call the servlet again, it reports that the session is invalid. The code I am using is (req is the HTTP request sent from my Applet:

if (! req.isRequestedSessionIdValid() || req.getRemoteUser() == null || req.getSession(false) == null)
{
//send session status back or redirect or whatever.
...
}

If you're calling it from an applet then you'll presumably have to handle the session IDs yourself. How are you doing this (or are you)?

Luke.

When the applet makes a call to the servlet using an HTTP message, the servlet before doing anything else checks the validity of the session as described.

If the session is invalid (e.g. timeout due to idleness), the servlet packages up an object array and sends it back as follows:
private void redirectToLogin(HttpServletResponse res, int reason, String message)
throws IOException
{
// Return an object requesting that the BaseApplet redirects to the login page.
//
Object[] messages = {message};

Object[] obj = new Object[3];
obj[0] = new Integer(reason);
obj[1] = messages;
obj[2] = null;

// Write the object back.
//
ObjectOutputStream out = new ObjectOutputStream(res.getOutputStream());
out.writeObject(obj);
out.flush();
out.close();
}

The applet has a standard handling method (overloaded method callServlet()) for the returned object which checks that the session is still valid then returns the object to whatever called it in turn, note the use of the Constants class. This holds (as the name suggests) a bunch of global constants which are really just intetegers in general. INVALID_SESSION is just a number:
public Object callServlet(Properties props, String servletName)
{
URL url = null;
try
{
url = new URL(this.get("code_base") + servletName);
}
catch (Exception e)
{
e.printStackTrace();
}

//This method as you can see is overloaded
//When it gets called here, it just sends an HTTP
//message and gets the returned object (hopefully
//useful data) back.
Object obj = callServlet(props, url);

// See if the session has expired.
// Static data requests do not return session status so an exception will be thrown. Ignore it.
//
try
{
if (((Integer) ((Object[]) obj)[0]).intValue() == Constants.INVALID_SESSION)
{
// Session is old. Redirect back to a page that will trigger the login process.
//
if (Constants.DEBUGGING)
{
System.out.println("Session has expired.");
}

sendError("Your login has timed out. The current action has been cancelled.");
url = new URL(this.get("code_base") + "html/");
((AppletContext) this.get("applet context")).showDocument(url);
}
else if (((Integer) ((Object[]) obj)[0]).intValue() == Constants.INVALID_VERSION)
{
sendError("This is an old version. Please quit the browser to reload a new version");
}
}
catch (Exception ignore) {}

return obj; //to whatever function asked for it. (It will contain useful data if it didn't hit the invalid session processing.)
}

The handling works but the problem is that after login, the session seems to immediately be invalid. The very first call made by my Applet is 'rejected' because the session has become invalid (i.e. the handling in the Servlet decides this.)

Daniel