5 Replies Latest reply on Sep 3, 2002 9:08 PM by zx44093

    Login module with session bean that needs authentication

    stoffe

      Hi!

      I have a server login module that uses a session bean to validate usernames and passwords.
      This works fine!
      The problem occurs when I add the session bean to a security domain: then the login module has to authenticate itself when it is trying to create the bean, since it's in a security domain.

      I guess that the login module's principal and credential can be stored in the auth.conf file, but how do I set it? Right now, when I'm calling create, the login module is called again but with the username and password set to null (the session bean and the initial request are both under the same security domain, so it might be a little bit confusing).

      I could probably allow the bean to be created outside of a security domain, but then anyone can read usernames and passwords.

      It's a little bit of a chicken-and-egg problem.
      But the login module should act as a client as well.
      Or am I missing something?

      Thanks, Kristoffer

        • 1. Re: Login module with session bean that needs authentication
          stoffe

          Maybe I need to clarify what the intention is? :)
          There is a secure web that requires basic authentication to access. The security domain is X.

          There is a server login module that is responsible for verifying that the user trying to access the web has the right role.

          In the process of verification, the login module uses a session bean that is also in the security domain X to fetch the true username and password and try to match it with the one supplied by the basic authentication of the web.

          Now the login module is called by itself implicitly when it is trying to create the session bean.
          In that stage both username and password are null.

          • 2. Re: Login module with session bean that needs authentication
            drcharris

            The only way round this would be to put the session bean in a different security domain. Is there a reason this can't be done?

            • 3. Re: Login module with session bean that needs authentication
              cumulus

              Hi,

              I read your question and wanted to ask, are you trying to use the JAAS-based security model provided by JBoss, or are you replacing the JBoss security model with one of your own?

              If you are trying to use the JBoss security model, then any method call to an EJB container gets a security check before it is allowed inside the container. So, if a method call is not allowed inside the EJB container without security clearance, then how could a session bean be used for security purposes when it is on the other side of the security wall (inside the EJB container)?

              If I am misunderstanding your situation please let me know.

              For plain-vanilla JBoss server security, you would write a LoginModule based on the JBoss classes, and then declare it in the server-side auth.conf, along with any necessary options. JBoss will load and use the class as needed.

              • 4. Re: Login module with session bean that needs authentication
                mkotsbak

                Anyone having a solution to this? It annoys me much, so I am considering writing a patch to JBoss that gives the login module a role/user.

                • 5. Re: Login module with session bean that needs authentication
                  zx44093

                  You can put all of them in the same security domain. All you need to do is declare not to check the security for the authentication session bean using tag in your ejb-jar.xml file.