10 Replies Latest reply on Sep 9, 2002 5:58 PM by jmejia424

    Help please : securing simple Ejb problem

    cdkcdk

      Hello,

      I'm trying to secure a simple EJB, called Demo.jar, but it won't work! Every time I call my client, I get the following error:

      client:
      [java] java.rmi.ServerException: RemoteException occurred in server thread; nested exception is:
      [java] java.rmi.RemoteException: checkSecurityAssociation; nested exception is:
      [java] java.lang.SecurityException: Authentication exception, principal=null
      [java] java.rmi.RemoteException: checkSecurityAssociation; nested exception is:
      [java] java.lang.SecurityException: Authentication exception, principal=null
      [java] java.lang.SecurityException: Authentication exception, principal=null
      [java] at sun.rmi.transport.StreamRemoteCall.exceptionReceivedFromServer(StreamRemoteCall.java:245)
      [java] at sun.rmi.transport.StreamRemoteCall.executeCall(StreamRemoteCall.java:220)
      [java] at sun.rmi.server.UnicastRef.invoke(UnicastRef.java:122)
      [java] at org.jboss.invocation.jrmp.server.JRMPInvoker_Stub.invoke(Unknown Source)
      [java] at org.jboss.invocation.jrmp.interfaces.JRMPInvokerProxy.invoke(JRMPInvokerProxy.java:128)
      [java] at org.jboss.invocation.InvokerInterceptor.invoke(InvokerInterceptor.java:108)
      [java] at org.jboss.proxy.TransactionInterceptor.invoke(TransactionInterceptor.java:73)
      [java] at org.jboss.proxy.SecurityInterceptor.invoke(SecurityInterceptor.java:76)
      [java] at org.jboss.proxy.ejb.HomeInterceptor.invoke(HomeInterceptor.java:185)
      [java] at org.jboss.proxy.ClientContainer.invoke(ClientContainer.java:76)
      [java] at $Proxy0.create(Unknown Source)
      [java] at DemoClient.main(Unknown Source)
      [java] Exception in thread "main"
      [java] Java Result: 1

      I'm attaching my jar file.

      I'm stuck with that problem so any help is welcome.

      Thanks,
      Obiwan (which the Force has seemingly left...)

        • 1. Re: Help please : securing simple Ejb problem
          cdkcdk

          Oops I forgot the attachment !

          • 2. Re: Help please : securing simple Ejb problem
            cdkcdk

            Nobody seems to like my question. If it is too stupid for you, sorry, I'm new to JBossSX and JAAS, so just tell me where I can find docs, but please don't leave me stuck here...


            ANY help or hints or example are welcome,
            Ooobi

            • 3. Re: Help please : securing simple Ejb problem
              tool

              Hey, no question is stupid. It just takes a while to get an answer sometimes. If you're like me you never get an answer to the questions you post. It's just the way it is. Anyways, I took a look at demo.jar and can't find anything majorly wrong with it. How about posting the .ear (and answering the question below) and maybe I can deploy it and try to help a bit?

              What version of JBoss are you running? If it is 3.0.0 or 3.0.1, you have to use the login-config.xml file in place of the auth.conf file.

              Oh, and if you are using JBoss 2.4.x and are still looking for examples... try the article by Scott Stark at http://www.javaworld.com/javaworld/jw-08-2001/jw-0831-jaas.html
              Some of the example code is wrong (at least it wouldn't work for me) so I have included the final working version of that example, including the ant build file and the jars, wars and ears.

              Hope some of this helps and it isn't all mindless ramblings...
              tool

              • 4. Re: Help please : securing simple Ejb problem
                cdkcdk

                Yeah, I already tried Mr Stark's examples and they work fine.

                I'm working with JBoss 3.0.0. I didn't try to use login-config.xml yet. I'm gonna try it.

                One question: is building an ear file required or optional? I mean, isn't it possible to run my client without that? Without security it works fine.

                Thanks for your help,
                Obiwan

                • 5. Re: Help please : securing simple Ejb problem
                  tool

                  What I know about the .ear situation is this:
                  If you are deploying anything web-based you need to use a .war file, and you are required to place the .war in an .ear file and use an application.xml descriptor file.
                  However, if you aren't using anything like that, then using an .ear file is optional.

                  If you need an example of the login-config setup, I posted a .zip file in the "FORM login doesn't work properly, help!!" thread in this forum.

                  Hope the login-config.xml thing works for you.
                  tool

                  • 6. Re: Help please : securing simple Ejb problem
                    cdkcdk

                    All right. I'll have a look at your post and I'll tell you...

                    Thanks a lot,
                    May the force be with you,
                    Obiwan

                    • 7. Re: Help please : securing simple Ejb problem
                      cdkcdk

                      Well, I tried to replace my auth.conf file with a simplified copy of your example, but it still doesn't work. I still get the same error: principal=null.

                      • 8. Re: Help please : securing simple Ejb problem
                        hurzeler

                        Hi there,

                        I had the exact same error 'principal=null' coming up for days now and I was always looking on the jboss side for a fix. How wrong I was!

                        One has to make sure that the client code already has a principal set before it calls anything on the server side.

                        For example, if you are calling your ejb method from a servlet, the servlet needs to be declared in a <security-constraint> element in web.xml, otherwise it will be executed with principal=null and hence your ejb will be called with principal=null. This all sounds obvious, but if you forget it, it just won't work.

                        web.xml (the forum stripped some tags; the <servlet>, <description> and closing </security-constraint> elements are restored below so the fragment is well-formed)

                        <servlet>
                        <servlet-name>SecureServlet</servlet-name>
                        <display-name>Secure Servlet</display-name>
                        <servlet-class>com.timeTag.web.SecureServlet</servlet-class>
                        </servlet>

                        <servlet-mapping>
                        <servlet-name>SecureServlet</servlet-name>
                        <url-pattern>/servlet/SecureServlet</url-pattern>
                        </servlet-mapping>

                        <security-constraint>
                        <web-resource-collection>
                        <web-resource-name>Secure Content</web-resource-name>
                        <description>Security Constraint</description>
                        <url-pattern>/servlet/*</url-pattern>
                        </web-resource-collection>

                        <auth-constraint>
                        <role-name>Administrator</role-name>
                        </auth-constraint>
                        </security-constraint>

                        With other clients it is the same. You need to authenticate first and propagate your principal.

                        I hope this helps.

                        Bernie

                        • 9. Re: Help please : securing simple Ejb problem
                          damomurf

                          Hurzeler,
                          In your last comment you say:
                          "With other clients it is the same. You need to authenticate first and propagate your principal."

                          How exactly is it that you propagate the principal to JBoss, once you've authorised it in Tomcat? (I'm referring to the situation where Tomcat and JBoss are running in separate VMs)

                          Thanks,
                          Damian.

                          • 10. Re: Help please : securing simple Ejb problem
                            jmejia424

                            Yes! How would you authenticate for one or two method calls and propagate that authentication? I have a STRUTS Plugin that when initialized calls a Session Bean, and then the Session Bean calls an Entity Bean. Both the Session and Entity are secure. However, the Plugin works as a service and shouldn't have to be authenticated as anyone.

                            Any ideas? Would love an example if you have it.
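The "principal=null" error in the original post, Bernie's point in reply 8 that the caller must have a principal established before the EJB is invoked, and the follow-up questions in replies 9 and 10 about propagating that principal all come down to the same mechanism on the JBoss 3.0.x client side: a JAAS login through org.jboss.security.ClientLoginModule, which records the principal and credential so the proxy's SecurityInterceptor sends them with each invocation, where the server-side login module for the bean's security domain checks them. The following standalone client is an added example written for this thread; it is not code from any poster or from the JBoss project. DemoHome, Demo, the sayHello() method, the JNDI name "Demo", the login-configuration name "client-login", and the user name and password are assumed placeholders for the original poster's bean; org.jboss.security.ClientLoginModule, org.jboss.security.auth.callback.UsernamePasswordHandler and org.jnp.interfaces.NamingContextFactory are real JBoss classes of that era.

```java
// Added example (not code from the thread or from JBoss): a standalone client that
// establishes a principal through JAAS before touching the secured bean.
//
// Assumed client-side auth.conf, passed with -Djava.security.auth.login.config=auth.conf
// (on JBoss 3.0.x the server side uses login-config.xml instead, as reply 3 notes):
//
//   client-login {
//       org.jboss.security.ClientLoginModule required;
//   };
//
// ClientLoginModule performs no password check of its own: it only stores the
// principal and credential in the client's SecurityAssociation so that the
// JBoss proxy's SecurityInterceptor sends them along with every invocation.
// The actual authentication happens on the server, in the login module
// configured for the bean's security domain.
import java.util.Hashtable;

import javax.naming.Context;
import javax.naming.InitialContext;
import javax.rmi.PortableRemoteObject;
import javax.security.auth.login.LoginContext;
import javax.security.auth.login.LoginException;

import org.jboss.security.auth.callback.UsernamePasswordHandler;

public class SecureDemoClient {

    // DemoHome, Demo, sayHello() and the JNDI name "Demo" are assumed names for
    // the poster's bean; the user name and password are placeholders.
    public static void main(String[] args) throws Exception {
        String user = args.length > 0 ? args[0] : "obiwan";
        String password = args.length > 1 ? args[1] : "changeme";

        // 1. Authenticate on the client side first. Without this step the proxy
        //    sends no principal, and the server answers with exactly the error
        //    from the original post: "Authentication exception, principal=null".
        LoginContext lc;
        try {
            lc = new LoginContext("client-login",
                    new UsernamePasswordHandler(user, password.toCharArray()));
            lc.login();
        } catch (LoginException e) {
            System.err.println("client login failed: " + e.getMessage());
            return;
        }

        try {
            // 2. Look up and call the bean as usual; the principal recorded by
            //    ClientLoginModule now travels with the invocation.
            Hashtable env = new Hashtable();
            env.put(Context.INITIAL_CONTEXT_FACTORY,
                    "org.jnp.interfaces.NamingContextFactory");
            env.put(Context.PROVIDER_URL, "jnp://localhost:1099"); // assumed server address
            Context ctx = new InitialContext(env);

            Object ref = ctx.lookup("Demo");
            DemoHome home = (DemoHome) PortableRemoteObject.narrow(ref, DemoHome.class);
            Demo demo = home.create();
            System.out.println("server says: " + demo.sayHello());
            demo.remove();
        } finally {
            // 3. Clear the principal again so later calls from this JVM do not
            //    silently run under the logged-in identity.
            lc.logout();
        }
    }
}
```

The same login/logout pair is what a servlet running outside a <security-constraint>, or a service-style caller such as the Struts plugin in reply 10, would need around its bean calls, using an identity created for that service and granted only the roles those two beans require; the login and logout bracket exactly the calls that need the identity, so nothing else in the JVM inherits it.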