11 Replies Latest reply on Sep 19, 2002 1:45 PM by matthias

    JBoss3.0 Authentication-Problem with Client

    matthias

      Hi,

      I have some experience with JBoss 2.4. Now I am doing my first tests
      with JBoss 3.0. I want to log in to the server from a client program.

      To do this, I have expanded the test.client.TestClient.java example
      with the login algorithm from the JBoss 2.4 example
      (docs/jaas/howto/SessionClient.java):

      --------------SessionClient------------------------------------------------------------
      // Needs: import javax.security.auth.login.LoginContext;
      //        import javax.security.auth.login.LoginException;
      String name = args[0];
      char[] password = args[1].toCharArray();
      String example = args[2];
      // Do not echo the password to stdout
      System.out.println("+++ Running SessionClient with username="+name+", example="+example);
      try
      {
          // AppCallbackHandler is the callback handler class from the JBoss JAAS howto example
          AppCallbackHandler handler = new AppCallbackHandler(name, password);
          // "TestClient" is the entry name looked up in the JAAS login configuration
          LoginContext lc = new LoginContext("TestClient", handler);
          System.out.println("Created LoginContext");
          lc.login();
      }
      catch (LoginException le)
      {
          System.out.println("Login failed");
          le.printStackTrace();
      }
      --------------SessionClient------------------------------------------------------------

      When I start this program, I receive the exception message:

      "Unable to locate a login configuration"

      at the line:

      LoginContext lc = new LoginContext("TestClient", handler);

      I have studied the security chapter of the Quick Start Guide, but
      I don't find information to solve my problem.

      My questions are:

      - Has the login algorithm changed in JBoss 3.0?
      - Do I have to change something in the file "login-config.xml"?

      I would be glad to get help with my problem.

      Regards Matthias Lakämper

        • 1. Re: JBoss3.0 Authentication-Problem with Client
          matthias

          The problem is solved; I have added a property to the start script.

          -Djava.security.auth.login.config=file://C:/JBoss/jboss-3.0.0_tomcat-4.0.3/client/auth.conf

          Regards Matthias Lakämper
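
The check below is an added example, not code from the thread or from JBoss. It sets the same `java.security.auth.login.config` property as the reply above and reports which entry a `LoginContext("TestClient", ...)` would resolve to. The class name `LoginConfigCheck` and the file contents are constructed for illustration; `org.jboss.security.ClientLoginModule` is only named in the sample file and is never loaded.

```java
import java.nio.file.Files;
import java.nio.file.Path;
import javax.security.auth.login.Configuration;

public class LoginConfigCheck {

    /** Name of the entry LoginContext(appName, handler) would use, or null if none. */
    static String resolveEntry(Configuration cfg, String appName) {
        if (cfg.getAppConfigurationEntry(appName) != null) return appName;
        // LoginContext falls back to the entry named "other" when appName is absent.
        if (cfg.getAppConfigurationEntry("other") != null) return "other";
        return null;
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample file: no "TestClient" entry, only "other".
        Path conf = Files.createTempFile("auth", ".conf");
        Files.writeString(conf,
            "other {\n    org.jboss.security.ClientLoginModule required;\n};\n");

        // Same property as the -D option in the reply, set before first use.
        System.setProperty("java.security.auth.login.config", conf.toUri().toString());
        try {
            Configuration cfg = Configuration.getConfiguration();
            String entry = resolveEntry(cfg, "TestClient");
            System.out.println(entry == null
                ? "No entry for TestClient and no 'other' fallback in " + conf
                : "LoginContext(\"TestClient\") resolves to entry '" + entry + "'");
        } catch (SecurityException e) {
            // Raised when no login configuration file can be located or parsed.
            System.out.println("Configuration not loaded: " + e.getMessage());
        } finally {
            Files.deleteIfExists(conf);
        }
    }
}
```

Running the same check against the real client `auth.conf` shows whether the application name is defined there or is being served by the `other` entry.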

          • 2. Re: JBoss3.0 Authentication-Problem with Client
            bakerloo

            Hi,

            I've read the example in jboss\docs\jaas\howto and I was wondering how the method "Principal user = request.getUserPrincipal();" is able to retrieve the user's parameters (login and password). Should these be parameters of the servlet?

            Thanks for help,

            Nathalie

            • 3. Re: JBoss3.0 Authentication-Problem with Client
              bakerloo

              Hi,

              This method request.getUserPrincipal() is used in SecureEJBServlet.java.

              Thanks for help,

              Nathalie

              • 4. Re: JBoss3.0 Authentication-Problem with Client
                matthias

                Hi,

                At the moment, my test case uses a client application,
                not a servlet.

                To see the actual user, for example
                in TestSessionBean.java,
                I have added the lines

                Principal p = mContext.getCallerPrincipal();
                System.out.println("callerPrincipal=" + p );

                in a public function.

                Is that your question?

                Regards Matthias

                • 5. Re: JBoss3.0 Authentication-Problem with Client
                  bakerloo

                  Hi,

                  So, your client application checks if the password is correct for the given username (via the DatabaseServerLoginModule that checks in the database if the data are correct) and the Session Bean security declaration (in ejb-jar.xml) ensures that the user has the right (via the user's role) to call the Session Bean method.
                  Is that correct?

                  In fact, I've read some examples in other threads of this forum that use a login.jsp to log in to the database (using a ConfiguredIdentityLoginModule) and then call a Session Bean, which checks that the role of the user is correct. There is no check of the password. And I wondered if it was possible to check credentials in a servlet or a JSP via the DatabaseServerLoginModule, with a CallbackHandler for example.

                  Thanks,
                  Nathalie.

                          • 10. Re: JBoss3.0 Authentication-Problem with Client
                            matthias

                            Hi Nathalie,


                            - So, your client application checks if the password is correct for the given username
                            - (via the DatabaseServerLoginModule that checks in the Database if data are correct)
                            - and the Session Bean security declaration (in ejb-jar.xml) ensures that the user has the
                            - right (via the user's role), to call the Session Bean method.
                            - Is that correct?

                            No, it's not exactly correct; the password is checked by JBoss.

                            I've done the following changes to activate security:

                            Add a new application-policy

                            ---server\default\conf\login-config.xml------------
                            <application-policy name="sample-domain">
                              <authentication>
                                <!-- Users and roles are read from the two properties files named below -->
                                <login-module code="org.jboss.security.auth.spi.UsersRolesLoginModule" flag="required">
                                  <module-option name="usersProperties">sample.users</module-option>
                                  <module-option name="rolesProperties">sample.roles</module-option>
                                </login-module>
                              </authentication>
                            </application-policy>
                            ---server\default\conf\login-config.xml------------


                            Add a security domain in jboss.xml

                            ---jboss.xml---------------------------
                            <?xml version="1.0" encoding="UTF-8" ?>
                            <!DOCTYPE jboss (View Source for full doctype...)>
                            <jboss>
                              <security-domain>java:/jaas/sample-domain</security-domain> <!-- this line is important !!! -->
                              <enterprise-beans>
                                <entity>
                                  <ejb-name>test/TestBMPEntity</ejb-name>
                                  <jndi-name>ejb/test/TestBMPEntity</jndi-name>
                                </entity>
                                <entity>
                                  <ejb-name>test/TestEntity</ejb-name>
                                  .
                                  .
                                  .
                            ---jboss.xml---------------------------


                            Add the following doclet to TestSessionBean.java
                            ---TestSessionBean.java
                            * @ejb:security-role-ref role-name="EchoCaller"
                            * role-link="Echo"
                            *
                            * @ejb:permission role-name="EchoCaller"
                            ---TestSessionBean.java

                            Regards Matthias

