1. Re: JBoss3.0 Authentication-Problem with Client
matthias Sep 13, 2002 9:56 AM (in response to matthias)
The problem is solved; I have added a property to the start script:
-Djava.security.auth.login.config=file://C:/JBoss/jboss-3.0.0_tomcat-4.0.3/client/auth.conf
regards Matthias Lakämper -
2. Re: JBoss3.0 Authentication-Problem with Client
bakerloo Sep 17, 2002 12:28 PM (in response to matthias)
Hi,
I've read the example in jboss\docs\jaas\howto and I was wondering how the method "Principal user = request.getUserPrincipal();" is able to retrieve the user's parameters (login and password). Should these be parameters of the servlet?
Thanks for help,
Nathalie -
3. Re: JBoss3.0 Authentication-Problem with Client
bakerloo Sep 17, 2002 12:48 PM (in response to matthias)
Hi,
This method request.getUserPrincipal() is used in SecureEJBServlet.java.
Thanks for help,
Nathalie -
4. Re: JBoss3.0 Authentication-Problem with Client
matthias Sep 17, 2002 1:44 PM (in response to matthias)
Hi,
At the moment, my test case uses a client application, not a servlet.
To see the actual user, for example in TestSessionBean.java, I have added the lines
Principal p = mContext.getCallerPrincipal();
System.out.println("callerPrincipal=" + p );
in a public function.
Is that your question?
Regards Matthias -
5. Re: JBoss3.0 Authentication-Problem with Client
bakerloo Sep 18, 2002 8:36 AM (in response to matthias)
Hi,
So, your client application checks if the password is correct for the given username (via the DatabaseServerLoginModule, which checks in the database whether the data are correct) and the Session Bean security declaration (in ejb-jar.xml) ensures that the user has the right (via the user's role) to call the Session Bean method.
Is that correct?
In fact, I've read some examples in other threads of this forum that use a login.jsp to log in to the database (using a ConfiguredIdentityLoginModule) and then call a Session Bean, which checks that the role of the user is correct. There is no check of the password. And I wondered if it was possible to check credentials in a servlet or a JSP via the DatabaseServerLoginModule, with a CallbackHandler for example.
Thanks,
Nathalie. -
10. Re: JBoss3.0 Authentication-Problem with Client
matthias Sep 19, 2002 12:56 PM (in response to matthias)
Hi Nathalie,
> So, your client application checks if the password is correct for the given username
> (via the DatabaseServerLoginModule that checks in the Database if data are correct)
> and the Session Bean security declaration (in ejb-jar.xml) ensures that the user has the
> right (via the user's role), to call the Session Bean method.
> Is that correct?
No, it's not exactly correct; the password is checked by JBoss.
I've made the following changes to activate security:
Add a new application-Policy
---server\default\conf\login-config.xml------------
<application-policy name="sample-domain">
  <authentication>
    <login-module code="org.jboss.security.auth.spi.UsersRolesLoginModule" flag="required">
      <module-option name="usersProperties">sample.users</module-option>
      <module-option name="rolesProperties">sample.roles</module-option>
    </login-module>
  </authentication>
</application-policy>
---server\default\conf\login-config.xml------------
Add a security-domain in jboss.xml
---jboss.xml---------------------------
<?xml version="1.0" encoding="UTF-8" ?>
<!DOCTYPE jboss (View Source for full doctype...)>
<security-domain>java:/jaas/sample-domain</security-domain> <!-- this line is important !!! -->
<enterprise-beans>
<ejb-name>test/TestBMPEntity</ejb-name>
<jndi-name>ejb/test/TestBMPEntity</jndi-name>
<ejb-name>test/TestEntity</ejb-name>
.
.
.
---jboss.xml---------------------------
Add the following doclet to TestSessionBean.java
---TestSessionBean.java
* @ejb:security-role-ref role-name="EchoCaller"
* role-link="Echo"
*
* @ejb:permission role-name="EchoCaller"
---TestSessionBean.java
Regards Matthias -