4 Replies Latest reply on Nov 7, 2002 10:51 AM by pdhar

    ClientLoginServlet JBoss example - does it work ?

    pdhar

      Hi,
      I am using jboss-3.0.2_tomcat-4.0.4 and implemented an
      unsecured servlet which calls a secured Stateless Session Bean. I also have a similar secured servlet using JAAS Authentication-FormLogin calling the EJB. The secured servlet using FormLogin can call the secured EJB and works, while the unsecured servlet using LoginContext.login() is not able to execute the session bean methods.
      I am using the ClientLoginServlet.java example from the JBoss source code.

      // Authenticate against the named security domain; the caller must logout() the
      // returned LoginContext when done so the identity does not stay bound to the thread.
      private LoginContext doLogin(String username, String password)
      throws LoginException {
          UsernamePasswordHandler handler =
              new UsernamePasswordHandler(username, password.toCharArray());
          LoginContext lc = new LoginContext("IDSCONF-REALM", handler);
          lc.login();
          return lc;
      }

      UNSECURED -
      LoginContext lc = null;
      try {
          lc = doLogin("admin", "admin22");
          log.info("Login Successful");
          InstanceConfigSvcDelegate ic = new InstanceConfigSvcDelegate(); // calls the remote interface using delegate
          String[] ins = ic.getAllInstances();
          for (int i = 0; i < ins.length; i++) {
              out.println(ins[i]); // was ins + "", which printed the array reference, not the element
          }
      } catch (LoginException e) {
          e.printStackTrace(out);
      } catch (InstanceConfigException e) {
          e.printStackTrace(out);
      } finally {
          // always clear the caller identity from this (pooled) request thread
          if (lc != null) {
              try {
                  lc.logout();
              } catch (LoginException e) {
              }
          }
      }

      The problem I am getting is shown below, although I have users.properties/roles.properties in the WEB-INF/classes directory, which work well with a secured servlet calling a secured session bean.

      22:36:13,947 INFO [idsconfServlet] Login Successful
      22:36:13,968 ERROR [UsersRolesLoginModule] Failed to load users/passwords/role files
      java.io.IOException: Properties file users.properties not found
      at org.jboss.security.auth.spi.UsersRolesLoginModule.loadProperties(UsersRolesLoginModule.java:212)
      at org.jboss.security.auth.spi.UsersRolesLoginModule.loadUsers(UsersRolesLoginModule.java:193)
      at org.jboss.security.auth.spi.UsersRolesLoginModule.initialize(UsersRolesLoginModule.java:95)
      at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
      at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
      at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
      at java.lang.reflect.Method.invoke(Method.java:324)

      I would like to know if anyone has come across this situation and know any workarounds.

      Thanks,

      Pranab

        • 1. Re: ClientLoginServlet JBoss example - does it work ?
          pdhar

          The Thread Context ClassLoader of the servlet is able to load the users/roles.properties files. I believe that the EJBs are loaded by a different classloader, which apparently has no clue about the webapp/servlet classloader classpath when the authentication is done from an unsecured servlet instead of using the authentication mechanism of the servlet container and the realm mapping between the servlet and EJB containers.

          • 2. Re: ClientLoginServlet JBoss example - does it work ?
            gwoodward

            Hi:

            So did you get this to work? I am experiencing the same problem. I am logging in explicitly within a servlet, but then subsequent calls to my EJB methods throw authentication exceptions.

            Thanks,
            Greg

            • 3. Re: ClientLoginServlet JBoss example - does it work ?
              pdhar

              I have not been able to get it to work yet. However I have come across more info on the "ClientLoginModule", which is supposed to set the principal/credential with the subject. The JBoss documentation says:
              "The ClientLoginModule is an implementation of LoginModule for use by JBoss clients for
              the establishment of the caller identity and credentials. This simply sets the
              org.jboss.security.SecurityAssociation.principal to the value of the NameCallback filled in by
              the CallbackHandler, and the org.jboss.security.SecurityAssociation.credential to the value
              of the PasswordCallback filled in by the CallbackHandler. This is the only supported
              mechanism for a client to establish the current thread's caller. Both stand-alone client
              applications and server environments, acting as JBoss EJB clients where the security
              environment has not been configured to use JBossSX transparently, need to use the
              ClientLoginModule. Of course, you could always set the
              org.jboss.security.SecurityAssociation information directly, but this is considered an internal
              API that is subject to change without notice."

              So after adding the module in the security-domain/realm in login-config.xml
              (the <authentication> wrapper element, which the login-config.xml DTD requires around the login-module entries, is restored here):

              <application-policy name = "IDSCONF-REALM">
                  <authentication>
                      <login-module code = "org.jboss.security.auth.spi.UsersRolesLoginModule"
                                    flag = "required">
                          <module-option name = "unauthenticatedIdentity">guest</module-option>
                      </login-module>
                      <login-module code = "org.jboss.security.ClientLoginModule" flag = "required">
                      </login-module>
                  </authentication>
              </application-policy>

              I am getting the following exceptions:
              Type :com.ids.delegates.InstanceConfigException: java.rmi.ServerException: EJBException:; nested exception is: javax.ejb.EJBException: checkSecurityAssociation; CausedByException is: Authentication exception, principal=admin Message :java.rmi.ServerException: EJBException:; nested exception is: javax.ejb.EJBException: checkSecurityAssociation; CausedByException is: Authentication exception, principal=admin

              The only difference from the previous setup, where ClientLoginModule was not used, is that my principal=null is not happening any more, but the SecurityAssociation is not happening.
              I have to look into the JBoss code to see what's going on.

              • 4. Re: ClientLoginServlet JBoss example - does it work ?
                pdhar

                Some details about what actually came in the log in the above scenario.
                2002-11-06 16:44:56,643 ERROR [org.jboss.security.auth.spi.UsersRolesLoginModule] Failed to load users/passwords/role files
                java.io.IOException: Properties file users.properties not found
                at org.jboss.security.auth.spi.UsersRolesLoginModule.loadProperties(UsersRolesLoginModule.java:212)
                at org.jboss.security.auth.spi.UsersRolesLoginModule.loadUsers(UsersRolesLoginModule.java:193)
                at org.jboss.security.auth.spi.UsersRolesLoginModule.initialize(UsersRolesLoginModule.java:95)
                at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)

                It is the UsersRolesLoginModule which croaked. The scenario is quite complicated.
                1. I used the client to authenticate against the "client-login" domain/realm, which uses the ClientLoginModule to pass the Principal and the Credential and associate them with the Subject. That is where I got the "Principal=admin" setup, since I used the "client-login" realm.
                2. The EJBs are secured against the "IDSCONF-REALM" domain/realm and it expects the client to authenticate in that realm. So using the "client-login" realm for authentication is not an option.
                3. Now I added ClientLoginModule with UsersRolesLoginModule in the IDSCONF-REALM definition and set both of them required. The first one being the UsersRolesLoginModule and the second one the ClientLoginModule with firstpass set.
                4. Since the first module's classloader is stupid that it can't find the users.properties/roles.properties, I wonder which classloader is being used. At this moment I don't know when/where the classloader switch between Catalina and JBoss happens, because I am sure the JBoss classloader has no clue about the property file existing in WEB-INF/classes, or it is not delegating some classloading responsibilities to the Catalina classloader. This does not happen when Catalina delegates authentication to JBossSX modules internally in a secured environment.
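One way to arrange the two domains the thread keeps running into, as an added login-config.xml example that is not from this thread or from JBoss's own shipped configuration: the servlet's LoginContext logs in against "client-login" (ClientLoginModule, which only records the caller on the thread), and the EJBs stay secured against "IDSCONF-REALM" (UsersRolesLoginModule, run by the EJB container). Packaging the property files in the EJB jar so the EJB deployment's classloader can load them is an assumption about where that classloader looks, not something the thread confirmed.

```xml
<!-- login-config.xml excerpt: added example, not from the thread -->
<policy>

  <!-- Domain for the servlet's LoginContext. ClientLoginModule does not verify
       anything; it only binds principal/credential to the current thread, which
       is why the servlet must logout() in finally on a pooled request thread. -->
  <application-policy name = "client-login">
    <authentication>
      <login-module code = "org.jboss.security.ClientLoginModule" flag = "required">
      </login-module>
    </authentication>
  </application-policy>

  <!-- Domain the EJBs are secured against. The EJB container runs this module
       when the bean is invoked, so users.properties / roles.properties must be
       loadable by the EJB deployment's classloader (assumed: packaged in the EJB
       jar), not only from the web app's WEB-INF/classes.
       No unauthenticatedIdentity here: with it, a caller presenting no credentials
       would be mapped to "guest" instead of being rejected. -->
  <application-policy name = "IDSCONF-REALM">
    <authentication>
      <login-module code = "org.jboss.security.auth.spi.UsersRolesLoginModule"
                    flag = "required">
      </login-module>
    </authentication>
  </application-policy>

</policy>
```

With this split, the servlet's doLogin() would name "client-login" rather than "IDSCONF-REALM", and the "Properties file users.properties not found" error points at the EJB-side classpath rather than the web app's.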