5 Replies Latest reply on Mar 18, 2003 12:02 PM by aweissman

    Undesirable Authentication "Feature"

    aweissman

      I have configured a simple case with JBoss in one JVM and Tomcat in another. JBoss is configured to use the LDAPLoginModule and is using this quite correctly, as proven by a small test client. JBoss has one SessionBean deployed in it which has method level permissions set on it.

      Tomcat is correctly configured to use my auth.conf and the ClientLoginModule, and uses a callbackhandler that I wrote to authenticate. I have two pages in tomcat: login.jsp (performs login using the clientLoginModule) and invoke.jsp (does a JNDI lookup and invokes a method on an EJB inside JBoss). If I try to access invoke.jsp without logging in, I get a securityexception (this is good) which goes away if I hit login.jsp first (this is also good). However, if I go to login.jsp and a DIFFERENT client on a DIFFERENT machine goes to invoke.jsp, that client is authenticated, and can invoke the EJB method.

      Is there a way around this? I HOPE so!

        • 1. Re: Undesirable Authentication "Feature"

          This is caused by the fact that the ClientLoginModule associates the security context with the current thread, and Tomcat uses thread pooling for serving requests. Other symptoms are that the client that is logged in sometimes appears not to be logged in either (because it is served by a different thread).
          The solution is to do a JAAS login for each request. More explanation and code samples can be found at http://www.luminis.nl/publications/websecurity.html

          Hth
          Peter.
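One way to do the per-request login Peter describes, as an added example (not code from this thread, from the luminis.nl article, or the SecurityContextFilter mentioned later): a servlet Filter that runs the JAAS login before the request is served and logs out in a finally block, so the ClientLoginModule's thread-bound context is gone before the pooled thread serves anyone else. It assumes login.jsp stored the username and password in the HttpSession under the attribute names "username" and "password", and that auth.conf has an application entry named "client-login"; both names are assumptions.

```java
import java.io.IOException;
import javax.security.auth.callback.*;
import javax.security.auth.login.LoginContext;
import javax.security.auth.login.LoginException;
import javax.servlet.*;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpSession;

// Performs the JAAS login for every request and logs out again when it ends.
public class PerRequestJaasLoginFilter implements Filter {
    private static final String JAAS_APP = "client-login"; // entry in auth.conf (assumed name)
    public void init(FilterConfig config) {}
    public void destroy() {}

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        // Credentials stored by login.jsp; the session attribute names are assumed.
        HttpSession session = ((HttpServletRequest) req).getSession(false);
        String user = session == null ? null : (String) session.getAttribute("username");
        char[] pass = session == null ? null : (char[]) session.getAttribute("password");
        LoginContext lc = null;
        if (user != null && pass != null) {
            try {
                // ClientLoginModule only binds the credentials to this pooled thread;
                // JBoss checks them when the EJB method is actually invoked.
                lc = new LoginContext(JAAS_APP, new SessionCallbackHandler(user, pass));
                lc.login();
            } catch (LoginException e) {
                throw new ServletException("JAAS login failed for " + user, e);
            }
        }
        try {
            chain.doFilter(req, res);
        } finally {
            // Clear the thread-bound context before the thread returns to the pool,
            // so the next request served on this thread cannot inherit this caller.
            if (lc != null) {
                try { lc.logout(); } catch (LoginException ignored) { }
            }
        }
    }

    // Answers the login module's name/password callbacks from the session values.
    private static final class SessionCallbackHandler implements CallbackHandler {
        private final String user; private final char[] pass;
        SessionCallbackHandler(String user, char[] pass) { this.user = user; this.pass = pass; }
        public void handle(Callback[] callbacks) throws UnsupportedCallbackException {
            for (Callback cb : callbacks) {
                if (cb instanceof NameCallback) ((NameCallback) cb).setName(user);
                else if (cb instanceof PasswordCallback) ((PasswordCallback) cb).setPassword(pass);
                else throw new UnsupportedCallbackException(cb);
            }
        }
    }
}
```

A request with no session, or no stored credentials, runs without any login, so invoke.jsp still fails with the SecurityException the original post describes instead of borrowing another user's context.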

          • 2. Re: Undesirable Authentication "Feature"
            aweissman

            Thanks Peter for all the help and explanation.

            • 3. Re: Undesirable Authentication "Feature"
              aweissman

              Hey Peter - I assume you got all this working...
              The only part I couldn't get is to have the web tier perform a JAAS login. Right now, any credentials will get you in, even though only the correct credentials will allow you to invoke EJB methods.

              I can't find any correlation between the JAAS application specified in SecurityContextFilter, the one specified in auth.conf, and the one in login-config.xml in JBoss. Do you have any insight on how this should work?

              Thanks in advance,
              Alan

                • 5. Re: Undesirable Authentication "Feature"
                  aweissman

                  Forgot to mention....
                  I think that the web's initial JAAS login is not really being performed, because nowhere do I specify where the JBoss server is that it needs to perform the login on!