4 Replies Latest reply on Sep 21, 2004 5:19 AM by ivlcic

    HTTP invoker and BASIC authentication

    ejain

      Is there any way to set a username and password when using the HTTP invoker? On the server side, I can of course set any restrictions in the web.xml file, but what to do on the client side?

      java.naming.factory.initial=org.jboss.naming.HttpNamingContextFactory
      java.naming.factory.url.pkgs=org.jboss.naming:org.jnp.interfaces
      java.naming.provider.url=https://xyz:8443/invoker/JNDIFactory

      context.lookup("something")

      -> javax.naming.NamingException: Failed to retrieve Naming interface. Root exception is java.io.IOException: Server returned HTTP response code: 401 for URL: https://xyz:8443/invoker/JNDIFactory

        • 1. Re: HTTP invoker and BASIC authentication

          Try this:

          import org.jboss.security.SecurityAssociation;
          import org.jboss.security.SimplePrincipal;
          import javax.naming.InitialContext;
          import javax.naming.Context;
          import java.util.Properties;

          ....
          Properties properties = new Properties();
          properties.put(Context.INITIAL_CONTEXT_FACTORY, "org.jboss.naming.HttpNamingContextFactory");
          properties.put(Context.URL_PKG_PREFIXES, "org.jboss.naming:org.jnp.interfaces");
          properties.put(Context.PROVIDER_URL, "http://192.168.0.17:8080/invoker/JNDIFactory");

          // Bind the credentials the HTTP invoker's Authenticator will send as BASIC auth
          SecurityAssociation.setCredential(password);
          SecurityAssociation.setPrincipal(new SimplePrincipal(user));

          InitialContext ctx = new InitialContext(properties);


          Put jbossall-client.jar in the classpath.

          config/login-config.xml
          <application-policy name = "http-invoker">
            <authentication>
              <login-module code = "org.jboss.security.ClientLoginModule"
                flag = "required">
              </login-module>
              <login-module code = "org.jboss.security.auth.spi.DatabaseServerLoginModule"
                flag = "required">
                <module-option name = "unauthenticatedIdentity">guest</module-option>
                <module-option name = "dsJndiName">java:/MySQL-DS</module-option>
                <module-option name = "principalsQuery">SELECT passwd FROM jms_users WHERE name=?</module-option>
                <module-option name = "rolesQuery">SELECT jms_roles.name, 'Roles' FROM users_roles JOIN jms_roles ON jms_roles.id = users_roles.id_role JOIN jms_users ON jms_users.id = users_roles.id_user WHERE jms_users.name=?</module-option>
              </login-module>
            </authentication>
          </application-policy>



          deploy/http-invoker.sar/invoker.war/WEB-INF/web.xml
          <security-constraint>
            <web-resource-collection>
              <web-resource-name>HttpInvokers</web-resource-name>
              <description>An example security config that only allows users with the
                role HttpInvoker to access the HTTP invoker servlets
              </description>
              <url-pattern>/*</url-pattern>
              <http-method>GET</http-method>
              <http-method>POST</http-method>
            </web-resource-collection>
            <auth-constraint>
              <role-name>topic-manager</role-name>
            </auth-constraint>
          </security-constraint>
          <login-config>
            <auth-method>BASIC</auth-method>
            <realm-name>JBoss HTTP Invoker</realm-name>
          </login-config>

          <security-role>
            <role-name>topic-manager</role-name>
          </security-role>


          deploy/http-invoker.sar/invoker.war/WEB-INF/jboss-web.xml
          <jboss-web>
            <security-domain>java:/jaas/http-invoker</security-domain>
          </jboss-web>


          The thing is that org.jboss.naming.HttpNamingContextFactory uses "org.jboss.invocation.http.interfaces.Util", which sets "java.net.Authenticator.setDefault()" with "org.jboss.invocation.http.interfaces.Util$SetAuthenticator", which uses "org.jboss.security.SecurityAssociationAuthenticator", which needs "org.jboss.security.SecurityAssociation", which holds the Credential and Principal objects.

          But you might have some problems with SSL.

          P.S. It took me 2 days to come up with these lines (I guess I have an IQ problem :-)

          • 2. Re: HTTP invoker and BASIC authentication

            Forgot to mention: also include in the classpath:

            /opt/jboss/server/default/lib/jbosssx.jar

            • 3. Re: HTTP invoker and BASIC authentication
              starksm64

              You do a JAAS login using the LoginContext class the same as every other client side security use case in jboss. Direct use of SecurityAssociation is an unsupported usage.

              • 4. Re: HTTP invoker and BASIC authentication

                Thanks and my apologies. Here is the correction of the client side:

                client auth.conf

                client-http-invoker {
                  org.jboss.security.ClientLoginModule required;
                };



                simple login handler class (taken from JAAS sticky/documentation):
                import javax.security.auth.callback.CallbackHandler;
                import javax.security.auth.callback.Callback;
                import javax.security.auth.callback.NameCallback;
                import javax.security.auth.callback.PasswordCallback;
                import javax.security.auth.callback.UnsupportedCallbackException;
                import java.io.IOException;

                // Hands the user name and password to whatever login module asks for them
                public class LoginHandler implements CallbackHandler {

                  private String username;
                  private String password;

                  public LoginHandler(String username, String password) {
                    this.password = password;
                    this.username = username;
                  }

                  public void handle(Callback[] callbacks)
                      throws IOException, UnsupportedCallbackException {
                    for (int j = 0; j < callbacks.length; j++) {
                      if (callbacks[j] instanceof NameCallback) {
                        NameCallback nc = (NameCallback) callbacks[j];
                        nc.setName(this.username);
                      } else if (callbacks[j] instanceof PasswordCallback) {
                        PasswordCallback pc = (PasswordCallback) callbacks[j];
                        pc.setPassword(this.password.toCharArray());
                      } else {
                        // Any other callback type is not something this handler can answer
                        throw new UnsupportedCallbackException(callbacks[j], "Unsupported callback");
                      }
                    }
                  }
                }


                client.java:
                import javax.naming.InitialContext;
                import javax.naming.Context;
                import javax.security.auth.login.LoginContext;
                import java.util.Properties;

                ....

                Properties properties = new Properties();
                properties.put(Context.INITIAL_CONTEXT_FACTORY, "org.jboss.naming.HttpNamingContextFactory");
                properties.put(Context.URL_PKG_PREFIXES, "org.jboss.naming:org.jnp.interfaces");
                properties.put(Context.PROVIDER_URL, "http://192.168.0.17:8080/invoker/JNDIFactory");

                // "client-http-invoker" must match the entry name in auth.conf
                LoginHandler lh = new LoginHandler(user, password);
                LoginContext lctx = new LoginContext("client-http-invoker", lh);
                lctx.login();   // ClientLoginModule binds the identity used for BASIC auth

                InitialContext ctx = new InitialContext(properties);

                ....


                client VM parameters:
                -Djava.security.auth.login.config=auth.conf


                The server configuration remains the same.

                I'm also not certain that "org.jboss.security.ClientLoginModule" is the correct one, but nevertheless this works...

                But "jbosssx.jar" is still needed in the classpath due to "org.jboss.security.GetPrincipalInfoAction" and its dependencies.

                I'm not sure why this isn't part of "jbossall-client.jar"; maybe I didn't read the required docs again and the above code is not correct.

                Sorry, I didn't read the JAAS sticky/documentation due to a limited time frame.
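Putting the thread's final answer together: the following is an added, complete client (not code from any of the posters or from the JBoss project) that does the JAAS login with ClientLoginModule, performs the lookup through the HTTP invoker over HTTPS as in the original question, and logs out again so the thread-bound credentials do not outlive the call. It assumes the auth.conf entry "client-http-invoker" from reply 4, that jbossall-client.jar and jbosssx.jar are on the classpath, and reads the user name and password from system properties rather than hard-coding them; the host "xyz" and the default JNDI name "queue/A" are placeholders.

```java
import java.io.IOException;
import java.util.Arrays;
import java.util.Properties;
import javax.naming.Context;
import javax.naming.InitialContext;
import javax.naming.NamingException;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.NameCallback;
import javax.security.auth.callback.PasswordCallback;
import javax.security.auth.callback.UnsupportedCallbackException;
import javax.security.auth.login.LoginContext;
import javax.security.auth.login.LoginException;

/**
 * Added example: JAAS login + JNDI lookup through the JBoss HTTP invoker.
 *
 * Run with (auth.conf as in reply 4 of the thread):
 *   java -Djava.security.auth.login.config=auth.conf \
 *        -Dinvoker.user=alice -Dinvoker.password=... HttpInvokerClient [jndiName]
 */
public class HttpInvokerClient {

    /** JAAS application name; must match the entry name in auth.conf. */
    static final String JAAS_APP = "client-http-invoker";

    /** Placeholder provider URL (HTTPS variant from the original question). */
    static final String PROVIDER_URL = "https://xyz:8443/invoker/JNDIFactory";

    /** Supplies name and password to ClientLoginModule and rejects anything else. */
    static final class CredentialsHandler implements CallbackHandler {
        private final String username;
        private final char[] password;

        CredentialsHandler(String username, char[] password) {
            this.username = username;
            this.password = password;
        }

        public void handle(Callback[] callbacks)
                throws IOException, UnsupportedCallbackException {
            for (Callback cb : callbacks) {
                if (cb instanceof NameCallback) {
                    ((NameCallback) cb).setName(username);
                } else if (cb instanceof PasswordCallback) {
                    // PasswordCallback clones the array, so our copy can be wiped afterwards
                    ((PasswordCallback) cb).setPassword(password);
                } else {
                    throw new UnsupportedCallbackException(cb, "unexpected callback type");
                }
            }
        }
    }

    /** Builds the JNDI environment the thread shows, with the HTTPS provider URL. */
    static Properties invokerEnvironment() {
        Properties env = new Properties();
        env.put(Context.INITIAL_CONTEXT_FACTORY, "org.jboss.naming.HttpNamingContextFactory");
        env.put(Context.URL_PKG_PREFIXES, "org.jboss.naming:org.jnp.interfaces");
        env.put(Context.PROVIDER_URL, PROVIDER_URL);
        return env;
    }

    public static void main(String[] args) throws LoginException, NamingException {
        String user = System.getProperty("invoker.user");
        String pw = System.getProperty("invoker.password");
        if (user == null || pw == null) {
            throw new IllegalStateException("set -Dinvoker.user and -Dinvoker.password");
        }
        char[] password = pw.toCharArray();
        String jndiName = args.length > 0 ? args[0] : "queue/A";  // placeholder name

        LoginContext lc = new LoginContext(JAAS_APP, new CredentialsHandler(user, password));
        lc.login();  // ClientLoginModule binds the identity the invoker sends as BASIC auth
        try {
            Context ctx = new InitialContext(invokerEnvironment());
            try {
                Object ref = ctx.lookup(jndiName);
                System.out.println("lookup ok: " + ref.getClass().getName());
            } finally {
                ctx.close();
            }
        } catch (NamingException e) {
            // A 401 from the invoker servlet surfaces here as the root cause, as in the question
            System.err.println("lookup failed: " + e.getMessage());
            throw e;
        } finally {
            lc.logout();                  // drop the thread-bound principal/credential
            Arrays.fill(password, '\0');  // do not leave the password in memory
        }
    }
}
```

The logout in the finally block matters because ClientLoginModule associates the identity with the calling thread; in a pooled-thread application a forgotten logout lets later work on that thread run under the wrong user. Using the HTTPS provider URL keeps the BASIC credentials off the wire in clear text, which the http://192.168.0.17:8080 example in the replies does not.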