1 Reply Latest reply on Jun 18, 2003 11:56 PM by etrio

    Jboss clientLoginModule authentication

    kep

      Jboss clientLoginModule authentication Posted: May 18, 2003 10:39 PM


      I am using JBoss 2.4.10 and have read about
      JAAS authentication and so forth.

      I have configured the sample client with
      auth.conf set up externally and inside Java,
      with
      - System.setProperty("java.security.auth.login.config","auth.conf");
      - AppCallbackHandler handler = new AppCallbackHandler("test", "test");
        LoginContext lc = new LoginContext("my-client", handler);
      all set up.

      JBoss allows me to log in successfully at all times.

      I output the login user/password param through the callback method with no problem,
      but practically, how do I make sure that those users not in the "list" can't log in to use my EJB?
      I can't find the match of users.properties and roles.properties with the LoginContext above.

      Anyone? BTW, thank you.

      Regards,
      Pete


      Re: Jboss clientLoginModule authentication Posted: May 21, 2003 5:35 AM

      I have made the JAAS authentication work with JBoss 2.4.10 by checking the user's principal against users.properties / roles.properties / my-client.properties.

      My EJB's META-INF jboss.xml file contains the below:


      <security-domain>java:/jaas/@security-domain@</security-domain>
      <enterprise-beans>
      ..
      ..

      It works only if I deploy the EJB directly into the deploy folder. When I log in with an invalid user ID or password, the JBoss server throws a SecurityException error.

      BUT if I start JBoss from the command prompt with the previous EJB already loaded in the deploy folder, then
      JBoss no longer authenticates against the user ID and password; even a wrong ID and/or password allows the client to invoke the bean. Why?

      Regards,
      Pete
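
Added example, not part of either post and not JBoss code: JBoss's ClientLoginModule performs no authentication itself, it only records the name and password so the server-side security domain can check them when the EJB is invoked, which is why the client login in the first post always succeeds. The JDK-only sketch below runs the same `LoginContext("my-client", handler)` call against a module that only collects credentials and against one that checks a user list. `PassThrough`, `Checking`, `USERS` and `tryLogin` are hypothetical names, and the user list is constructed.

```java
import java.util.*;
import javax.security.auth.Subject;
import javax.security.auth.callback.*;
import javax.security.auth.login.*;
import javax.security.auth.spi.LoginModule;
public class ClientVsServerLogin {
    static final Map<String, String> USERS = Collections.singletonMap("test", "test"); // constructed stand-in for users.properties
    // Hypothetical module: collects name/password and verifies nothing (client-side role).
    public static class PassThrough implements LoginModule {
        protected CallbackHandler handler; protected String user, pass;
        public void initialize(Subject s, CallbackHandler h, Map<String, ?> shared, Map<String, ?> opts) { handler = h; }
        public boolean login() throws LoginException {
            NameCallback n = new NameCallback("user");
            PasswordCallback p = new PasswordCallback("password", false);
            try { handler.handle(new Callback[] { n, p }); }
            catch (Exception e) { throw new LoginException(e.toString()); }
            user = n.getName();
            pass = p.getPassword() == null ? "" : new String(p.getPassword());
            return true; // always succeeds: nothing was compared against any user list
        }
        public boolean commit() { return true; }
        public boolean abort() { return true; }
        public boolean logout() { return true; }
    }
    // Hypothetical module: same collection step, then a check against USERS (server-side role).
    public static class Checking extends PassThrough {
        @Override public boolean login() throws LoginException {
            if (super.login() && pass.equals(USERS.get(user))) return true;
            throw new FailedLoginException("unknown user or wrong password");
        }
    }
    // Runs one login through LoginContext with the given module as the only REQUIRED entry.
    static boolean tryLogin(Class<? extends LoginModule> module, String u, String p) {
        AppConfigurationEntry entry = new AppConfigurationEntry(module.getName(),
            AppConfigurationEntry.LoginModuleControlFlag.REQUIRED, new HashMap<String, Object>());
        Configuration cfg = new Configuration() {
            public AppConfigurationEntry[] getAppConfigurationEntry(String name) { return new AppConfigurationEntry[] { entry }; }
        };
        CallbackHandler h = cbs -> {
            for (Callback c : cbs)
                if (c instanceof NameCallback) ((NameCallback) c).setName(u);
                else if (c instanceof PasswordCallback) ((PasswordCallback) c).setPassword(p.toCharArray());
        };
        try { new LoginContext("my-client", null, h, cfg).login(); return true; }
        catch (LoginException e) { return false; }
    }
    public static void main(String[] args) {
        for (String[] c : new String[][] { { "mallory", "x" }, { "test", "test" } })
            System.out.println(c[0] + ": pass-through=" + tryLogin(PassThrough.class, c[0], c[1]) + ", checking=" + tryLogin(Checking.class, c[0], c[1]));
    }
}
```

A successful client-side `login()` therefore says nothing about whether the server will accept the caller; the test that matters is whether the EJB call itself is rejected for a user who is not in the list.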