1 2 Previous Next 16 Replies Latest reply on Nov 25, 2003 3:23 AM by jimbrady

java client

radl01 Jul 2, 2003 11:35 AM

Hallo all,

I have a problem with ClientLoginModule. I code very simple SessionBean and very simple java client which should use ClientLoginModule to authenticate user.

Here are the config files on server-side

<container-configurations>
<container-configuration>
<container-name>Standard Stateful SessionBean</container-name>
<security-domain>java:/jaas/exa1</security-domain>
</container-configuration>
</container-configurations>
etc..

and login-config.xml

<application-policy name = "exa1">

<login-module code = "org.jboss.security.auth.spi.UsersRolesLoginModule"
flag = "required" />
<module-option name = "password-stacking">useFirstPass</module-option>
<module-option name = "unauthenticatedIdentity">nobody</module-option>
<module-option name = "debug">true</module-option>

</application-policy>

On client side I have auth.conf like this:
client-login {
// jBoss LoginModule
org.jboss.security.ClientLoginModule required
;

//password-stacking="useFirstPass"
// Put your login modules that need jBoss here
};

Short snap-shot of client app:
static class AppCallbackHandler implements CallbackHandler {
private String username;
private char[] password;
public AppCallbackHandler(String username, char[] password) {
this.username = username;
this.password = password;
}
public void handle(Callback[] callbacks) throws java.io.IOException,
UnsupportedCallbackException {
for (int i = 0; i < callbacks.length; i++) {
if (callbacks instanceof NameCallback) {
NameCallback nc = (NameCallback)callbacks;
nc.setName(username);
} else if (callbacks instanceof PasswordCallback) {
PasswordCallback pc = (PasswordCallback)callbacks;
pc.setPassword(password);
} else {
throw new UnsupportedCallbackException(callbacks, "Unrecognized Callback");
}
}
}
}

public static void main(String args[]) throws Exception {
if( args.length != 3 )
throw new IllegalArgumentException("Usage: username password example");

System.setErr(System.out);
String name = args[0];
char[] password = args[1].toCharArray();
String example = args[2];
System.out.println("+++ Running SessionClient with username="+name+", password="+args[1]+", example=
"+example);
try {
System.out.println("before new AppCalllback");
AppCallbackHandler handler = new AppCallbackHandler(name, password);
System.out.println("after new AppCalllback");
LoginContext lc = new LoginContext(example, handler);
System.out.println("Created LoginContext");
lc.login();
System.out.println(lc.toString());
System.out.println(lc.getSubject().toString());
} catch (LoginException le) {
System.out.println("Login failed");
le.printStackTrace();
}

try {
InitialContext ctx = new InitialContext();
Object objRef = ctx.lookup("ejb/Salary");
SalaryHome home = (SalaryHome)javax.rmi.PortableRemoteObject.narrow(objRef,

etc.

I run java client with this script:

#!/bin/sh

if [ "x$JBOSS_HOME" = "x" ]; then
JBOSS_HOME="/opt/jboss"
export JBOSS_HOME
fi

$JRE_HOME/bin/java -Djava.security.auth.login.config=auth.conf -classpath .:auth.conf:$JBOSS_HOME/client/jbossall-client.jar:./ejb_sample_client.jar:./ejb_first.jar com.client.SalaryClient "$@"

1. param is username
2. param is paasword
3. param is ID of ClientLoginModule ("client-login") that is spec. in auth.conf

Problem:
On server side I have principal equals to null => I=ve got exception like this:
2003-07-02 17:05:48,151 ERROR [org.jboss.ejb.plugins.LogInterceptor] EJBException, causedBy:
java.lang.SecurityException: Authentication exception, principal=null
at org.jboss.ejb.plugins.SecurityInterceptor.checkSecurityAssociation(SecurityInterceptor.java:162)
at org.jboss.ejb.plugins.SecurityInterceptor.invokeHome(SecurityInterceptor.java:81)
at org.jboss.resource.connectionmanager.CachedConnectionInterceptor.invokeHome(CachedConnectionInterceptor.java:215)
at org.jboss.ejb.plugins.StatefulSessionInstanceInterceptor.invokeHome(StatefulSessionInstanceInterceptor.java:128)
at org.jboss.ejb.plugins.AbstractTxInterceptor.invokeNext(AbstractTxInterceptor.java:88)
at org.jboss.ejb.plugins.TxInterceptorCMT.runWithTransactions(TxInterceptorCMT.java:243)
at org.jboss.ejb.plugins.TxInterceptorCMT.invokeHome(TxInterceptorCMT.java:74)
at org.jboss.ejb.plugins.LogInterceptor.invokeHome(LogInterceptor.java:120)
at org.jboss.ejb.plugins.ProxyFactoryFinderInterceptor.invokeHome(ProxyFactoryFinderInterceptor.java:93)
at org.jboss.ejb.StatefulSessionContainer.internalInvokeHome(StatefulSessionContainer.java:398)
at org.jboss.ejb.Container.invoke(Container.java:694)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
at java.lang.reflect.Method.invoke(Method.java:324)
at org.jboss.mx.capability.ReflectedMBeanDispatcher.invoke(ReflectedMBeanDispatcher.java:284)
at org.jboss.mx.server.MBeanServerImpl.invoke(MBeanServerImpl.java:549)
at org.jboss.invocation.jrmp.server.JRMPInvoker.invoke(JRMPInvoker.java:359)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
at java.lang.reflect.Method.invoke(Method.java:324)
at sun.rmi.server.UnicastServerRef.dispatch(UnicastServerRef.java:261)
at sun.rmi.transport.Transport$1.run(Transport.java:148)
at java.security.AccessController.doPrivileged(Native Method)
at sun.rmi.transport.Transport.serviceCall(Transport.java:144)
at sun.rmi.transport.tcp.TCPTransport.handleMessages(TCPTransport.java:460)
at sun.rmi.transport.tcp.TCPTransport$ConnectionHandler.run(TCPTransport.java:701)
at java.lang.Thread.run(Thread.java:536)

Pleas help !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!

Jan

1. Re: java client

petertje Jul 2, 2003 4:07 PM (in response to radl01)

Remove the password-stacking module option from your exa1 policy. You don't need it, and i think i've seen cases previously that were caused by this option...

Hth
Peter
Actions
2. Re: java client

radl01 Jul 3, 2003 3:02 AM (in response to radl01)

First thanks for your help.

I've tried what you said, but the result is the same.

Jan
Actions
3. Re: java client

radl01 Jul 3, 2003 5:22 AM (in response to radl01)

Sorry the exception was changed and now the principal is not null but empty (
Authentication exception, principal=
at org. jbos.....
)

Jan
Actions
4. Re: java client

radl01 Jul 3, 2003 8:29 AM (in response to radl01)

Now It's OK

Tahnks

Jan
Actions
5. Re: java client

philippeback Jul 3, 2003 7:00 PM (in response to radl01)

I have the exact same problem but after 2 days of messing with docs, groups and files, I cannot find the reason why.

How did you solved the issue ?

Sample files welcome etc.

Thanks in advance,

/Phil
Actions
6. Re: java client

radl01 Jul 4, 2003 1:46 AM (in response to radl01)

Hi Phil,

as attachement I send you my short example of configuration files and client-java app.

Good luck

Jan
Actions
7. Re: java client

philippeback Jul 4, 2003 2:09 AM (in response to radl01)

I've had a look at the sample.
I was not too far and this helps tremendously.

Thanks a lot for your quick answer !

I try it today and post my own version too.
Actions
8. Re: java client

philippeback Jul 5, 2003 5:37 AM (in response to radl01)

I tried the sample and it goes trough the whole stack down to the EJB.

... but...

I f I give a wrong username and/or password

... it goes trough too.

So, the configuration is recognized but the principal is not used.

Do your have the same behavior ?

Here is the output (from my ant run)

[java] before new AppCalllback
[java] after new AppCalllback
[java] Created LoginContext
[java] javax.security.auth.login.LoginContext@f4fb3
[java] Subject(Principals{}PublicCredentials{}PrivateCredentials{count=0})
[java] 0
[java] Got a context
[java] Lookup done
[java] Got a home
[java] Result:Hello Phil
Actions
9. Re: java client

fbdoliv Jul 6, 2003 5:49 PM (in response to radl01)

Hello list!!!

I'm trying yours examples, but nothing work!!!
I'm using ClientLoginModule, for client authentication, but I relly want to do by a database.

my auth.conf:
client-login {

// JBoss LoginModule
org.jboss.security.ClientLoginModule required
;
// Put your login modules that need JBoss here
};

my login-config.xml:
<application-policy name = "client-login">

<login-module code = "org.jboss.security.ClientLoginModule" flag = "required">
<module-option name = "unauthenticatedIdentity">nobody</module-option>
</login-module>

</application-policy>

<application-policy name = "MSSQLDbRealm">

<login-module code = "org.jboss.resource.security.ConfiguredIdentityLoginModule" flag = "sufficient">
<module-option name = "principal">bernauer</module-option>
<module-option name = "userName">bernauer</module-option>
<module-option name = "password">1234</module-option>
<module-option name = "roles">admin</module-option>
<module-option name = "managedConnectionFactoryName">jboss.jca:service=LocalTxCM,name=MSSQLDS</module-option>
</login-module>
<login-module code ="org.jboss.security.auth.spi.DatabaseServerLoginModule" flag = "required">
<module-option name="dsJndiName">java:/MSSQLDS</module-option>
<module-option name="principalsQuery">select PASSWD from USER_PROFILE where USERNAME=?</module-option>
<module-option name="rolesQuery">select USER_ROLE, 'Roles' from USER_ROLE where USERNAME=?</module-option>
<module-option name = "managedConnectionFactoryName">jboss.jca:service=LocalTxCM,name=MSSQLDS</module-option>
<module-option name = "unauthenticatedIdentity">nobody</module-option>
</login-module>

</application-policy>

How the docs say, the client app will authenticate by ClientLoginModule, and when do a call to a EJB, the username and pass will be authenticated in the DB. But I have the message:

Insufficient method permissions, principal=bernauer, method=create, interface=HOME, requiredRoles=[admin], principalRoles=null

How you can see, the roles are null.

Please Help!!!
And sorry my bad English.....

Thanks!
Actions
10. Re: java client

haraldgliebe Jul 6, 2003 6:53 PM (in response to radl01)

Hi,

your auth.conf is ok. Remove the first login-module entry (with org.jboss.resource.security.ConfiguredIdentityLoginModule) from your login-config.xml. This ConfiguredIdentityModule will always return the configured Principal "bernauer" with no roles, the option "roles" isn't recognized by this module. Since the login with this module always succeds and it has flag="sufficient" the database module isn't called at all.
So remove this login-module and try again.

Regards,
Harald
Actions
11. Re: java client

fbdoliv Jul 6, 2003 7:47 PM (in response to radl01)

Thanks, Harald, for your help, but....

if I remove this login-module, the container can't create the new tables. These username and password are the same for the database admin...

I believe that I make a mistake, but this work for me. Exist another way to do this?
My mssql-service.xml, if can help:












MSSQLDbRealm
<depends optional-attribute-name="ManagedConnectionFactoryName">


MSSQLDS


<config-property name="ConnectionURL" type="java.lang.String">jdbc:jtds:sqlserver://192.168.0.11:1433;DatabaseName=BernauerCRM</config-property>
<config-property name="DriverClass" type="java.lang.String">net.sourceforge.jtds.jdbc.Driver</config-property>

<config-property name="UserName" type="java.lang.String">bernauer</config-property>
<config-property name="Password" type="java.lang.String">1234</config-property>



<depends optional-attribute-name="OldRarDeployment">jboss.jca:service=RARDeployment,name=JBoss LocalTransaction JDBC Wrapper

<depends optional-attribute-name="ManagedConnectionPool">


0
50
5000
15

ByContainer

<depends optional-attribute-name="CachedConnectionManager">jboss.jca:service=CachedConnectionManager

<depends optional-attribute-name="JaasSecurityManagerService">jboss.security:service=JaasSecurityManager

java:/TransactionManager

jboss.jca:service=RARDeployer

And thanks again, for you help!!!!
Actions
12. Re: java client

haraldgliebe Jul 6, 2003 8:06 PM (in response to radl01)

Ok, I see, this ConfiguredIdentityModule ist used to specify the db user for MsSQL Server. In that case you shouldn't put the DBLoginModule into that application-configuration in the login-config.xml. Create a new application-configuration with a different name and move the DatabaseServerLoginModule to this configuration.
You'll also have to update the jboss.xml for your EJBs and specify this configuration as security-domain:

<security-domain>java:/jaas/<name of the configuration</security-domain>
...

Regards,
Harald
Actions
13. Re: java client

fbdoliv Jul 6, 2003 9:23 PM (in response to radl01)

Thanks!!! It's working!!!!!

I will help all people with the same problem, I promise!!!

Thanks! Thanks! Thanks!
Yupeee!!!!
Actions
14. Re: java client

radl01 Jul 7, 2003 2:51 AM (in response to radl01)

I've made a mistake in my login-config.xml.

Here is a new one:
<application-policy name = "other">

<login-module code = "org.jboss.security.auth.spi.UsersRolesLoginModule"
flag = "required">
<module-option name = "password-stacking">useFirstPass</module-option>
<module-option name = "unauthenticatedIdentity">nobody</module-option>
<module-option name = "debug">true</module-option>
</login-module> !!!! here was the mistake

</application-policy>

Or you can use DB LoginModule
<application-policy name = "exa2">

<login-module code="org.jboss.security.auth.spi.DatabaseServerLoginModule"
flag = "required">
<module-option name = "dsJndiName">java:/jdbc/FB/eimsprod</module-option>
<module-option name = "principalsQuery">select usr_password from tab02300 where usr_login=?</module-option>
<module-option name = "rolesQuery">select c.grp_label, 'Roles' from tab02300 a, tab00420 b, tab00400 c where a.usr_login=? and a.per_id=b.per_id and b.grp_id=c.grp_id</module-option>
<module-option name = "unauthenticatedIdentity">nobody</module-option>
<module-option name = "password-stacking">useFirstPass</module-option>
</login-module>

</application-policy>

I hope it helps you.

Jan
Actions

1 2 Previous Next

Go to original post