Cactus Testcases & JAAS Security
stupiddog Aug 17, 2003 4:19 PMI have developed some EJBs that are slightly secured (at the moment, they accept any authenticated user). I also have some Apache Cactus testcases, which get copied as servlets into the web application.
My jboss/client/auth.conf looks like this:
some-config {
org.jboss.security.auth.spi.IdentityLoginModule required
principal=cactus
roles=Adressat,EreignisquellenAdministrator,SystemAdministrator;
org.jboss.security.ClientLoginModule required
password-stacking="useFirstPass"
;
};
InformMeDomain {
org.jboss.security.ClientLoginModule required;
};
other {
// Example client auth.conf for using the SRPLoginModule
// org.jboss.srp.jaas.SRPLoginModule required
// password-stacking="useFirstPass"
// principalClassName="org.jboss.security.SimplePrincipal"
// srpServerJndiName="SRPServerInterface"
// debug=true
// ;
// org.jboss.security.auth.spi.UsersRolesLoginModule required;
// jBoss LoginModule
org.jboss.security.ClientLoginModule required;
// password-stacking="useFirstPass";
// Put your login modules that need jBoss here
};
The EJBs are secured in ejb-jar.xml like this:
...
<method-permission>
<ejb-name>LokalerAdressat</ejb-name>
<method-name>*</method-name>
</method-permission>
...
The security domain is set in jboss.xml:
<security-domain>java:/jaas/InformMeDomain</security-domain>
<enterprise-beans>
...
<ejb-name>LokalerAdressat</ejb-name>
<jndi-name>LokalerAdressatRemote</jndi-name>
<local-jndi-name>LokalerAdressat</local-jndi-name>
<ejb-local-ref>
<ejb-ref-name>ejb/SequenzLocalHome</ejb-ref-name>
<local-jndi-name>SequenzLocal</local-jndi-name>
</ejb-local-ref>
...
My jboss/server/default/conf/login-conf.xml looks like this:
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE policy PUBLIC "-//JBoss//DTD JBOSS Security Config 3.0//EN" "http://www.jboss.org/j2ee/dtd/security_config.dtd">
...
<application-policy name="client-login">
<login-module code="org.jboss.security.auth.spi.UsersRolesLoginModule" flag="required"/>
<login-module code="org.jboss.security.ClientLoginModule" flag="required">
</login-module>
</application-policy>
...
<application-policy name="InformMeDomain">
<login-module code="org.jboss.security.auth.spi.UsersRolesLoginModule" flag="required"/>
</application-policy>
...
In the same directory, I have set up users.properties and roles.properties.
In the testcase, I try to set up the connection like this:
public void setUp() throws Exception {
super.setUp();
// Anmeldung an JAAS
CallbackHandler handler = new MyHandler();
lc = new LoginContext("other", handler);
Subject subject;
try
{
// EXCEPTION GETS THROWN HERE:
lc.login();
subject = lc.getSubject();
log("authentication succeeded");
Iterator it = lc.getSubject().getPrincipals().iterator();
while(it.hasNext()) {
Object o = it.next();
System.out.println("principle: "+o.getClass().getName()+ " "+o);
}
}
catch(LoginException e)
{
log("authentication failed");
e.printStackTrace();
}
// DEBUG
InitialContext context = new InitialContext();
// Wer sind wir?
Object ref = context.lookup("LokalerAdressatRemote");
//In Home-Interface umwandeln
lokalerAdressatRemoteHome = (LokalerAdressatRemoteHome) PortableRemoteObject.narrow(ref, LokalerAdressatRemoteHome.class);
LokalerAdressatRemote lokalerAdressatRemote;
lokalerAdressatRemote = lokalerAdressatRemoteHome.create("vorname", "nachname", "passwort");
In the lc.login() line, the following exception occurs:
00:03:01,317 INFO [STDOUT] -- authentication failed
00:03:01,317 ERROR [STDERR] javax.security.auth.login.LoginException: Anmeldefehler: Alle Module werden ignoriert
00:03:01,317 ERROR [STDERR] at javax.security.auth.login.LoginContext.invoke(LoginContext.java:779)
00:03:01,317 ERROR [STDERR] at javax.security.auth.login.LoginContext.access$000(LoginContext.java:129)
00:03:01,317 ERROR [STDERR] at javax.security.auth.login.LoginContext$4.run(LoginContext.java:610)
00:03:01,317 ERROR [STDERR] at java.security.AccessController.doPrivileged(Native Method)
00:03:01,327 ERROR [STDERR] at javax.security.auth.login.LoginContext.invokeModule(LoginContext.java:607)
00:03:01,337 ERROR [STDERR] at javax.security.auth.login.LoginContext.login(LoginContext.java:534)
00:03:01,337 ERROR [STDERR] at de.fernunihagen.informme.tests.cactus.TestLokalerAdressatTestClientCactus1.setUp(TestLokalerAdressatTestClientCactus1.java:92)
"Anmeldefehler: Alle Module werden ignoriert" seems to be a localized error message from the JDK and means "Login error: All modules were ignored".
What am I doing wrong?
Greetings,
Andreas Buschka