12 Replies Latest reply on Feb 10, 2004 11:14 AM by neutro

    Log-In-Problem using a LoginEJB and a Custom LoginModule

    neutro

      Hi there
      I am using JBoss 3.2.3.

      I have to secure beans, so far no problem.

      The client will be a standalone java app. I can't use the auth.conf file to tell the client which LoginModule to use.

So I wrote an unsecured EJB in which I create the LoginContext and do login and so on. Still no problem. Because I need more information about the user which I store in a properties object I wrote my own LoginModule (which extends AbstractServerLoginModule) and my own CallbackHandler. And it works.

Now I want to call the secured bean as the subject returned from my custom PropertiesLoginModule (I receive the subject from my LoginEJB which simply returns LoginContext.getSubject()).
Then I try
Subject.doAs(s, new PrivilegedAction()
{
    public Object run()
    {
        // calling secured EJB
        return null;
    }
});
      where s is the returned subject. If I call System.out.println(s) I get:
      Betreff:
      Principal: sep
      Principal: Roles(members:JBossAdmin)

      I guess this is all right so far.

      but from the Subject.doAs method I get an Exception:
      Insufficient method permissions, principal=null, method=create, interface=HOME, requiredRoles=[], principalRoles=null

      So something has gone wrong, I think.

      Now I tried this:
      SecurityAssociation.setSubject(s);
      SecurityAssociation.setPrincipal((Principal)s.getPrincipals().toArray()[0]);

      which made the following Exception:
      Insufficient method permissions, principal=sep, method=create, interface=HOME, requiredRoles=[], principalRoles=null

      So I think I have to set the Roles, can anybody help me with this, or am I completely wrong with my approach?

      I tried to call
      SecurityAssociation.pushRunAsRole(new SimplePrincipal("JBossAdmin"));
      but this doesn't change anything although
SecurityAssociation.peekRunAsRole() returned the right thing (a SimplePrincipal with "JBossAdmin" as name).

      So now I don't have a clue how to continue.

      Would be glad if someone could help me, because reading almost all entries in this forum didn't help me in this case.

      have a nice day
      SVen

        • 1. Re: Log-In-Problem using a LoginEJB and a Custom LoginModule
          rza

          Hi,

It isn't true that you can't tell a standalone client in the auth.conf file which login module to use. You can do it simply in VM arguments during start of the application: -Djava.security.auth.login.config="auth.conf".
          If you want more details just ask.

          Now about your problem.
It isn't a good idea to create LoginContext inside an unsecured EJB. LoginContext should be created on the client side because security associations are being used when you call a secured EJB. I imagine that in the case you created LoginContext inside an unsecured EJB, every call to a secured EJB has to go through this unsecured EJB because of the authentication/authorization process. In addition you have to set two different container configurations for secured and unsecured EJBs in your application server.

Regarding your posted exception traces I suppose that in your case there is no role assigned to the EJB you call. If you use XDoclet you have to set the following at the top of the EJB definition: @ejb.permission role-name = "<your_role>".
The <your_role> your application retrieves from your JAAS login module on the server side.
If you don't use XDoclet you have to put into ejb-jar.xml the following:
<assembly-descriptor >
  <security-role>
    <role-name>your_role</role-name>
  </security-role>

  <method-permission >
    <role-name>your_role</role-name>
    <method>
      <ejb-name>YOUR_EJB</ejb-name>
      <method-name>*</method-name>
    </method>
  </method-permission>
</assembly-descriptor>

          Regards,
          Robert
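Where the `<your_role>` that the assembly descriptor names actually comes from on the server side, as an added example (not the thread's PropertiesLoginModule and not JBoss's own code): a login module built on org.jboss.security.auth.spi.AbstractServerLoginModule that reads `user=password,role1,role2` lines from a properties file named by a hypothetical `userProperties` option and hands JBoss the identity plus a `Roles` group. The package name, class name, option name and the file format are assumptions; the `Roles` group is what produces the `Principal: Roles(members:JBossAdmin)` line seen in the original post.

```java
// Added example, not the original poster's PropertiesLoginModule: a server-side
// JBoss 3.2 login module. Registered in login-config.xml as (constructed):
//   <application-policy name="example-domain">
//     <authentication>
//       <login-module code="example.ExamplePropertiesLoginModule" flag="required">
//         <module-option name="userProperties">/path/to/users.properties</module-option>
//       </login-module>
//     </authentication>
//   </application-policy>
// users.properties (constructed):  sep=secret,JBossAdmin
package example;   // hypothetical package

import java.io.FileInputStream;
import java.io.IOException;
import java.io.InputStream;
import java.security.Principal;
import java.security.acl.Group;
import java.util.Map;
import java.util.Properties;
import javax.security.auth.Subject;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.NameCallback;
import javax.security.auth.callback.PasswordCallback;
import javax.security.auth.login.FailedLoginException;
import javax.security.auth.login.LoginException;
import org.jboss.security.SimpleGroup;
import org.jboss.security.SimplePrincipal;
import org.jboss.security.auth.spi.AbstractServerLoginModule;

public class ExamplePropertiesLoginModule extends AbstractServerLoginModule
{
   private Properties users = new Properties();
   private String username;
   private String[] roles = new String[0];

   public void initialize(Subject subject, CallbackHandler handler, Map sharedState, Map options)
   {
      super.initialize(subject, handler, sharedState, options);
      String path = (String) options.get("userProperties");   // hypothetical option name
      try
      {
         InputStream in = new FileInputStream(path);
         try { users.load(in); } finally { in.close(); }
      }
      catch (IOException e)
      {
         log.error("cannot load user properties from " + path, e);
      }
   }

   /** Authentication: ask the client's CallbackHandler for name and password and verify them. */
   public boolean login() throws LoginException
   {
      loginOk = false;
      NameCallback nc = new NameCallback("User name: ");
      PasswordCallback pc = new PasswordCallback("Password: ", false);
      try
      {
         callbackHandler.handle(new Callback[] { nc, pc });
      }
      catch (Exception e)
      {
         throw new LoginException("callback failed: " + e.getMessage());
      }
      char[] pw = pc.getPassword();
      String entry = users.getProperty(nc.getName());   // "password,role1,role2"
      if (entry == null || pw == null)
         throw new FailedLoginException("unknown user or missing password");
      String[] parts = entry.split(",");
      boolean match = parts[0].equals(new String(pw));
      pc.clearPassword();
      if (!match)
         throw new FailedLoginException("bad password");
      username = nc.getName();
      roles = new String[parts.length - 1];
      System.arraycopy(parts, 1, roles, 0, roles.length);
      loginOk = true;   // commit() only adds principals when this is true
      return true;
   }

   /** The caller principal JBoss reports (principal=sep in the thread's exception). */
   protected Principal getIdentity()
   {
      return new SimplePrincipal(username);
   }

   /** Authorization input: JBoss checks method-permission role names against the "Roles" group. */
   protected Group[] getRoleSets() throws LoginException
   {
      SimpleGroup rolesGroup = new SimpleGroup("Roles");
      for (int i = 0; i < roles.length; i++)
         rolesGroup.addMember(new SimplePrincipal(roles[i].trim()));
      return new Group[] { rolesGroup };
   }
}
```

The split between login() and getRoleSets() mirrors Robert's distinction: login() decides whether the caller is who they claim to be, while the `Roles` group is what the container compares against the `<role-name>` entries in the assembly descriptor when the secured method is invoked.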

          • 2. Re: Log-In-Problem using a LoginEJB and a Custom LoginModule
            neutro

            Hi Robert

            thank you for your answer.
            I know that I "normally" can use the auth.conf.
But I don't want to, because it would be too great an effort if I want to change the login-module because I would have to update each client's auth.conf which I want to avoid. Or am I getting this wrong?!
            I guess if I want to change the necessary login-module each client must change its auth.conf.

My idea was to use the unsecured EJB as some kind of connection between the client and the LoginContext. The EJB has a method login() which creates a new LoginContext using my own login-module configured in the login-config.xml, so if I want to change it I simply have to edit the login-config.xml! The EJB has a method .getSubject() which returns the authenticated subject.

It's possible that I am on a totally wrong way.

            What I don't understand is why I can't use the authenticated subject to call the secured EJB (if I understand you right I can't). Because you said every call must go through the unsecured EJB. I wanted to deal with this by calling the Subject.doAs method.

            Why do you mean I have to set different container configurations?

            I am using xdoclet and every method has either @ejb.permission role-name="JBossAdmin" or
            @ejb.permission unchecked="true"
And the Exception occurred when calling the create method which has unchecked permission.

            Regards,
            SVen

            • 3. Re: Log-In-Problem using a LoginEJB and a Custom LoginModule
              neutro

I just want the method permissions to be regarded, so I use the org.jboss.security.ClientLoginModule.
Is this a fault?

              Maybe this helps to find the problem:

jboss.xml
//=============================
<jboss>
  <security-domain>java:/jaas/client-login</security-domain>
  <enterprise-beans>
    <session>
      <ejb-name>Hello</ejb-name>
      <jndi-name>Hello</jndi-name>
      <local-jndi-name>HelloLocal</local-jndi-name>
      <method-attributes>
      </method-attributes>
    </session>
  </enterprise-beans>
  <resource-managers>
  </resource-managers>
</jboss>
//=============================

ejb-jar.xml
//=============================
<ejb-jar >
  <description><![CDATA[No Description.]]></description>
  <display-name>Generated by XDoclet</display-name>

  <enterprise-beans>

    <!-- Session Beans -->
    <session >
      <description><![CDATA[]]></description>
      <display-name>Hello</display-name>

      <ejb-name>Hello</ejb-name>

      <home>world.HelloHome</home>
      <remote>world.Hello</remote>
      <local-home>world.HelloLocalHome</local-home>
      <local>world.HelloLocal</local>
      <ejb-class>world.HelloBean</ejb-class>
      <session-type>Stateless</session-type>
      <transaction-type>Container</transaction-type>

      <security-role-ref>
        <role-name>admin</role-name>
        <role-link>JBossAdmin</role-link>
      </security-role-ref>
    </session>

    <!--
    To add session beans that you have deployment descriptor info for, add
    a file to your XDoclet merge directory called session-beans.xml that contains
    the <session></session> markup for those beans.
    -->

    <!-- Entity Beans -->
    <!--
    To add entity beans that you have deployment descriptor info for, add
    a file to your XDoclet merge directory called entity-beans.xml that contains
    the <entity></entity> markup for those beans.
    -->

    <!-- Message Driven Beans -->
    <!--
    To add message driven beans that you have deployment descriptor info for, add
    a file to your XDoclet merge directory called message-driven-beans.xml that contains
    the <message-driven></message-driven> markup for those beans.
    -->

  </enterprise-beans>

  <!-- Relationships -->

  <!-- Assembly Descriptor -->
  <assembly-descriptor >
    <!--
    To add additional assembly descriptor info here, add a file to your
    XDoclet merge directory called assembly-descriptor.xml that contains
    the <assembly-descriptor></assembly-descriptor> markup.
    -->
    <security-role>
      <description><![CDATA[description not supported yet by ejbdoclet]]></description>
      <role-name>JBossAdmin</role-name>
    </security-role>

    <method-permission >
      <description><![CDATA[description not supported yet by ejbdoclet]]></description>
      <unchecked/>
      <method>
        <ejb-name>Hello</ejb-name>
        <method-intf>LocalHome</method-intf>
        <method-name>create</method-name>
        <method-params>
        </method-params>
      </method>
    </method-permission>
    <method-permission >
      <description><![CDATA[description not supported yet by ejbdoclet]]></description>
      <unchecked/>
      <method>
        <description><![CDATA[]]></description>
        <ejb-name>Hello</ejb-name>
        <method-intf>Home</method-intf>
        <method-name>create</method-name>
        <method-params>
        </method-params>
      </method>
    </method-permission>
    <method-permission >
      <description><![CDATA[description not supported yet by ejbdoclet]]></description>
      <role-name>JBossAdmin</role-name>
      <method>
        <description><![CDATA[]]></description>
        <ejb-name>Hello</ejb-name>
        <method-name>remove</method-name>
        <method-params>
        </method-params>
      </method>
    </method-permission>
    <method-permission >
      <description><![CDATA[description not supported yet by ejbdoclet]]></description>
      <role-name>JBossAdmin</role-name>
      <method>
        <description><![CDATA[]]></description>
        <ejb-name>Hello</ejb-name>
        <method-name>remove</method-name>
        <method-params>
        </method-params>
      </method>
    </method-permission>
    <method-permission >
      <description><![CDATA[description not supported yet by ejbdoclet]]></description>
      <role-name>JBossAdmin</role-name>
      <method>
        <description><![CDATA[]]></description>
        <ejb-name>Hello</ejb-name>
        <method-intf>Local</method-intf>
        <method-name>hello</method-name>
        <method-params>
        </method-params>
      </method>
    </method-permission>
    <method-permission >
      <description><![CDATA[description not supported yet by ejbdoclet]]></description>
      <role-name>JBossAdmin</role-name>
      <method>
        <description><![CDATA[]]></description>
        <ejb-name>Hello</ejb-name>
        <method-intf>Remote</method-intf>
        <method-name>hello</method-name>
        <method-params>
        </method-params>
      </method>
    </method-permission>
    <method-permission >
      <description><![CDATA[description not supported yet by ejbdoclet]]></description>
      <role-name>JBossAdmin</role-name>
      <method>
        <description><![CDATA[]]></description>
        <ejb-name>Hello</ejb-name>
        <method-intf>Local</method-intf>
        <method-name>hello2</method-name>
        <method-params>
        </method-params>
      </method>
    </method-permission>
    <method-permission >
      <description><![CDATA[description not supported yet by ejbdoclet]]></description>
      <role-name>JBossAdmin</role-name>
      <method>
        <description><![CDATA[]]></description>
        <ejb-name>Hello</ejb-name>
        <method-intf>Remote</method-intf>
        <method-name>hello2</method-name>
        <method-params>
        </method-params>
      </method>
    </method-permission>
  </assembly-descriptor>
</ejb-jar>

              • 4. Re: Log-In-Problem using a LoginEJB and a Custom LoginModule
                rza


                Regarding your question: Why do you mean I have to set different container configurations?

Answer: I also have a problem with access to an EJB (working under JAAS) method for which unchecked="true" (I will be working on this in the future). Thus, I think that another solution is to set two container configurations: secured and unsecured.


                Show me your 'client-login' statement in your login-config.xml file. I have to know more about your configuration.

Because you want to authenticate/authorize users inside an EJB you probably will have a similar problem as I have (security associations for many users inside a single VM). Take a look at my post: http://jboss.org/index.html?module=bb&op=viewtopic&t=45081
                What do you think of this?

                regards,
                Robert

                • 5. Re: Log-In-Problem using a LoginEJB and a Custom LoginModule
                  neutro

my "client-login" is the default entry in the login-config.xml:
<application-policy name = "client-login">
  <authentication>
    <login-module code = "org.jboss.security.ClientLoginModule"
                  flag = "required">
    </login-module>
  </authentication>
</application-policy>

                  As I mentioned I just use this to make my method-permissions work.

Regarding your thread, it seems to be quite a similar problem. I'll tell you if I find a solution so you can try it.

                  • 6. Re: Log-In-Problem using a LoginEJB and a Custom LoginModule
                    rza

                    I have an alternative solution for you with container configurations I mentioned above.

If you use XDoclet, use the mergeDir property to set an additional container configuration (if you don't know how to use it, ask). So you have to create a file jboss-container.xml inside your mergeDir directory and put in the following content (the example refers to a session bean, but by analogy it can be applied to any EJB):

<container-configurations>
  <container-configuration extends="Standard Stateless SessionBean">
    <container-name>YOUR Stateless SessionBean</container-name>
    <security-domain/>
  </container-configuration>
</container-configurations>

                    In your bean you have to add XDoclet tag:
                    @jboss.container-configuration name = "YOUR Stateless SessionBean"

                    Now you don't have to login when you call bean methods.

                    regards,
                    Robert

                    • 7. Re: Log-In-Problem using a LoginEJB and a Custom LoginModule
                      rza

Coming back to your solution, see the following description (http://www.javaworld.com/javaworld/jw-08-2001/jw-0831-jaas_p.html):
                      "With EJB 2.0, you can now specify the unchecked element instead of the role-name element to declare that an authenticated user can access one or more methods."

So, you can see that authentication is required. Don't confuse authorization with authentication.
Authentication means that your JAAS login module recognizes you as a user but you may not have permission to call the method.
What does it mean? It means that when you have all your EJBs working under one container configuration with JAAS as a security manager, it is a must to authenticate when calling the methods. This means you have to create LoginContext on the client side (standalone application). 'unchecked' gives you the opportunity to call the methods to which the authenticated user doesn't have permission.
To avoid this problem you can apply the two container configurations I described above.

Regardless of your solution, my problem still remains unsolved (http://jboss.org/index.html?module=bb&op=viewtopic&t=45081) :(

                      By the way, using auth.conf in client application you can keep up to date your login module with WebStart solution.

                      Robert
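Robert's requirement that the LoginContext be created on the client side, as an added example that is not code from the thread: a standalone client that logs in through org.jboss.security.ClientLoginModule (the "client-login" entry quoted earlier) and then calls the secured Hello bean. It assumes the world.Hello/world.HelloHome interfaces from the thread, an auth.conf with a "client-login" entry passed via -Djava.security.auth.login.config, and a jndi.properties pointing at the server; the class name, package and CallbackHandler are hypothetical.

```java
// Added example, not the original poster's client. Expects an auth.conf (constructed) such as:
//   client-login {
//       org.jboss.security.ClientLoginModule required;
//   };
// and is started with  -Djava.security.auth.login.config=auth.conf
package example;   // hypothetical package

import java.io.IOException;
import javax.naming.Context;
import javax.naming.InitialContext;
import javax.rmi.PortableRemoteObject;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.NameCallback;
import javax.security.auth.callback.PasswordCallback;
import javax.security.auth.callback.UnsupportedCallbackException;
import javax.security.auth.login.LoginContext;
import world.Hello;        // interfaces from the thread's ejb-jar.xml
import world.HelloHome;

public class HelloClient
{
   /** Answers the NameCallback and PasswordCallback that ClientLoginModule issues. */
   static class SimpleHandler implements CallbackHandler
   {
      private final String user;
      private final char[] password;

      SimpleHandler(String user, char[] password)
      {
         this.user = user;
         this.password = password;
      }

      public void handle(Callback[] callbacks) throws IOException, UnsupportedCallbackException
      {
         for (int i = 0; i < callbacks.length; i++)
         {
            if (callbacks[i] instanceof NameCallback)
               ((NameCallback) callbacks[i]).setName(user);
            else if (callbacks[i] instanceof PasswordCallback)
               ((PasswordCallback) callbacks[i]).setPassword(password);
            else
               throw new UnsupportedCallbackException(callbacks[i]);
         }
      }
   }

   /** Logs in, calls the secured bean as that caller, and always logs out again. */
   public static String callHello(String user, char[] password) throws Exception
   {
      // ClientLoginModule does not verify the password itself: login() stores the
      // principal and credential in the client's security association so that
      // JBoss sends them with every EJB invocation. The server-side login module
      // configured for the bean's security-domain performs the real check, and
      // the container then compares its "Roles" group with the method-permission.
      LoginContext lc = new LoginContext("client-login", new SimpleHandler(user, password));
      lc.login();
      try
      {
         Context ctx = new InitialContext();   // provider URL comes from jndi.properties
         Object ref = ctx.lookup("Hello");
         HelloHome home = (HelloHome) PortableRemoteObject.narrow(ref, HelloHome.class);
         Hello hello = home.create();          // unchecked: needs an authenticated caller
         return hello.hello2();                // JBossAdmin role required
      }
      finally
      {
         lc.logout();   // clears the security association for this client
      }
   }

   public static void main(String[] args) throws Exception
   {
      System.out.println(callHello(args[0], args[1].toCharArray()));
   }
}
```

The contrast with the thread's Subject.doAs() approach is that nothing here passes a Subject to the container: the identity JBoss sees is whatever the ClientLoginModule placed in the security association, which is why the unchecked create() call succeeds for an authenticated caller and fails with principal=null without this login.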

                      • 8. Re: Log-In-Problem using a LoginEJB and a Custom LoginModule
                        neutro

                        I know that unchecked doesn't mean that any user is allowed to run the code.

But I don't understand how it should help me with my problem. After having called the unsecured bean (which means there are no method-permissions and there is no SecurityDomain set) I get an authenticated Subject from my LoginEJB. So I'm calling the secured EJB's method (which has unchecked permission) as an authenticated subject!


The JAAS Security Manager authenticated the subject which I get returned by LoginContext.getSubject() and which I pass to my client and I perform all method calls on the secured bean as the authenticated subject.

                        Maybe this wasn't clear.

But thank you for your help!

                        • 9. Re: Log-In-Problem using a LoginEJB and a Custom LoginModule
                          rza

                          You wrote:
                          "The JAAS Security Manager authenticated the subject which I get returned by Logincontext.getSubject() and which I pass to my client and I perform all method calls on the secured bean as the authenticated subject. "

                          How do you call secured EJB from client using authenticated subject?
                          Send me your client code.

                          Robert

                          • 10. Re: Log-In-Problem using a LoginEJB and a Custom LoginModule
                            neutro

                            I am calling the secured bean using this code:

// calling unsecured bean which does the login stuff
// now get the authenticated subject
Subject s = LoginBean.getSubject();
/** the getSubject method returns LoginContext.getSubject() */
Subject.doAs(s, new PrivilegedAction()
{
    public Object run()
    {
        try
        {
            InitialContext ctx = new InitialContext();
            HelloHome h = (HelloHome) ctx.lookup("Hello");
            Hello he = h.create();
            lblRes.setText(he.hello2());
        }
        catch (Exception e)
        {
            e.printStackTrace();   // NamingException, CreateException, RemoteException
        }
        return null;
    }
});


Parameters of Subject.doAs(...):
                            subject - the Subject that the specified action will run as. This parameter may be null.

                            action - the code to be run as the specified Subject.


                            Maybe I am totally wrong but this should call the secured Bean as the authenticated Subject.

                            Regards,
                            SVen

                            • 11. Re: Log-In-Problem using a LoginEJB and a Custom LoginModule
                              starksm64

                              Regarding the original Subject.doAs() construct, this does not define an authenticated Subject. It enables the use of Subject based permissions, which JBoss does not support as an authorization mechanism.

                              • 12. Re: Log-In-Problem using a LoginEJB and a Custom LoginModule
                                neutro

                                Thank you Scott
                                I guess this was the fault.

                                I thought JBoss looks for the subject which calls a secured Method and gets the roles from the subject.

                                So I have to find another way.

                                Thank you all for your help

                                best regards
                                SVen