2 Replies Latest reply on Apr 19, 2004 10:27 AM by inkypinky

    jaas jsp login problem

    inkypinky

      Hi,



      I'm using the Tomcat server which comes with jboss. I'm having a problem with jboss login using jaas via jsp. I successfully manage to login using jaas. The "System.out.println(userPrincipalName);" in the jsp snippet returns "test", all well and good so far. This then calls getUser() in the ejb snippet at the bottom of this mail. The "System.out.println(ctx.getCallerPrincipal().getName());" called in the ejb snippet below returns "nobody" though.



      I'm not sure if the system is only logging the user into Tomcat or if it is because there are no <method-permission> tags in the ejb-jar.xml. I don't need security for my beans yet but for ctx.getCallerPrincipal() to work does the bean need a method permission tag with unchecked instead of a role name? If the system is only logging the user into Tomcat is there a way to pass this login info on?

      Can this be done at all or does the login have to happen on the ejb side of the code rather than in the jsp? I would have thought that it would work on the jsp side as it is calling a login-module defined in jboss's login-config.xml


      Any help would be much appreciated.



      Thanks in advance,



      Neil Mendoza

      --------------------------------------jsp snippet----------------------
       String user="test";
       String pass="test";
       try
       {
       UsernamePasswordHandler handler = new UsernamePasswordHandler(user, pass.toCharArray());
       LoginContext loginContext = new LoginContext("ias-login", handler);
      
       loginContext.login();
       try
       {
       String userPrincipalName = ((Principal) loginContext.getSubject().getPrincipals().iterator().next()).getName();
       if (userPrincipalName == null) System.out.println("name is null!");
      
       else System.out.println(userPrincipalName);
      
       UserValue userValue = UserManagerUtil.getLocalHome().create().getUser();
      
       session.setAttribute("myUserValue", userValue);
      
       %>
       <jsp:forward page="./index.jsp?action=workspace" />
      
       <%
       }
       catch (javax.ejb.FinderException e)
       {
       errorMessage = "The login details you entered were valid with jaas but not with ias.";
       }
       }
       catch (javax.security.auth.login.LoginException e)
       {
       errorMessage = "The login details you entered were not valid.";
       }
      -----------------------------------end of jsp------------------------------
      
      
      ------------------------ejb snippet--------------------------------
       /**
       * Get the "logged-in" user from the caller principal
       *
       * @return The logged-in user.
       * @ejb.interface-method view-type="both"
       * @ejb.transaction type="Required"
       **/
       public UserValue getUser() throws FinderException {
       try {
       UserLocalHome cHome = UserUtil.getLocalHome();
       System.out.println(ctx.getCallerPrincipal().getName());
       UserLocal ul = cHome.findByUserName(ctx.getCallerPrincipal().getName());
       return (UserValue) ul.getUserValue();
       } catch ( NamingException ne ) {
       throw new EJBException("An error occurred while connecting to the Application Server.", ne );
       }
       }
      --------------------------end of ejb-----------------------------------
      



        • 1. Re: jaas jsp login problem
          starksm64

          For ctx.getCallerPrincipal() to return a value there must be a jboss.xml in the ejb jar specifying the security-domain, and there must be a method-permission that allows access to the caller.

          • 2. Re: jaas jsp login problem
            inkypinky

            OK, here is something that hasn't really been made clear on any posts I have read in this forum. If you want to use Tomcat with the clientloginmodule on the client side and want the server side to log you in using a databaseservermodule you have to perform the jaas client login and logout every time you send a request for a page.

            If you do not do this it will lead to unpredictable results. The JBoss login module ClientLoginModule has an optional parameter for multi-threaded behaviour. If this parameter is set to false, the login will be global, meaning that the same user credentials will be associated with any request. This can for example lead to all users sharing the identity of the user who last logged in. When set to true, user credentials will be associated with a particular thread, leading to a user not being logged in or unexpectedly changing identify.