EJB Security
elaineqs Jul 13, 2004 3:44 PMHi,
I'm tring to implemente EJB security using the following files with JBoss 3.2.3:
login-config.xml
....
<application-policy name = "framework">
<login-module code="org.jboss.security.auth.spi.UsersRolesLoginModule"
flag = "required" />
</application-policy>
....
____________________
users.properties
admin=password
____________________
roles.properties
admin=teste
_________________________
ejb-jar.xml
.....
<display-name>testeejb</display-name>
<enterprise-beans>
<ejb-name>TesteBean</ejb-name>
core.ejb.TesteBeanHome
core.ejb.TesteBean
<ejb-class>core.ejb.TesteBeanEJB</ejb-class>
<session-type>Stateless</session-type>
<transaction-type>Container</transaction-type>
</enterprise-beans>
<assembly-descriptor>
<security-role>
Teste user
<role-name>teste</role-name>
</security-role>
<method-permission>
<role-name>teste</role-name>
<ejb-name>TesteBean</ejb-name>
<method-intf>Home</method-intf>
<method-name>create</method-name>
</method-permission>
</assembly-descriptor>
</ejb-jar>
_______________________
jboss.xml
....
<security-domain>java:/jaas/framework</security-domain>
<enterprise-beans>
<ejb-name>TesteBean</ejb-name>
<jndi-name>TesteBean</jndi-name>
</enterprise-beans>
_________________________
login.jsp
Username:
Password:
_____________________________
login.java (Servlet Login)
...
public void doGet(HttpServletRequest req, HttpServletResponse resp) throws ServletException, IOException {
try {
UsernamePassworkHandler uph = new UsernamePassworkHandler((String) req.getParameter("username"), ((String) req.getParameter("password")).toCharArray()); (I implemented this class)
LoginContext lc = new LoginContext("framework", uph);
lc.login();
System.out.println("Successful Loggin");
Subject s = lc.getSubject();
System.out.println(s.toString());
// Try to access a protected EJB (only user teste can access the create method)
InitialContext ctx = new InitialContext();
TesteBeanHome home = (TesteBeanHome) ctx.lookup("TesteBean");
TesteBean bean = (TesteBean) home.create();
bean.writeText();
} catch (Exception e) {
e.printStackTrace();
}
} ...
_________________________________
Using those files, i got the following exception:
16:19:42,612 INFO [STDOUT] Successful Loggin
16:19:42,616 INFO [STDOUT] Subject:
Principal: admin
Principal: Roles(members:teste)
16:19:42,633 ERROR [SecurityInterceptor] Authentication exception, principal=null
16:19:42,634 ERROR [LogInterceptor] EJBException, causedBy:
java.lang.SecurityException: Authentication exception, principal=null
at org.jboss.ejb.plugins.SecurityInterceptor.checkSecurityAssociation(SecurityInterceptor.java:164)
at org.jboss.ejb.plugins.SecurityInterceptor.invokeHome(SecurityInterceptor.java:81)
at org.jboss.ejb.plugins.LogInterceptor.invokeHome(LogInterceptor.java:120)
at org.jboss.ejb.plugins.ProxyFactoryFinderInterceptor.invokeHome(ProxyFactoryFinderInterceptor.java:93)
at org.jboss.ejb.StatelessSessionContainer.internalInvokeHome(StatelessSessionContainer.java:319)
at org.jboss.ejb.Container.invoke(Container.java:720)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
at java.lang.reflect.Method.invoke(Method.java:324)
at org.jboss.mx.capability.ReflectedMBeanDispatcher.invoke(ReflectedMBeanDispatcher.java:284)
at org.jboss.mx.server.MBeanServerImpl.invoke(MBeanServerImpl.java:546)
at org.jboss.invocation.local.LocalInvoker.invoke(LocalInvoker.java:101)
at org.jboss.invocation.InvokerInterceptor.invoke(InvokerInterceptor.java:90)
at org.jboss.proxy.TransactionInterceptor.invoke(TransactionInterceptor.java:46)
at org.jboss.proxy.SecurityInterceptor.invoke(SecurityInterceptor.java:45)
at org.jboss.proxy.ejb.HomeInterceptor.invoke(HomeInterceptor.java:173)
at org.jboss.proxy.ClientContainer.invoke(ClientContainer.java:85)
at $Proxy33.create(Unknown Source)
at login.doGet(login.java:35)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:740)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:853)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:247)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:193)
at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:256)
at org.apache.catalina.core.StandardPipeline$StandardPipelineValveContext.invokeNext(StandardPipeline.java:643)
at org.apache.catalina.core.StandardPipeline.invoke(StandardPipeline.java:480)
at org.apache.catalina.core.ContainerBase.invoke(ContainerBase.java:995)
at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:191)
at org.apache.catalina.core.StandardPipeline$StandardPipelineValveContext.invokeNext(StandardPipeline.java:643)
at org.jboss.web.tomcat.security.JBossSecurityMgrRealm.invoke(JBossSecurityMgrRealm.java:220)
at org.apache.catalina.core.StandardPipeline$StandardPipelineValveContext.invokeNext(StandardPipeline.java:641)
at org.apache.catalina.valves.CertificatesValve.invoke(CertificatesValve.java:246)
at org.apache.catalina.core.StandardPipeline$StandardPipelineValveContext.invokeNext(StandardPipeline.java:641)
at org.jboss.web.tomcat.tc4.statistics.ContainerStatsValve.invoke(ContainerStatsValve.java:76)
at org.apache.catalina.core.StandardPipeline$StandardPipelineValveContext.invokeNext(StandardPipeline.java:641)
at org.apache.catalina.core.StandardPipeline.invoke(StandardPipeline.java:480)
at org.apache.catalina.core.ContainerBase.invoke(ContainerBase.java:995)
at org.apache.catalina.core.StandardContext.invoke(StandardContext.java:2417)
at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:180)
at org.apache.catalina.core.StandardPipeline$StandardPipelineValveContext.invokeNext(StandardPipeline.java:643)
at org.apache.catalina.valves.ErrorDispatcherValve.invoke(ErrorDispatcherValve.java:171)
at org.apache.catalina.core.StandardPipeline$StandardPipelineValveContext.invokeNext(StandardPipeline.java:641)
at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:172)
at org.apache.catalina.core.StandardPipeline$StandardPipelineValveContext.invokeNext(StandardPipeline.java:641)
at org.jboss.web.tomcat.security.SecurityAssociationValve.invoke(SecurityAssociationValve.java:65)
at org.apache.catalina.core.StandardPipeline$StandardPipelineValveContext.invokeNext(StandardPipeline.java:641)
at org.apache.catalina.valves.AccessLogValve.invoke(AccessLogValve.java:577)
at org.apache.catalina.core.StandardPipeline$StandardPipelineValveContext.invokeNext(StandardPipeline.java:641)
at org.apache.catalina.core.StandardPipeline.invoke(StandardPipeline.java:480)
at org.apache.catalina.core.ContainerBase.invoke(ContainerBase.java:995)
at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:174)
at org.apache.catalina.core.StandardPipeline$StandardPipelineValveContext.invokeNext(StandardPipeline.java:643)
at org.apache.catalina.core.StandardPipeline.invoke(StandardPipeline.java:480)
at org.apache.catalina.core.ContainerBase.invoke(ContainerBase.java:995)
at org.apache.coyote.tomcat4.CoyoteAdapter.service(CoyoteAdapter.java:197)
at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:781)
at org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.processConnection(Http11Protocol.java:549)
at org.apache.tomcat.util.net.TcpWorkerThread.runIt(PoolTcpEndpoint.java:605)
at org.apache.tomcat.util.threads.ThreadPool$ControlRunnable.run(ThreadPool.java:677)
at java.lang.Thread.run(Thread.java:534)
_________________________________
What is missing to my application?? I don't want to use web application authentication. I want to use only EJB security. Is this possible?
Many thanks!