3 Replies Latest reply on Sep 28, 2004 11:32 AM by mttu

    A web app acting as security proxy

    danl_thompson
    danl_thompson Sep 16, 2004 4:52 PM

      I have a secure ejb app, and I need the web app to access it. BUT I don't want the users to authenticate, I want the web container to authenticate.

      So basically the web container acts as a security proxy, authenticating itself, so the users don't have to. and acting on their behalf in order to access the EJB app.

      HOW the heck do I get there... I understand what to do if I had a stand-alone java app I'd configure the clientLoginModule. Is the web contianer configurable somehow to do this?

      dt

      • 2688 Views
      • Tags:
        • 1. Re: A web app acting as security proxy
          danl_thompson
          danl_thompson Sep 16, 2004 5:31 PM (in response to danl_thompson)

          AH... UsersRolesLoginModule with unauthenticatedIdentity module option....

          Thanks all

            • Actions
          • 2. Re: A web app acting as security proxy
            piobair
            piobair Sep 27, 2004 2:06 PM (in response to danl_thompson)

            I'm doing something similar to this, but haven't managed to find the secret sauce that works yet.

            Using JBOSS 3.2.4 . . .

            What's really confusing is that I can get things to work flawlessly from a stand-alone JUnit. But, once run inside a servelet container I get a classic principal=null exception.

            The client is using hte ClientLoginModule, which shouldn't be attempting to authenticate at the client, right? However the exception is being thrown from the login() method!


            Only thing fancy here is the classpath lookup of the auth.config (which is executing okay).
            private LoginContext lc = null;

            public void login() {
 Properties creds = ConfigurationLocator.getProperties(CREDENTIALS_KEY);


 URL seedFile = this.getClass().getClassLoader().getResource(LOGIN_CONF);
 String path = seedFile.getPath();
 System.setProperty(LOGIN_CONF_PROP, path);

 String user = creds.getProperty(PRINCIPAL);
 String pass = creds.getProperty(CREDENTIAL);
 CallbackHandler handler = new LoginCallbackHandler(user, pass.toCharArray());
 try {
 lc = new LoginContext(creds.getProperty(REALM), handler);
 lc.login();
 } catch (LoginException e) {
 e.printStackTrace();
 }
 }


            client auth.conf: 
            clientRealm {
 org.jboss.security.ClientLoginModule required;
};



            server login-conf.xml 
            <application-policy name = "messageGateRealm">
 <authentication>
 <login-module code="org.jboss.security.ClientLoginModule"
 flag="required"/>

 <login-module code = "org.jboss.security.auth.spi.UsersRolesLoginModule"
 flag = "required" />
 <module-option name="unauthenticatedIdentity">nobody</module-option>
 </authentication>
 </application-policy>



              • Actions
            • 3. Re: A web app acting as security proxy
              mttu Sep 28, 2004 11:32 AM (in response to danl_thompson)

              hjklkjlkjl

                • Actions