1. Re: Will $100 Manual help us to resolve this security issue
frankgrimes Oct 19, 2004 2:03 PM (in response to subri.shastry)
Just a quick tip.
I've noticed that in order to get help on these (and most Open Source) fora, it helps to provide specific information.
Such as:
JBoss version
JVM
OS
Stack Trace (where applicable)
2. Re: Will $100 Manual help us to resolve this security issue
starksm64 Oct 19, 2004 2:10 PM (in response to subri.shastry)
No, the docs are going to help with this issue. I would need to see a sample ear that illustrates what you are trying to do. There is nothing special about form authentication in terms of how the security context propagates to ejbs. If you want further help with this create a sample ear and attach it to a bug report on sourceforge:
http://sourceforge.net/tracker/?group_id=22866&atid=376685
3. Re: Will $100 Manual help us to resolve this security issue
subri.shastry Oct 19, 2004 3:33 PM (in response to subri.shastry)
Thanks, we shall send the ear file. In the meantime I had a question.
We are using a Struts Action Class for login which gets invoked and we are successfully authenticated when we call lc.login(); our custom login gets invoked correctly. However our web container does not know about this authentication, hence it does not get forwarded to the first jsp in the web.xml but continues to display the login page. Hence we are using j_security_check in the jsp, after which we call JAAS. We call JAAS because j_security_check does invoke our Custom Login module.
We should not be doing both j_security_check and JAAS.
Weblogic has a very clean solution: we call ServletAuthenticator.runAs(subject, httprequest) and we do not do j_security_check or doAs for the session bean etc.
If someone could tell me what it is that we need to do to propagate the authentication to the web layer and ejb layer, it would be really helpful, as now I realize that the manual will not talk about this.
JBoss Version: 3.2.5
OS: Microsoft Professional XP
JVM: Sun JDK 1.4
Stack Trace:
4. Re: Will $100 Manual help us to resolve this security issue
subri.shastry Oct 19, 2004 3:37 PM (in response to subri.shastry)
Sorry stack trace missing above...
14:33:37,531 ERROR [LogInterceptor] RuntimeException:
java.lang.IllegalStateException: No security context set
at org.jboss.ejb.EnterpriseContext$EJBContextImpl.getCallerPrincipal(EnterpriseContext.java:276)
at com.retalix.convergence.prompt2.invoice.ejb.InvoiceManagerBean.getInvoices(Unknown Source)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
at java.lang.reflect.Method.invoke(Method.java:324)
at org.jboss.ejb.StatelessSessionContainer$ContainerInterceptor.invoke(StatelessSessionContainer.java:683)
at org.jboss.resource.connectionmanager.CachedConnectionInterceptor.invoke(CachedConnectionInterceptor.java:185)
at org.jboss.ejb.plugins.StatelessSessionInstanceInterceptor.invoke(StatelessSessionInstanceInterceptor.java:72)
at org.jboss.ejb.plugins.AbstractTxInterceptor.invokeNext(AbstractTxInterceptor.java:84)
5. Re: Will $100 Manual help us to resolve this security issue
starksm64 Oct 19, 2004 8:39 PM (in response to subri.shastry)
If the security-domain you use to perform the form authentication includes your custom login module, any ejbs accessed from within secured web content will automatically propagate the security context to ejbs. Otherwise, you need to do a JAAS login as described in the JAAS Howto in this forum.
6. Re: Will $100 Manual help us to resolve this security issue
subri.shastry Oct 22, 2004 3:25 PM (in response to subri.shastry)
I have sent the bug report to the sourceforge but when I try to attach the .ear file I get error invalid file name
7. Re: Will $100 Manual help us to resolve this security issue
subri.shastry Oct 22, 2004 4:59 PM (in response to subri.shastry)
Checked the box which says if you want to send attachments, check on this box.
When I click on Submit Change, after some time I get error "Invalid Filename"
The .ear file that I am trying to attach is around 5MB
8. Re: Will $100 Manual help us to resolve this security issue
jgc195 Nov 1, 2004 12:05 PM (in response to subri.shastry)
"scott.stark@jboss.org" wrote:
I would need to see a sample ear that illustrates what you are trying to do.
"subri.shastry@retalix.com" wrote:
The .ear file that I am trying to attach is around 5MB
Are you trying to annoy him on purpose?