8 Replies Latest reply on Nov 1, 2004 12:05 PM by jgc195

    Will $100 Manual help us to resolve this security issue

    subri.shastry

      I use JAAS for web-based login. The first time I access the EJB session bean and do a getCallerPrincipal() I do get the caller correctly.
      However, when I go to a different screen and do the getCallerPrincipal() I get the exception 'IllegalState' for the unauthenticated subject.

      Before making a call to getCallerPrincipal() inside the SessionBean the 2nd time, I call Subject.doAs(..) in the caller, but still this does not help, and also we were told by Scott Stark that doAs(..) does not mean anything for JBoss.

      There is no Form Based Authentication in the JAAS HowTo examples.

      We are a Weblogic shop and are really keen on marketing JBoss to our customers but that requires us to port the application. We are 90% there but this problem is preventing us from proceeding further.

        • 1. Re: Will $100 Manual help us to resolve this security issue
          frankgrimes

          Just a quick tip.
          I've noticed that in order to get help on these (and most Open Source) fora, it helps to provide specific information.

          Such as:

          JBoss version
          JVM
          OS
          Stack Trace (where applicable)

          • 2. Re: Will $100 Manual help us to resolve this security issue
            starksm64

            No, the docs are going to help with this issue. I would need to see a sample ear that illustrates what you are trying to do. There is nothing special about form authentication in terms of how the security context propagates to ejbs. If you want further help with this create a sample ear and attach it to a bug report on sourceforge:

            http://sourceforge.net/tracker/?group_id=22866&atid=376685

            • 3. Re: Will $100 Manual help us to resolve this security issue
              subri.shastry

              Thanks, we shall send the ear file. In the meantime I had a question.
              We are using a Struts Action class for login which gets invoked, and we are successfully authenticated when we call lc.login(); our custom login module gets invoked correctly. However, our web container does not know about this authentication, hence it does not get forwarded to the first JSP in the web.xml but continues to display the login page. Hence we are using j_security_check in the JSP, after which we call JAAS. We call JAAS because j_security_check does invoke our custom login module.
              We should not be doing both j_security_check and JAAS.

              Weblogic has a very clean solution: we call ServletAuthenticator.runAs(subject, httprequest) and we do not do j_security_check or doAs for the session bean etc.

              If someone could tell me what it is that we need to do to propagate the authentication to the web layer and EJB layer, it would be really helpful, as now I realize that the manual will not talk about this.

              JBoss Version: 3.2.5
              OS: Microsoft Professional XP
              JVM: Sun JDK 1.4
              Stack Trace:

              • 4. Re: Will $100 Manual help us to resolve this security issue
                subri.shastry

                Sorry stack trace missing above...

                14:33:37,531 ERROR [LogInterceptor] RuntimeException:
                java.lang.IllegalStateException: No security context set
                at org.jboss.ejb.EnterpriseContext$EJBContextImpl.getCallerPrincipal(EnterpriseContext.java:276)
                at com.retalix.convergence.prompt2.invoice.ejb.InvoiceManagerBean.getInvoices(Unknown Source)
                at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
                at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
                at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
                at java.lang.reflect.Method.invoke(Method.java:324)
                at org.jboss.ejb.StatelessSessionContainer$ContainerInterceptor.invoke(StatelessSessionContainer.java:683)
                at org.jboss.resource.connectionmanager.CachedConnectionInterceptor.invoke(CachedConnectionInterceptor.java:185)
                at org.jboss.ejb.plugins.StatelessSessionInstanceInterceptor.invoke(StatelessSessionInstanceInterceptor.java:72)
                at org.jboss.ejb.plugins.AbstractTxInterceptor.invokeNext(AbstractTxInterceptor.java:84)

                • 5. Re: Will $100 Manual help us to resolve this security issue
                  starksm64

                  If the security-domain you use to perform the form authentication includes your custom login module, any ejbs accessed from within secured web content will automatically propagate the security context to ejbs. Otherwise, you need to do a JAAS login as described in the JAAS Howto in this forum.
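                  The setup described in reply 5 (form authentication through the same security domain that holds the custom login module, so that the web container authenticates the user and the EJB container receives the caller principal without any manual lc.login() or Subject.doAs() in a Struts action, the situation reply 3 describes) looks like the following. This is an added illustration, not configuration from the thread or from JBoss; the domain name myapp, the role AppUser, the class com.example.MyLoginModule and the JSP paths are assumptions to be replaced with the application's own values. The fragments belong to separate files, marked by comments.

```xml
<!-- WEB-INF/web.xml: protect the application and let the container do FORM login.
     Everything under /* requires the AppUser role, so an unauthenticated request is
     redirected to /login.jsp by the container before any JSP or EJB call runs. -->
<web-app>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Application</web-resource-name>
      <url-pattern>/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
      <role-name>AppUser</role-name>
    </auth-constraint>
  </security-constraint>
  <login-config>
    <auth-method>FORM</auth-method>
    <realm-name>MyApp</realm-name>
    <form-login-config>
      <form-login-page>/login.jsp</form-login-page>
      <form-error-page>/loginError.jsp</form-error-page>
    </form-login-config>
  </login-config>
  <security-role>
    <role-name>AppUser</role-name>
  </security-role>
</web-app>

<!-- WEB-INF/jboss-web.xml: bind the web module to the JAAS security domain. -->
<jboss-web>
  <security-domain>java:/jaas/myapp</security-domain>
</jboss-web>

<!-- META-INF/jboss.xml in the EJB jar: bind the EJBs to the same domain, so the
     principal and roles established by the web login are accepted as the caller. -->
<jboss>
  <security-domain>java:/jaas/myapp</security-domain>
</jboss>

<!-- conf/login-config.xml (server-wide): the domain that both modules reference.
     The custom login module runs for both j_security_check and EJB calls. -->
<policy>
  <application-policy name="myapp">
    <authentication>
      <login-module code="com.example.MyLoginModule" flag="required"/>
    </authentication>
  </application-policy>
</policy>

<!-- login.jsp: the form posts to the container's j_security_check, not to a Struts
     action. The field names j_username and j_password are fixed by the servlet spec. -->
<form method="post" action="j_security_check">
  <input type="text" name="j_username"/>
  <input type="password" name="j_password"/>
  <input type="submit" value="Login"/>
</form>
```

With this in place the Struts action no longer performs a JAAS login of its own; a call to ctx.getCallerPrincipal() in a session bean reached from a secured page returns the principal the form login established, on the first and on every later request. One check worth making when porting a custom login module: JBoss expects the module to populate the Subject with a group named "Roles" containing the user's roles, otherwise the web container authenticates the user but denies the AppUser constraint.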

                  • 6. Re: Will $100 Manual help us to resolve this security issue
                    subri.shastry

                    I have sent the bug report to SourceForge, but when I try to attach the .ear file I get the error "invalid file name".

                    • 7. Re: Will $100 Manual help us to resolve this security issue
                      subri.shastry

                      I checked the box which says "if you want to send attachments, check this box".

                      When I click on Submit Change, after some time I get the error "Invalid Filename".

                      The .ear file that I am trying to attach is around 5MB.

                      • 8. Re: Will $100 Manual help us to resolve this security issue
                        jgc195


                        "scott.stark@jboss.org" wrote:
                        I would need to see a sample ear that illustrates what you are trying to do.


                        "subri.shastry@retalix.com" wrote:
                        The .ear file that I am trying to attach is around 5MB


                        Are you trying to annoy him on purpose?