2 Replies Latest reply on Jan 4, 2005 3:21 PM by starksm64

    java.lang.SecurityException: Authentication exception, prin

    tomansley

      Hi all,

      I have scoured the Internet and pounded my head against the wall for hours looking for answers to my questions. I have found a bunch of stuff but nothing seems to be working for me. I am beginning to think that I may be asking the wrong questions or am totally missing some basic principle!!

      My main question is with regards to the security architecture between Tomcat and JBoss. I have a Struts web application which is run in the web container and some EJBs that run in the application container. Nothing new there.

      My question is with regards to how security works in this situation. I am using JAAS and the DatabaseServerLoginModule. How do the credentials and principals get passed around between the containers? Does the JAAS security manager do everything for me or do I have to pass some of that information around when trying to get a Context in the app container from the web container.

      I currently have a system set up where it will authenticate the user correctly, by creating a LoginContext, and the first time I try to create an InitialContext everything works fine. Then when the web user sends the next request to the web container, it fails when I try to create an InitialContext. It's almost as if I should be placing the Subject, which has been successfully authenticated, into a place somewhere where the containers can get to it when trying to authorize. Am I on the correct path?

      I guess I am looking for an answer to my problem as much as I am looking for the correct way of looking at the big picture. If there are any other sources that may help clarify this it would be much appreciated.

      Below are the code snippets along with the error message I am getting. It is the typical java.lang.SecurityException: Authentication exception, principal=null error.

      What follows are:

      login-config.xml snippet
      LoginContext snippet (which works)
      InitialContext snippet (which works the first time and never again)
      log output from JBoss

      ---------------------------------------------------------------------
      login-config.xml snippet

      <application-policy name="Camp">
        <login-module code="org.jboss.security.auth.spi.DatabaseServerLoginModule" flag="required">
          <module-option name="dsJndiName">java:/PostgresDS</module-option>
          <module-option name="principalsQuery">SELECT password FROM tblPrincipals where username=?</module-option>
          <module-option name="rolesQuery">select user_role as Roles, 'Roles' from tblRoles where username=?</module-option>
        </login-module>
        <login-module code="org.jboss.security.ClientLoginModule" flag="required"></login-module>
      </application-policy>

      NOTE: One thing to note here is that unless it returned the string "Roles" for the second column in the rolesQuery I could not get it authenticating AT ALL. Very weird. It just came back with the principalRoles=null error that is so common.

      ----------------------------------------------------------------------
      LoginContext snippet

      import javax.security.auth.Subject;
      import javax.security.auth.login.LoginContext;
      import javax.security.auth.login.LoginException;

      // ...
      // PassiveCallbackHandler is the poster's own CallbackHandler: it is built with the
      // user name and password and answers the callbacks issued by the "Camp" login modules.
      char[] pass = password.toCharArray();
      PassiveCallbackHandler cbh = new PassiveCallbackHandler(userName, pass);
      LoginContext lc = new LoginContext("Camp", cbh);
      lc.login();                      // throws LoginException if authentication fails
      Subject s = lc.getSubject();     // the authenticated Subject; nothing further is done with it
      // ...


      NOTE: Do I need to do something with the Subject after it's been authenticated? Do I need to put it into the Context or into the Tomcat session? I do not do anything with it after actually getting it from the LoginContext.

      ----------------------------------------------------------------------
      InitialContext snippet

      import javax.naming.Context;
      import javax.naming.InitialContext;
      import javax.rmi.PortableRemoteObject;

      // ...
      System.out.println("Performing <CAMP/report> home lookup");
      try {
          // No principal or credentials are passed to the InitialContext here; the EJB
          // invocation carries whatever identity JBoss has associated with the calling thread.
          Context ctx = new InitialContext();
          Object home = ctx.lookup("CAMP/report");
          report_home pSearch = (report_home) PortableRemoteObject.narrow(home, report_home.class);
          return pSearch.create();
      } catch (Exception e) {
          e.printStackTrace();
          return null;   // lookup or create() failed; the SecurityException is in the log below
      }

      NOTE: Do I need to be giving the InitialContext the principal and credentials to the context before doing a lookup?

      ----------------------------------------------------------------------
      Log snippet

      12:31:20,717 INFO [STDOUT] Performing <CAMP/report> home lookup
      12:31:20,950 INFO [STDOUT] java.rmi.AccessException: SecurityException; nested exception is:
      java.lang.SecurityException: Authentication exception, principal=null
      12:31:20,952 INFO [STDOUT] at org.jboss.ejb.plugins.LogInterceptor.handleException(LogInterceptor.java:369)
      12:31:20,954 INFO [STDOUT] at org.jboss.ejb.plugins.LogInterceptor.invokeHome(LogInterceptor.java:124)
      12:31:20,955 INFO [STDOUT] at org.jboss.ejb.plugins.ProxyFactoryFinderInterceptor.invokeHome(ProxyFactoryFinderInterceptor.java:93)
      12:31:20,956 INFO [STDOUT] at org.jboss.ejb.SessionContainer.internalInvokeHome(SessionContainer.java:613)

      ----------------------------------------------------------------------
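Added example, not code from the original post and not part of JBoss itself: a servlet filter that performs the JAAS login against the "Camp" domain on every request thread, just before the Struts layer calls into the EJB container, and logs out again when the request is done. The point it illustrates is that org.jboss.security.ClientLoginModule does not propagate the Subject anywhere; inside the server it attaches the principal and credential to the current thread, so a login done during one request does not cover the next request, which Tomcat typically dispatches on a different worker thread. The session attribute names "camp.user" and "camp.password", and the assumption that the application's own login form stores the user name and password in the HttpSession, are hypothetical choices for this example; the domain name "Camp" and the module stack come from the poster's login-config.xml. org.jboss.security.auth.callback.UsernamePasswordHandler is JBoss's stock CallbackHandler and stands in for the poster's PassiveCallbackHandler.

```java
// Added example (not from the original post or from JBoss): re-establish the
// ClientLoginModule security association on every request thread, then clear it.
//
// Assumptions (hypothetical): after its own login form, the application has stored
// the user name (String) under "camp.user" and the password (char[]) under
// "camp.password" in the HttpSession. The JAAS domain "Camp" is the poster's, and it
// stacks DatabaseServerLoginModule + ClientLoginModule as in login-config.xml.
import java.io.IOException;

import javax.security.auth.login.LoginContext;
import javax.security.auth.login.LoginException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpSession;

import org.jboss.security.auth.callback.UsernamePasswordHandler;

public class CampLoginFilter implements Filter {

    private static final String DOMAIN = "Camp";                // from the poster's login-config.xml
    private static final String USER_ATTR = "camp.user";         // hypothetical session attribute
    private static final String PASSWORD_ATTR = "camp.password"; // hypothetical session attribute

    public void init(FilterConfig config) throws ServletException {
    }

    public void destroy() {
    }

    public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain)
            throws IOException, ServletException {
        HttpSession session = ((HttpServletRequest) request).getSession(false);
        String user = (session == null) ? null : (String) session.getAttribute(USER_ATTR);
        char[] password = (session == null) ? null : (char[]) session.getAttribute(PASSWORD_ATTR);

        if (user == null || password == null) {
            // Nobody is logged in: pass the request through with no identity attached.
            // Any EJB call on this path fails with "Authentication exception, principal=null".
            chain.doFilter(request, response);
            return;
        }

        LoginContext lc;
        try {
            // ClientLoginModule.login() records principal and credential for the thread
            // that executes it (JBoss's SecurityAssociation is per-thread inside the
            // server). That is why the poster's single login() covered only the first request.
            lc = new LoginContext(DOMAIN, new UsernamePasswordHandler(user, password));
            lc.login();
        } catch (LoginException e) {
            throw new ServletException("JAAS login to domain " + DOMAIN + " failed", e);
        }

        try {
            // Struts action -> new InitialContext() -> EJB home lookup/create now run
            // with the caller's identity associated with this worker thread.
            chain.doFilter(request, response);
        } finally {
            // Always clear the association. Without this the worker thread keeps the
            // identity, and the next request it happens to serve would run as this user.
            try {
                lc.logout();
            } catch (LoginException ignored) {
                // Best effort: there is nothing sensible left to do for this request.
            }
        }
    }
}
```

Map the filter in web.xml with a <filter-mapping> on the URL patterns that reach EJBs (or /*). Two caveats a practitioner would weigh: because the "Camp" domain stacks DatabaseServerLoginModule, every request re-runs the principalsQuery and rolesQuery against PostgresDS, and the cleartext password has to be kept in the session for that to work. The declarative alternative avoids both: declare <security-domain>java:/jaas/Camp</security-domain> in jboss-web.xml and a <login-config> (FORM or BASIC) with <security-constraint>s in web.xml, so that Tomcat's JBoss realm authenticates the user once and the container propagates the caller identity to the EJB tier on every request without any LoginContext code in the web application.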