3 Replies Latest reply on Jun 7, 2005 8:50 PM by monowai

Sorry, but another prinicpal propegation issue

monowai May 25, 2005 1:02 AM

I hate to type this, but I?m having issues with JAAS caller principal propagation.

For what it?s worth, I am running 3.2.6 with a DatabaseLoginModule configured. I added the ClientLoginModule bit after reading some of the other posts here. Needless to say, I've tried removing and relocating it.

<application-policy name = "fusion">
 <authentication>
 <login-module code = "org.jboss.security.auth.spi.DatabaseServerLoginModule"
 flag = "required">
 <module-option name="debug">true</module-option>
 <module-option name="password-stacking">useFirstPass</module-option>
 <module-option name="unauthenticatedIdentity">mikeh</module-option>
 <module-option name = "dsJndiName">java:/fusion</module-option>
 <module-option name = "principalsQuery">select Password from V_SYS_USER where UID=?</module-option>
 <module-option name = "rolesQuery">select Role, null from V_SYS_USER_ROLES where UID=?</module-option>
 </login-module>
 <login-module code = "org.jboss.security.ClientLoginModule" flag = "required"> </login-module>
 </authentication>
 </application-policy>

Basically, all my userID?s and Roles are working perfectly on the client side. I am happily authenticating via Jaas and can successfully check roles. All is well with the world in JSP land. My JSPs are secured by my security-domain and are using FORM based authentication.

The issue seems to be with propagating the authenticated Principal to the EJB world. I have my ejb-jar.xml entries set to

<security-identity><use-caller-identity/></security-identity>

?, but the container is always interpreting the caller as the ?unauthenticatedIdentity? as defined in my Login Module.

When

SecurityInterceptor:checkSecurityAssociation(Invocation mi)

is called, the principal is null. So by this stage I guess it hasn?t been able to obtain the <use-caller-identity>.

When the container gets around to

JaasSecurityManager: doesUserHaveRole()
SubjectActions.getActiveSubject()

returns the subject for the ?unauthenticatedIdentity? and all it?s associated roles. Authentication definitely works but only because an unauthenticatedIdentity has been supplied. If I remove it from login-conf.xml, then I can?t log in to my app, likewise if I remove critical roles. I?m sure I shouldn?t have to delve so deep in to the bowels of JBOSS to get this configured right?

I have read Chapter 8 and every post that seemed vaguely related to this issue (of which there are many!). But call me thick, it seems 2 steps forward 1 step back.

Any and all pointers gratefully accepted.

Thx
Mike

1. Re: Sorry, but another prinicpal propegation issue

starksm64 Jun 4, 2005 9:00 AM (in response to monowai)

There is no point to including the ClientLoginModule in the server login-config.xml as every context that performs authentication propagates the associated security context. Most likely you are not under a secured resource path in the web app and there is no security context to propagate.
Actions
2. Re: Sorry, but another prinicpal propegation issue

monowai Jun 5, 2005 9:31 PM (in response to monowai)

Cheers Scott. You are of course correct. My misunderstanding about Form Based Authentication (RTFM!).

Interestingly once I got past this, the first call to any secured EJB would generate an insufficient permissions for principal [mikeh] error to occur. A second call to the EJB container and everything is fine from that point on. I was logging out the Caller Principal in the EJB, and it was correct each time. Seems to be some JBOSS caching issue of credentials for the caller?

I assume this is a 3.2.6 issue? A quick scan of the forums reveals an issue with second calls to EJB's under v 4.0.2.
Actions
3. Re: Sorry, but another prinicpal propegation issue

monowai Jun 7, 2005 8:50 PM (in response to monowai)

To answer my own question, it seems that removing the second login-module eliminated this issue.
Actions

Go to original post