8 Replies Latest reply on Aug 1, 2005 7:43 PM by mrmo

    Using JAAS in a Servlet? No Principal propagation?!

    mrmo

      Well, I'm working on this small test app:

      Basically I have a secured SessionBean I'd like to call.
      Now I have my Servlet set up to have

      lc = new LoginContext(d,new UsernamePasswordHandler(u,p.toCharArray()));

      after that I do something like:
      TestUtil.getLocalHome().create();

      I get a SecurityException, because I do not have the required roles.
      To the bean I seem to be guest, which is the fallback account, and the one I
      logged in with was root.

      I did verify that my login did work and contained all the required roles.
      So, have I missed something?

      here's the code

      import java.io.IOException;
      import javax.ejb.CreateException;
      import javax.ejb.FinderException;
      import javax.naming.NamingException;
      import javax.security.auth.login.LoginContext;
      import javax.security.auth.login.LoginException;
      import javax.servlet.ServletException;
      import javax.servlet.http.HttpServlet;
      import javax.servlet.http.HttpServletRequest;
      import javax.servlet.http.HttpServletResponse;
      import org.jboss.security.auth.callback.UsernamePasswordHandler;

      public class StubTestServlet extends HttpServlet {

          protected void doGet(HttpServletRequest req, HttpServletResponse resp)
                  throws ServletException, IOException {
              LoginContext lc = null;
              boolean loggedIn = false;
              resp.setContentType("text/html");
              resp.getWriter().println("<html><head><title>Stub Test</title></head><body>");
              resp.getWriter().println("<h1>JAAS / ACL Test</h1>");
              try {
                  // LOGIN: explicit JAAS login against the "domain" configuration
                  try {
                      lc = new LoginContext("domain",
                              new UsernamePasswordHandler("root", "password".toCharArray()));
                      lc.login();
                      loggedIn = true;
                      // Call the secured session bean while the login is in effect
                      TestUtil.getLocalHome().create();
                  } catch (LoginException e) {
                      System.out.println("login Failed");
                  } finally {
                      // Always drop the identity again, even if create() threw:
                      // the security association is bound to this (pooled) request thread
                      if (loggedIn) {
                          lc.logout();
                      }
                  }
              } catch (CreateException e) {
                  e.printStackTrace(resp.getWriter());
              } catch (NamingException e) {
                  e.printStackTrace(resp.getWriter());
              } catch (FinderException e) {
                  e.printStackTrace(resp.getWriter());
              } catch (Exception e) {
                  e.printStackTrace(resp.getWriter());
              }
              resp.getWriter().println("</body></html>");
          }
      }
      


      kindest regards,
      Moritz Angermann

        • 1. Re: Using JAAS in a Servlet? No Principal propagation?!
          mrmo

          Ohh forgot: I'm using 4.0.2+jbas-1875-patch

          kindest regards,
          Moritz Angermann

          • 2. Re: Using JAAS in a Servlet? No Principal propagation?!
            tcherel


            There are tons of threads on this subject in the forum.

            If you are doing your own JAAS login in your servlet code, you will need to make sure that ClientLoginModule is part of the JAAS configuration you are using ("domain" according to your code below) for the propagation to happen.

            But you also need to realize that you will have to do the JAAS login at every request if you write it by yourself.

            It is much better to let the container do the authentication for you (using BASIC or FORM based authentication for your web app) as it will associate the security context with the HTTP session.

            Thomas
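The container-managed route Thomas recommends, as an added example that is not code from the thread or from JBoss: a dispatch servlet that never touches LoginContext. It assumes web.xml declares a FORM or BASIC login-config plus a security-constraint covering this servlet's URL, and that jboss-web.xml names the same security domain as the EJBs, so the container has already authenticated the caller and JBoss propagates that identity to the bean call. DispatchServlet, REQUIRED_ROLE, the action names and the role names are made up for this example; TestUtil is the poster's own helper.

```java
import java.io.IOException;
import java.util.HashMap;
import java.util.Map;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

/**
 * Dispatch servlet relying on container-managed (FORM/BASIC) authentication.
 * No LoginContext here: the container authenticated the user against the web
 * application's security domain and keeps that identity on the HTTP session;
 * JBoss propagates it to secured EJBs on every request made from this thread.
 * (Example code; raw collections keep it JDK 1.4 compatible for JBoss 4.0.x.)
 */
public class DispatchServlet extends HttpServlet {

    /** action name -> role the caller must hold (constructed for this example). */
    private static final Map REQUIRED_ROLE = new HashMap();
    static {
        REQUIRED_ROLE.put("post", "author");
        REQUIRED_ROLE.put("delete", "admin");
        REQUIRED_ROLE.put("view", null);          // anonymous is fine
    }

    protected void doGet(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        String action = req.getParameter("action");
        // Only known actions are accepted, which also keeps `action` safe to echo
        if (action == null || !REQUIRED_ROLE.containsKey(action)) {
            resp.sendError(HttpServletResponse.SC_NOT_FOUND);
            return;
        }
        String role = (String) REQUIRED_ROLE.get(action);
        if (role != null) {
            // Defence in depth: the <security-constraint> in web.xml should already
            // have forced a login, but the action -> role mapping lives here.
            if (req.getUserPrincipal() == null) {
                resp.sendError(HttpServletResponse.SC_UNAUTHORIZED);
                return;
            }
            if (!req.isUserInRole(role)) {
                resp.sendError(HttpServletResponse.SC_FORBIDDEN);
                return;
            }
        }
        try {
            // The secured session bean sees the same principal and roles the
            // container established. A SecurityException here means the bean's
            // method permissions or its security domain disagree with the web tier.
            TestUtil.getLocalHome().create();
            String who = req.getUserPrincipal() == null
                    ? "anonymous" : req.getUserPrincipal().getName();
            resp.setContentType("text/html");
            resp.getWriter().println("<p>" + action + " as " + who + "</p>");
        } catch (SecurityException e) {
            resp.sendError(HttpServletResponse.SC_FORBIDDEN);
        } catch (Exception e) {
            throw new ServletException(e);
        }
    }
}
```

The point of the example is what is absent: no login, no logout, no credential in the servlet. The identity lives on the session and is re-associated by the container for each request, which is exactly the per-request work Thomas warns you would otherwise have to do by hand.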

            • 3. Re: Using JAAS in a Servlet? No Principal propagation?!
              mrmo

              Thanks for the answer, Thomas.
              Well, I tried to look it all up, running Google queries all over the place... hmm...
              What I wanted was:

              #1 login
              #2 call methods
              #3 logout

              so the natural way seemed to be to use the JAAS login when the user arrives and log him out once he goes.

              The thing I wanted to implement was some soft user tracking,
              so the user has no password and is identified by his id (stored in a cookie) only. I know I have to watch out for buggy browsers and XSS. But this is not supposed to be implemented in any *harmful* cases anyway.

              Thanks for the answer, I'll look into BASIC and FORM based auth.

              It would be nice though if you could elaborate on that ClientLoginModule part a bit or point me to a thread I did not find.

              kindest regards,
              Moritz Angermann

              • 4. Re: Using JAAS in a Servlet? No Principal propagation?!
                tcherel

                Basically, your servlet is a client to your EJBs.
                With JBoss, if a client is doing an explicit JAAS login, the established security context is propagated to the backend EJBs only if you have the JBoss ClientLoginModule as part of your JAAS configuration.

                I am assuming that you edited the login-config.xml of JBoss to create your "domain" JAAS configuration.
                This configuration needs to look like this:

                domain {
                    ...... // Any other login module that you might require.
                    org.jboss.security.ClientLoginModule required;
                };

                The ClientLoginModule at the end of your JAAS module stack will basically make sure that the security context is propagated to backend EJBs.

                In your scenario:

                #1 login
                #2 call methods
                #3 logout

                If this is all one single HTTP request, then what you are doing is fine.
                If #2 must span multiple HTTP requests, it is definitely better to let the container (Tomcat/JBoss) do the authentication for you through BASIC or FORM based authentication.

                Thomas
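The single-request login, call, logout sequence, as an added example that is not from the thread or from JBoss: a helper that performs the explicit JAAS login against a stack ending in ClientLoginModule, checks that the identity actually reached the thread's security association before touching the bean, and logs out in a finally block. JaasScope, Action, runAs and createStubAs are names chosen here; org.jboss.security.SecurityAssociation.getPrincipal() is the JBoss 4.x accessor for the thread-bound principal that ClientLoginModule sets, and TestUtil is the poster's own helper.

```java
import java.security.Principal;
import javax.security.auth.login.LoginContext;
import javax.security.auth.login.LoginException;
import org.jboss.security.SecurityAssociation;
import org.jboss.security.auth.callback.UsernamePasswordHandler;

/**
 * Runs one unit of work under an explicit JAAS login and guarantees the
 * logout, so the caller identity never leaks to the next request served by
 * the same pooled servlet thread. Example code; JaasScope and Action are
 * names chosen for this example, not JBoss API.
 */
public final class JaasScope {

    /** The work to run while logged in. */
    public interface Action {
        Object run() throws Exception;
    }

    private JaasScope() {
    }

    public static Object runAs(String domain, String user, char[] password, Action action)
            throws Exception {
        LoginContext lc = new LoginContext(domain,
                new UsernamePasswordHandler(user, password));
        // ClientLoginModule.commit() binds user/password to the calling thread;
        // that binding is what the EJB container reads on the next invocation.
        lc.login();
        try {
            // Sanity check: the identity the EJB container will see must be the one
            // we just logged in with. If this fails, ClientLoginModule is missing
            // from the stack of `domain` (the symptom is an EJB call made as guest).
            Principal p = SecurityAssociation.getPrincipal();
            if (p == null || !user.equals(p.getName())) {
                throw new LoginException("security context not propagated for " + user
                        + " (thread sees " + p + "); is ClientLoginModule in '"
                        + domain + "'?");
            }
            return action.run();
        } finally {
            // Always undo the thread binding, even when the bean call throws.
            lc.logout();
        }
    }

    /** Usage: the poster's create() call, scoped to one login (example only). */
    public static Object createStubAs(String user, char[] password) throws Exception {
        return runAs("domain", user, password, new Action() {
            public Object run() throws Exception {
                return TestUtil.getLocalHome().create();   // secured bean, called as `user`
            }
        });
    }
}
```

The finally block is the part that matters for a servlet: inside the server the association is per thread and request threads are pooled, so a create() that throws after login() and skips logout() leaves the thread carrying the root credential for whichever request it serves next.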

                • 5. Re: Using JAAS in a Servlet? No Principal propagation?!
                  mrmo

                  Thank you very much.
                  I'm writing a blog system (just for fun and learning).
                  So I'll have my dispatch servlet which will do all requests that need authorization
                  and care for login only in case the required actions need auth.

                  Btw: is there a way I can ship my login-config with my ear? Or do I have to edit the one in server/default/config over and over?

                  Another question, though not completely JAAS related.
                  I have my setup of a User-Group-Role database schema with CMP EJBs...
                  Now say I have 3 projects. I could a) extend them to include the 'domain' field, or b) put them into different tables. But JBoss doesn't allow me to have 2 ears with the same beans. :( So I must name them UserBean or something.

                  thank you.
                  kindest regards,
                  Moritz Angermann

                  • 6. Re: Using JAAS in a Servlet? No Principal propagation?!
                    tcherel


                    For the login config, take a look at http://wiki.jboss.org/wiki/Wiki.jsp?page=DynamicLoginConfig.
                    The JBossSX Wiki pages are actually a good JBoss security resource for documentation.

                    Not sure I understand the second question. I am not an Entity bean expert, but I will be surprised if you can not use the same entity beans between two ears (but maybe you can't, I really do not know).

                    Thomas

                    • 7. Re: Using JAAS in a Servlet? No Principal propagation?!
                      mrmo

                      Thanks again, Thomas. And sorry to bug you once more :/

                      Well, I now have the DynamicLoginConfig set up and my login-config.xml too.

                      login-config.xml

                      <?xml version='1.0'?>
                      <!DOCTYPE policy PUBLIC
                        "-//JBoss//DTD JBOSS Security Config 3.0//EN"
                        "http://www.jboss.org/j2ee/dtd/security_config.dtd">

                      <policy>
                        <!-- Security domain for mog/moog/stub -->
                        <application-policy name="stub">
                          <authentication>
                            <!-- Authenticates against the mogDS datasource; unknown callers become "guest" -->
                            <login-module code="org.jboss.security.auth.spi.DatabaseServerLoginModule" flag="required">
                              <module-option name="unauthenticatedIdentity">guest</module-option>
                              <module-option name="dsJndiName">java:/mogDS</module-option>
                              <module-option name="principalsQuery">SELECT password FROM mooguser WHERE name=?</module-option>
                              <!-- Roles reach a user either directly (user_role) or through a group
                                   (user_group/group_role); the second column is the role group name,
                                   which must be 'Roles' for the roles to count for authorization -->
                              <module-option name="rolesQuery">SELECT r.name, 'Roles' FROM moogrole r
                                LEFT JOIN group_role gr ON r.id=gr.role_id
                                LEFT JOIN mooggroup g ON gr.group_id=g.id
                                LEFT JOIN user_group ug ON g.id=ug.group_id
                                LEFT JOIN user_role ur ON r.id=ur.role_id
                                LEFT JOIN mooguser u ON (ug.user_id=u.id OR ur.user_id=u.id)
                                WHERE u.name = ?</module-option>
                            </login-module>
                            <!-- Propagates the authenticated identity to EJB calls made from the servlet -->
                            <login-module code="org.jboss.security.ClientLoginModule" flag="required"></login-module>
                          </authentication>
                        </application-policy>
                      </policy>


                      And I know for sure it's loaded,
                      because I can run lc.login from within my servlet and get a valid subject back.

                      Now whenever I try to access a bean I get:
                      [UsersRolesLoginModule] Failed to load users/passwords/role files
                      java.io.IOException: No properties file: users.properties or defaults: defaultUsers.properties found

                      So somehow it's not picking up my domain :( // the UsersRolesLoginModule is the one that is in the server login-config.xml

                      kindest regards,
                      Moritz Angermann

                      • 8. Re: Using JAAS in a Servlet? No Principal propagation?!
                        mrmo

                        WHEEEE! It worked!
                        Wow, that was tough ;)

                        Thanks a ton, Thomas.

                        My mistake was a spelling error in the jboss.xml.

                        kindest regards,
                        Moritz Angermann
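For the jboss.xml check the last reply points at, an added example (not the poster's files) of how the names must line up: the "stub" application-policy from the login-config.xml in reply 7, the EJB jar's META-INF/jboss.xml and, when the container does the authentication, the war's WEB-INF/jboss-web.xml. The java:/jaas/ prefix is what JBoss 4 expects in both deployment descriptors; the domain name stub comes from the thread, the file paths are the standard JBoss 4 locations.

```xml
<!-- META-INF/jboss.xml in the EJB jar: binds all beans in the jar to the "stub" policy.
     The name after java:/jaas/ must match <application-policy name="stub"> in
     login-config.xml exactly. A typo here does not fail deployment; JBoss falls back
     to the "other" policy, whose UsersRolesLoginModule then complains about missing
     users.properties, which is the log line shown in reply 7. -->
<jboss>
  <security-domain>java:/jaas/stub</security-domain>
</jboss>

<!-- WEB-INF/jboss-web.xml in the war: the web tier must name the same domain when the
     container (FORM/BASIC) authenticates, otherwise the servlet's identity is
     established against one policy and the EJB call is checked against another. -->
<jboss-web>
  <security-domain>java:/jaas/stub</security-domain>
</jboss-web>
```

The check, then, is three strings that must be byte-for-byte identical: the policy name, the suffix of the EJB jar's security-domain, and the suffix of the war's security-domain.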