1. Re: standalone EJB client and JASS
jaikiran Sep 16, 2005 5:29 AM (in response to wats)

Hi,
You can use the "client-login" LoginModule for the JAAS login. As you mention that this is a standalone client accessing an EJB, you would require a file (say myLogin.conf) containing the login modules as follows:

    client-login {
        org.jboss.security.ClientLoginModule required;
    };

    other {
        org.jboss.security.auth.spi.UsersRolesLoginModule required;
    };
In your code, you will do a JAAS login as follows:

    final String authFile = "myLogin.conf";
    System.setProperty("java.security.auth.login.config", authFile);
    //System.setProperty("java.security.auth.login.config","jaas.crm");
    MyCallbackHandler handler = new MyCallbackHandler(userName, password);
    LoginContext lc = new LoginContext("client-login", handler);
    lc.login();
You would require a callback handler which will verify the username and password:

    import java.io.IOException;
    import javax.security.auth.callback.Callback;
    import javax.security.auth.callback.CallbackHandler;
    import javax.security.auth.callback.NameCallback;
    import javax.security.auth.callback.PasswordCallback;
    import javax.security.auth.callback.UnsupportedCallbackException;

    public class MyCallbackHandler implements CallbackHandler {

        /**
         * Username which will be set in the NameCallback, when NameCallback is handled
         */
        private String username;

        /**
         * Password which will be set in the PasswordCallback, when PasswordCallback is handled
         */
        private String password;

        /**
         * Constructor
         * @param username The username
         * @param password The password
         */
        public MyCallbackHandler(String username, String password) {
            this.username = username;
            this.password = password;
        }

        /**
         * @param callbacks Instances of Callbacks
         * @throws IOException IOException
         * @throws UnsupportedCallbackException If Callback is other than NameCallback or PasswordCallback
         */
        public void handle(Callback[] callbacks) throws IOException, UnsupportedCallbackException {
            for (int i = 0; i < callbacks.length; i++) {
                if (callbacks[i] instanceof NameCallback) {
                    // if the Callback is a NameCallback, then set its name to 'username'
                    NameCallback nc = (NameCallback) callbacks[i];
                    nc.setName(username);
                } else if (callbacks[i] instanceof PasswordCallback) {
                    // if the Callback is a PasswordCallback, then set its password to 'password'
                    PasswordCallback pc = (PasswordCallback) callbacks[i];
                    pc.setPassword(password.toCharArray());
                } else {
                    // if Callback is NOT NameCallback or PasswordCallback then throw UnsupportedCallbackException
                    throw new UnsupportedCallbackException(callbacks[i], "Unrecognized Callback");
                }
            }
        }
    }
2. Re: standalone EJB client and JASS
wats Sep 16, 2005 6:33 AM (in response to wats)

Hello,
Thanks jaikiran for your help, but the solution you posted is not what I was looking for. I was using similar code in my app (ClientLoginModule etc.) and also tested yours, but the authentication seems to work every time, whatever the login/pass values are. If the login information is not valid there is an Authentication failure exception, but only after I try to access EJB methods. I would rather that the exception occurred after:

    lc.login();

Is there an easy way to accomplish that?
I'm using DynamicLoginConfig with DatabaseServerLoginModule on the server
ehelp-login-service.xml

    <mbean code="org.jboss.security.auth.login.DynamicLoginConfig"
           name="ehelp:service=DynamicLoginConfig">
      <attribute name="AuthConfig">ehelp-login-config.xml</attribute>
      <depends optional-attribute-name="LoginConfigService">
        jboss.security:service=XMLLoginConfig
      </depends>
      <depends optional-attribute-name="SecurityManagerService">
        jboss.security:service=JaasSecurityManager
      </depends>
    </mbean>
ehelp-login-config.xml

    <policy>
      <application-policy name="ehelp">
        <authentication>
          <login-module code="org.jboss.security.auth.spi.DatabaseServerLoginModule" flag="required">
            <module-option name="unauthenticatedIdentity">VIEWER</module-option>
            <module-option name="dsJndiName">java:/PostgresDS</module-option>
            <module-option name="principalsQuery">
              select hashedpassword from EMPLOYEES where login=?
            </module-option>
            <module-option name="rolesQuery">
              select privelages, 'Roles' from EMPLOYEES where login=?
            </module-option>
            <module-option name="hashAlgorithm">MD5</module-option>
            <module-option name="hashEncoding">BASE64</module-option>
          </login-module>
        </authentication>
      </application-policy>
    </policy>
Thanks in advance...
Martin.
3. Re: standalone EJB client and JASS
jaikiran Sep 16, 2005 6:51 AM (in response to wats)

Ya, you are right, that code won't be working for the requirement you are mentioning.

"wats" wrote:
I tried using DatabaseServerLoginModule, but it seems it is not able to access the DataSource in the application server.

What's the exact problem you are facing while using DatabaseServerLoginModule? Can you post relevant extracts from your JAAS login code?
4. Re: standalone EJB client and JASS
wats Sep 16, 2005 7:16 AM (in response to wats)

When I try to use DatabaseServerLoginModule defined in the following local myLogin.conf file

    ehelp {
        org.jboss.security.auth.spi.DatabaseServerLoginModule required
            dsJndiName="java:/PostgresDS"
            principalsQuery="select hashedpassword from EMPLOYEES where login=?"
            rolesQuery="select privelages, 'Roles' from EMPLOYEES where login=?"
            unauthenticatedIdentity=VIEWER
            hashAlgorithm=MD5
            hashEncoding=BASE64
            ;
    };

the following exception occurs when executing "lc.login();"

    javax.security.auth.login.LoginException: javax.naming.NameNotFoundException: PostgresDS not bound
Now, I'm not sure whether it is allowed to access JCA DataSource outside of the application server at all...
Martin.
5. Re: standalone EJB client and JASS
jaikiran Sep 17, 2005 7:38 AM (in response to wats)

Datasources are not available outside the virtual machine.
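
Added example, not part of the thread and not JBoss code: ClientLoginModule only records the credentials on the client, and the server-side DatabaseServerLoginModule checks them on the first EJB invocation, so one way to get the failure at login time is to follow lc.login() with a cheap call to a secured EJB method. The class name EagerLogin and the probe parameter are hypothetical; "client-login" is the entry name from the myLogin.conf posted above.

```java
import java.util.concurrent.Callable;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.login.FailedLoginException;
import javax.security.auth.login.LoginContext;
import javax.security.auth.login.LoginException;

/** Hypothetical helper (not JBoss code): makes bad credentials fail at login time. */
public final class EagerLogin {

    private EagerLogin() { }

    /**
     * @param handler supplies the username/password, e.g. MyCallbackHandler from the thread
     * @param probe   assumption: a cheap call to any secured EJB method, such as
     *                home.create(); the server authenticates the caller on this call
     * @return a LoginContext whose credentials the server has accepted
     * @throws LoginException if the login or the probe call fails
     */
    public static LoginContext login(CallbackHandler handler, Callable<?> probe)
            throws LoginException {
        // "client-login" is the ClientLoginModule entry in myLogin.conf. This
        // step only stores the credentials for later invocations, so it
        // succeeds for any username/password.
        LoginContext lc = new LoginContext("client-login", handler);
        lc.login();
        try {
            // First remote call: the server-side login module (here
            // DatabaseServerLoginModule) checks the credentials now.
            probe.call();
            return lc;
        } catch (Exception e) {
            // Drop the rejected credentials so later calls cannot reuse them.
            lc.logout();
            // The probe can also fail for non-security reasons (network, JNDI);
            // keep the cause so the caller can tell them apart.
            FailedLoginException fle =
                    new FailedLoginException("Server rejected the probe call: " + e);
            fle.initCause(e);
            throw fle;
        }
    }
}
```

The database lookup stays on the server, where java:/PostgresDS is bound, so the client never needs DatabaseServerLoginModule in its own login configuration.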