5 Replies Latest reply on Sep 17, 2005 7:38 AM by jaikiran

    standalone EJB client and JASS

    wats
    wats Sep 15, 2005 6:33 PM

      Hello,

      I'm developing a simple standalone EJB client. I was trying to set up security using JASS, but I encountered some problems with authorization. I tried using DatabaseServerLoginModule, but it seems it is not able to acces the DataSource in the application server.
      So my question is - is there a simple way to perform authorization from a standalone client, or do I have to create my own version of DatabaseServerLoginModule which connects to a database directly ?

      I would be very grateful, if someone could give me a hint on this.
      Martin.

      • 2821 Views
      • Tags:
        • 1. Re: standalone EJB client and JASS
          jaikiran
          jaikiran Sep 16, 2005 5:29 AM (in response to wats)

          Hi,
          You can use the "client-login" LoginModule for the JAAS login. As you mention, that this is a standalone client accessing an ejb, you would require a file(say myLogin.conf) containing the login modules as follows:

          client-login{
 org.jboss.security.ClientLoginModule required;
 };

 other{
 org.jboss.security.auth.spi.UsersRolesLoginModule required;
 };


          In your code, you will do a JAAS login as follows: 


          final String authFile = "myLogin.conf";
 System.setProperty("java.security.auth.login.config", authFile);
 //System.setProperty("java.security.auth.login.config","jaas.crm");
 MyCallbackHandler handler = new MyCallbackHandler(userName,password);
 LoginContext lc = new LoginContext("client-login",handler);
 lc.login();


          You would require a callback handler which will verify the username and password: 

          public class MyCallbackHandler implements CallbackHandler {

 /**
 * Username which will be set in the NameCallback, when NameCallback is handled
 */
 private String username;

 /**
 * Password which will be set in the PasswordCallback, when PasswordCallback is handled
 */
 private String password;

 /**
 * Constructor
 * @param username The username
 * @param password The password
 */
 public MyCallbackHandler(String username, String password) {
 this.username = username;
 this.password = password;
 }

 /**
 * @param callbacks Instances of Callback<i>s</i>
 * @throws IOException IOException
 * @throws UnsupportedCallbackException If Callback is other than NameCallback or PasswordCallback
 */
 public void handle(Callback[] callbacks) throws IOException, UnsupportedCallbackException {

 for (int i = 0; i < callbacks.length; i++) {
 if (callbacks instanceof NameCallback) {
 //if the Callback is for NameCallback, then set the name of the NameCallback to 'userName'
 NameCallback nc = (NameCallback) callbacks;
 nc.setName(username);

 } else if (callbacks instanceof PasswordCallback) {
 //if the Callback is for PasswordCallback, then set the name of the PasswordCallback to 'password'
 PasswordCallback pc = (PasswordCallback) callbacks;
 pc.setPassword(password.toCharArray());

 } else {
 //if Callback is NOT NameCallback or PasswordCallback then throw UnsupportedCallbackException
 throw new UnsupportedCallbackException(callbacks, "Unrecognized Callback");
 }
 }
 }
 }




            • Actions
          • 2. Re: standalone EJB client and JASS
            wats
            wats Sep 16, 2005 6:33 AM (in response to wats)

            Hello,

            Thanks jaikiran for your help, but the solution you posted is not what I was looking for. I was using similiar code in my app (ClientLoginModule etc.) and also tested yours, but the authentication seems to work every time, whatever the login/pass values are. If the login information is not valid there is an Authentication failure exception, but only after I try to access EJB methods. I would rather that the exception occured after:

            lc.login();


            Is there an easy way to accomplish that ?


            I'm using DynamicLoginConfig with DatabaseServerLoginModule on the server

            ehelp-login-service.xml 
             <mbean code="org.jboss.security.auth.login.DynamicLoginConfig"
 name="ehelp:service=DynamicLoginConfig">
 <attribute name="AuthConfig">ehelp-login-config.xml</attribute>
 <depends optional-attribute-name="LoginConfigService">
 jboss.security:service=XMLLoginConfig
 </depends>
 <depends optional-attribute-name="SecurityManagerService">
 jboss.security:service=JaasSecurityManager
 </depends>
 </mbean>


            ehelp-login-config.xml 
            <policy>
 <application-policy name="ehelp">
 <authentication>
 <login-module code="org.jboss.security.auth.spi.DatabaseServerLoginModule"
 flag="required">
 <module-option name="unauthenticatedIdentity">VIEWER</module-option>
 <module-option name="dsJndiName">java:/PostgresDS</module-option>
 <module-option name="principalsQuery">
 select hashedpassword from EMPLOYEES where login=?
 </module-option>
 <module-option name="rolesQuery">
 select privelages, 'Roles' from EMPLOYEES where login=?
 </module-option>
 <module-option name="hashAlgorithm">MD5</module-option>
 <module-option name="hashEncoding">BASE64</module-option>
 </login-module>
 </authentication>
 </application-policy>
</policy>


            Thanks in advance...
            Martin.

              • Actions
            • 3. Re: standalone EJB client and JASS
              jaikiran
              jaikiran Sep 16, 2005 6:51 AM (in response to wats)

              Ya, you are right, that code wont be working for the requirement you are mentioning.

              "wats" wrote:
              I tried using DatabaseServerLoginModule, but it seems it is not able to acces the DataSource in the application server.


              Whats the exact problem you are facing while using DatabaseServerLoginModule. Can you post relevant extracts from your jaas login code?

                • Actions
              • 4. Re: standalone EJB client and JASS
                wats
                wats Sep 16, 2005 7:16 AM (in response to wats)

                When I try to use DatabaseServerLoginModule defined in the following local myLogin.conf file

                ehelp {
org.jboss.security.auth.spi.DatabaseServerLoginModule required
dsJndiName="java:/PostgresDS"
principalsQuery="select hashedpassword from EMPLOYEES where login=?"
rolesQuery="select privelages, 'Roles' from EMPLOYEES where login=?"
unauthenticatedIdentity=VIEWER
hashAlgorithm=MD5
hashEncoding=BASE64
;
}


                the following exception occurs when executing "lc.login();" 

                javax.security.auth.login.LoginException: javax.naming.NameNotFoundException: PostgresDS not bound


                Now, I'm not sure whether it is allowed to access JCA DataSource outside of the application server at all...

                Martin.

                  • Actions
                • 5. Re: standalone EJB client and JASS
                  jaikiran
                  jaikiran Sep 17, 2005 7:38 AM (in response to wats)

                  Datasources are not available outside the virtual machine

                    • Actions