5 Replies Latest reply on Oct 25, 2005 11:48 AM by elkner

passwo

erik777 Oct 24, 2005 11:11 AM

I'm trying to get simple login to remote EJBs to work using the Duke example, putting the properties files in the EJB module.

The problem is that even though I set the Context.SECURITY_PRINCIPAL and Context.SECURITY_CREDENTIALS when obtaining the home inteface, a trace of org.jboss.security indicates that it sees the user id and password as null.

Here's the trace:

2005-10-24 10:45:10,387 TRACE [org.jboss.security.auth.login.XMLLoginConfigImpl] Begin getAppConfigurationEntry(nmsBusinessServices), size=8
2005-10-24 10:45:10,387 TRACE [org.jboss.security.auth.login.XMLLoginConfigImpl] End getAppConfigurationEntry(nmsBusinessServices), authInfo=AppConfigurationEntry[]:
[0]
LoginModule Class: org.jboss.security.auth.spi.UsersRolesLoginModule
ControlFlag: LoginModuleControlFlag: required
Options:
2005-10-24 10:45:10,387 TRACE [org.jboss.security.auth.spi.UsersRolesLoginModule] initialize
2005-10-24 10:45:10,387 TRACE [org.jboss.security.auth.spi.UsersRolesLoginModule] findResource: null
2005-10-24 10:45:10,387 TRACE [org.jboss.security.auth.spi.UsersRolesLoginModule] Properties file=jar:file:/home/esliman/programs/jboss/jboss-4.0.2_newtest/server/default/tmp/deploy/tmp3568nmsBusinessServices.ear-contents/nmsProviderServiceEJBs.jar!/users.properties, defaults=null
2005-10-24 10:45:10,388 DEBUG [org.jboss.security.auth.spi.UsersRolesLoginModule] Loaded properties, users=[duke, java]
2005-10-24 10:45:10,388 TRACE [org.jboss.security.auth.spi.UsersRolesLoginModule] findResource: null
2005-10-24 10:45:10,388 TRACE [org.jboss.security.auth.spi.UsersRolesLoginModule] Properties file=jar:file:/home/esliman/programs/jboss/jboss-4.0.2_newtest/server/default/tmp/deploy/tmp3568nmsBusinessServices.ear-contents/nmsProviderServiceEJBs.jar!/roles.properties, defaults=null
2005-10-24 10:45:10,388 DEBUG [org.jboss.security.auth.spi.UsersRolesLoginModule] Loaded properties, users=[duke, java, java.CallerPrincipal, duke.CallerPrincipal]
2005-10-24 10:45:10,388 TRACE [org.jboss.security.auth.spi.UsersRolesLoginModule] login
2005-10-24 10:45:10,388 TRACE [org.jboss.security.auth.spi.UsersRolesLoginModule] Authenticating as unauthenticatedIdentity=null
2005-10-24 10:45:10,389 DEBUG [org.jboss.security.auth.spi.UsersRolesLoginModule] Bad password for username=null
2005-10-24 10:45:10,389 TRACE [org.jboss.security.auth.spi.UsersRolesLoginModule] abort
2005-10-24 10:45:10,389 TRACE [org.jboss.security.plugins.JaasSecurityManager.nmsBusinessServices] Login failure
javax.security.auth.login.FailedLoginException: Password Incorrect/Password Required
 at org.jboss.security.auth.spi.UsernamePasswordLoginModule.login(UsernamePasswordLoginModule.java:166)
 at org.jboss.security.auth.spi.UsersRolesLoginModule.login(UsersRolesLoginModule.java:136)

You can see from the trace that it successfully loads the properties files. The "Authenticating as unauthenticatedIdentity=null" output also indicates that the username and password are null, as the source code shows that this is what triggers this output:

 if( username == null && password == null )
 {
 identity = unauthenticatedIdentity;
 super.log.trace("Authenticating as unauthenticatedIdentity="+identity);
 }

1. Re: Simple users/roles login to EJBs not passing username/pa

erik777 Oct 24, 2005 4:22 PM (in response to erik777)

I got a little further when I found this wiki page:

http://www.jboss.org/wiki/Wiki.jsp?page=LoginInitialContextFactory

The question is, what exactly does SECURITY_PROTOCOL map to? No matter what I try, I get the following:

java.lang.SecurityException: Unable to locate a login configuration
 at com.sun.security.auth.login.ConfigFile.<init>(ConfigFile.java:97)
 at sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method)
 at sun.reflect.NativeConstructorAccessorImpl.newInstance(NativeConstructorAccessorImpl.java:39)
 at sun.reflect.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:27)
 at java.lang.reflect.Constructor.newInstance(Constructor.java:494)
 at java.lang.Class.newInstance0(Class.java:350)
 at java.lang.Class.newInstance(Class.java:303)
 at javax.security.auth.login.Configuration$3.run(Configuration.java:216)
 at java.security.AccessController.doPrivileged(Native Method)
 at javax.security.auth.login.Configuration.getConfiguration(Configuration.java:210)
 at javax.security.auth.login.LoginContext$1.run(LoginContext.java:237)
 at java.security.AccessController.doPrivileged(Native Method)
 at javax.security.auth.login.LoginContext.init(LoginContext.java:234)
 at javax.security.auth.login.LoginContext.<init>(LoginContext.java:403)
 at org.jboss.security.jndi.LoginInitialContextFactory.getInitialContext(LoginInitialContextFactory.java:69)
 at javax.naming.spi.NamingManager.getInitialContext(NamingManager.java:667)
 at javax.naming.InitialContext.getDefaultInitCtx(InitialContext.java:247)
 at javax.naming.InitialContext.init(InitialContext.java:223)
 at javax.naming.InitialContext.<init>(InitialContext.java:197)
 at com.domain.services.JNDIClientUtil.lookupHome(JNDIClientUtil.java:22)

2. Re: Simple users/roles login to EJBs not passing username/pa

tim.cockle Oct 25, 2005 9:12 AM (in response to erik777)

Sounds like you need to set up the jaas.conf / auth.conf files. I have not used this example though so can't be of much help.

you should have one in client/auth.conf

I had this problem when setting up a remote client I found this helpfull:
http://www.awprofessional.com/articles/article.asp?p=394898

Good luck

Tim
Actions
3. Re: Simple users/roles login to EJBs not passing username/pa

erik777 Oct 25, 2005 10:21 AM (in response to erik777)
Thanks a million. That pushed me closer. I created a jaas.conf containing:

JaasJNDI { com.sun.security.auth.module.JndiLoginModule required; };

and confirmed in debug mode that it loads the configuration.

It gets past the point where it threw an exception trying to extablish a context in org.jboss.security.jndi.LoginInitialContextFactory.java because it couldn't find a configuration,

LoginContext lc = new LoginContext(protocol, handler);

and now fails on the next line where it tries to login:

lc.login();

with this exception:

javax.security.auth.login.LoginException: Error: Unable to locate JNDI user provider

Although I have trace enabled in JBoss for org.jboss.security, nothing is output when this happens, so I'm not sure if it actually tries to talk to the server at this point.

The JNDI URL for the home interface is correct, as it succeeds to invoke the session beans that don't require authorized users of roles when the JNDI SECURITY_ parameters are not supplied or do not prevent creation of the home interface.
Actions
4. Re: Simple users/roles login to EJBs not passing username/pa

erik777 Oct 25, 2005 10:35 AM (in response to erik777)
WOW! I got it. Thanks to the post of tineq I noted that he was using

p.put(Context.INITIAL_CONTEXT_FACTORY, "org.jboss.security.jndi.JndiLoginInitialContextFactory");

whereas I was using org.jboss.security.jndi.LoginInitialContextFactory per the recommendation of

http://wiki.jboss.org/wiki/Wiki.jsp?page=LoginInitialContextFactory

What do you know, I just plugged and found a

http://wiki.jboss.org/wiki/Wiki.jsp?page=JndiLoginInitialContextFactory

page!

With this class, you don't need to use Context.SECURITY_PROTOCOL or setup jaas.conf on the client. It's as easy as it looks.

Both classes are in the 4.0.2 source. I'm not sure at this poitn whe you'd use the class without the Jndi prefix, but it's looking more like a base class rather than a class you'd want to use directly. Perhaps it's needed for some things like LDAP.

Anyway, thanks for your help tim.cockle; and your inadvertant help tineq! Hopefully someone else can benefit from the this thread.
Actions

5. Re: Simple users/roles login to EJBs not passing username/pa

elkner Oct 25, 2005 11:48 AM (in response to erik777)

I use usually a simpler approach:

public static InitialContext getInitialContext(...)
 throws NamingException
 {
 String trailer = ("http".equals(proto) || "https".equals(proto))
 ? "/invoker/JNDIFactory"
 : null;
 URI uri = null;
 try {
 uri = new URI(proto, null, host, port, trailer, null, null);
 } catch (Exception e) {
 log.warn(e.getLocalizedMessage());
 if (log.isDebugEnabled()) {
 log.debug("getPreferredContextValues", e);
 }
 }
 if (uri == null) {
 throw new IllegalArgumentException("invalid values");
 }
 String url = uri.getScheme() + "://" + uri.getHost() + ":" + uri.getPort();
 if (uri.getPath() != null && uri.getPath().length() > 0) {
 url += uri.getPath();
 }
 String factory = "org.jnp.interfaces.NamingContextFactory";
 if ("http".equals(uri.getScheme()) || "https".equals(uri.getScheme())) {
 factory = "org.jboss.naming.HttpNamingContextFactory";
 }
 Properties props = new Properties();
 // java.naming.factory.initial
 props.put(Context.INITIAL_CONTEXT_FACTORY, factory);
 // java.naming.factory.url.pkgs
 props.put(Context.URL_PKG_PREFIXES,
 "org.jboss.naming:org.jnp.interfaces");
 // java.naming.provider.url
 props.put(Context.PROVIDER_URL, url);
 // jnp.disableDiscovery
 props.put(JNP_DISCOVERY,
 !Misc.differentStrings(System.getProperty(JNP_DISCOVERY), "true"));
 return new InitialContext(props);
 }
...
 // login
 SecurityAssociation.setPrincipal(new SimplePrincipal(name));
 SecurityAssociation.setCredential(password);
 InitialContext ctx = getInitialContext(...);
...
 // logout
 SecurityAssociation.clear();

Go to original post