5 Replies Latest reply on Oct 31, 2005 5:24 PM by jh9999

    Form Authentication

    jh9999

      I would like to start by stating that I'm a beginner in JAAS security. I have read Mr. Stark's HOWTO and implemented the example with no problem using <auth-method>BASIC</auth-method>; however, when I changed the login-config to <auth-method>FORM</auth-method>, the Echo (EchoUser) role is no longer propagating to the echo method in the PublicSession EJB.

      Here is my code:

      web.xml

      ...
       <security-constraint>
         <web-resource-collection>
           <web-resource-name>Restricted</web-resource-name>
           <description>Declarative security tests</description>
           <url-pattern>/restricted/*</url-pattern>
           <http-method>HEAD</http-method>
           <http-method>GET</http-method>
           <http-method>POST</http-method>
           <http-method>PUT</http-method>
           <http-method>DELETE</http-method>
         </web-resource-collection>
         <auth-constraint>
           <role-name>Echo</role-name>
         </auth-constraint>
         <user-data-constraint>
           <description>no description</description>
           <transport-guarantee>NONE</transport-guarantee>
         </user-data-constraint>
       </security-constraint>

       <login-config>
         <auth-method>FORM</auth-method>
         <form-login-config>
           <form-login-page>/login.jsp</form-login-page>
           <form-error-page>/error.jsp</form-error-page>
         </form-login-config>
       </login-config>

       <security-role>
         <description>A user allowed to invoke echo methods</description>
         <role-name>Echo</role-name>
       </security-role>
      ...
      


      ejb-jar.xml
       <enterprise-beans>
         <session>
           <description>A trivial stateless session echo bean</description>
           <ejb-name>PublicSession</ejb-name>
           <home>org.jboss.docs.jaas.howto.SessionHome</home>
           <remote>org.jboss.docs.jaas.howto.Session</remote>
           <ejb-class>org.jboss.docs.jaas.howto.PublicSessionBean</ejb-class>
           <session-type>Stateless</session-type>
           <transaction-type>Container</transaction-type>
           <ejb-ref>
             <ejb-ref-name>ejb/PrivateSession</ejb-ref-name>
             <ejb-ref-type>Session</ejb-ref-type>
             <home>org.jboss.docs.jaas.howto.SessionHome</home>
             <remote>org.jboss.docs.jaas.howto.Session</remote>
             <ejb-link>PrivateSession</ejb-link>
           </ejb-ref>
           <security-role-ref>
             <role-name>EchoUser</role-name>
             <role-link>Echo</role-link>
           </security-role-ref>
           <security-identity>
             <run-as>
               <role-name>InternalUser</role-name>
             </run-as>
           </security-identity>
         </session>
      


      The problem is that in EJBServlet.java, request.isUserInRole("EchoUser") returns false instead of true, but when the authentication is BASIC it returns true.

      Here is a slice of the error stack:

      11:57:56,082 ERROR [SecurityInterceptor] Insufficient method permissions, principal=null, method=echo, interface=REMOTE, requiredRoles=[Echo], principalRoles=[]
      11:57:56,082 ERROR [LogInterceptor] EJBException in method: public abstract java.lang.String org.jboss.docs.jaas.howto.Session.echo(java.lang.String) throws java.rmi.RemoteException, causedBy:
      java.lang.SecurityException: Insufficient method permissions, principal=null, method=echo, interface=REMOTE, requiredRoles=[Echo], principalRoles=[]


      How can I fix this problem? Please advise.





        • 1. Re: Form Authentication
          wiley173

          I'm not an expert here either, but are your users.properties and roles.properties files in the /default/conf directory? And is EchoUser in them?

          • 2. Re: Form Authentication
            jh9999

            The example code is still the same; the users.properties and roles.properties files are placed into ssbean1.jar as defined in build.xml, and EchoUser is defined in ejb-jar.xml:

            security-role-ref >> role-name is EchoUser, role-link is Echo

            This works with BASIC authentication; it does not work with FORM authentication. Whether I use jaas-example1 (UsersRolesLoginModule) with property files or jaas-example2 (DatabaseServerLoginModule) with a database, the result is the same.

            Help is kindly appreciated.

            • 3. Re: Form Authentication
              wiley173

              Right, but now you're using form authentication...

              There is no EchoUser using BASIC authentication...

              Now you have to put them in the /default/conf directory for FORM authentication to work correctly...

              • 4. Re: Form Authentication
                wiley173

                Oops, I meant...

                There is no EchoUser using FORM authentication...

                • 5. Re: Form Authentication
                  jh9999

                  Hi again,

                  I have changed default\conf users.properties and roles.properties as advised, and I have also verified that they match jaas_howto\conf (jaas_howto is the new server name). They are listed below:

                  users.properties

                  # The username to password mapping properties file
                  java=echoman
                  duke=javaman

                  roles.properties

                  # The username to role(s) mapping properties file
                  java=Echo
                  duke=Java,Coder
                  java.CallerPrincipal=caller_java
                  duke.CallerPrincipal=caller_duke


                  I am still getting the same error message in the console, below:


                  17:04:25,896 ERROR [SecurityInterceptor] Insufficient method permissions, principal=null, method=echo, interface=REMOTE, requiredRoles=[Echo], principalRoles=[]
                  17:04:25,906 ERROR [LogInterceptor] EJBException in method: public abstract java.lang.String org.jboss.docs.jaas.howto.Session.echo(java.lang.String) throws java.rmi.RemoteException, causedBy:
                  java.lang.SecurityException: Insufficient method permissions, principal=null, method=echo, interface=REMOTE, requiredRoles=[Echo], principalRoles=[]
                  at org.jboss.ejb.plugins.SecurityInterceptor.checkSecurityAssociation(SecurityInterceptor.java:219)


                  Here is my simple login form:
                  <form name="myForm" method="post" action="j_security_check">
                    <table width="100%" border="0" cellspacing="1">
                      <tr>
                        <td colspan="2"><h2 align="center">Login Page</h2></td>
                      </tr>
                      <tr>
                        <td width="17%">User Name:</td>
                        <td width="83%"><input type="text" name="j_username"></td>
                      </tr>
                      <tr>
                        <td>Password:</td>
                        <td><input type="password" name="j_password"></td>
                      </tr>
                      <tr>
                        <td></td>
                        <td><input type="submit" value="login" alt="log in"></td>
                      </tr>
                    </table>
                  </form>
                  


                  I have even changed <role-name> to match <role-link> in ejb-jar.xml:
                   <session>
                     <description>A trivial stateless session echo bean</description>
                     <ejb-name>PublicSession</ejb-name>
                     <home>org.jboss.docs.jaas.howto.SessionHome</home>
                     <remote>org.jboss.docs.jaas.howto.Session</remote>
                     <ejb-class>org.jboss.docs.jaas.howto.PublicSessionBean</ejb-class>
                     <session-type>Stateless</session-type>
                     <transaction-type>Container</transaction-type>
                     <ejb-ref>
                       <ejb-ref-name>ejb/PrivateSession</ejb-ref-name>
                       <ejb-ref-type>Session</ejb-ref-type>
                       <home>org.jboss.docs.jaas.howto.SessionHome</home>
                       <remote>org.jboss.docs.jaas.howto.Session</remote>
                       <ejb-link>PrivateSession</ejb-link>
                     </ejb-ref>
                     <security-role-ref>
                       <role-name>Echo</role-name><!-- EchoUser -->
                       <role-link>Echo</role-link>
                     </security-role-ref>
                     <security-identity>
                       <run-as>
                         <role-name>InternalUser</role-name>
                       </run-as>
                     </security-identity>
                   </session>
                  


                  The callEcho method in EJBServlet.java is still not propagating to the PublicSessionBean echo method, even though the method permission in ejb-jar.xml allows the Echo role:

                   <method-permission>
                     <role-name>Echo</role-name>
                     <method>
                       <ejb-name>PublicSession</ejb-name>
                       <method-name>*</method-name>
                     </method>
                   </method-permission>
                  


                  Also, login-config.xml is unchanged, and it is located in the server named jaas_howto.



                  Help is kindly appreciated.
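
The thread turns on how a coded role name like "EchoUser" reaches a role the login module granted, and on what the SecurityInterceptor message actually reports. The following script is an added example for readers of this thread; it is not code from the JBoss JAAS HOWTO or from either poster. It resolves roles the way the containers do: users.properties/roles.properties supply the principal's roles, <security-role-ref> maps the coded role-name to its role-link, and <method-permission> names the roles the EJB requires. The sample properties and ejb-jar.xml fragment are constructed to match the files quoted above; the treatment of `user.Group` keys as separate role groups and the fallback of checking an unmapped role name as-is are assumptions stated in the comments. The check separates two distinct failures that the console output can look alike: a principal that lacks the required role, and `principal=null`, where no caller principal reached the EJB container at all, so no change to the role mappings can make the permission check pass.

```python
"""Resolve J2EE role names the way the web and EJB containers do (added example)."""
import xml.etree.ElementTree as ET

# Constructed sample inputs, modelled on the files quoted in the thread.
USERS_PROPERTIES = """\
# The username to password mapping properties file
java=echoman
duke=javaman
"""

ROLES_PROPERTIES = """\
# The username to role(s) mapping properties file
java=Echo
duke=Java,Coder
java.CallerPrincipal=caller_java
duke.CallerPrincipal=caller_duke
"""

EJB_JAR_XML = """\
<ejb-jar>
  <enterprise-beans>
    <session>
      <ejb-name>PublicSession</ejb-name>
      <security-role-ref>
        <role-name>EchoUser</role-name>
        <role-link>Echo</role-link>
      </security-role-ref>
    </session>
  </enterprise-beans>
  <assembly-descriptor>
    <method-permission>
      <role-name>Echo</role-name>
      <method>
        <ejb-name>PublicSession</ejb-name>
        <method-name>*</method-name>
      </method>
    </method-permission>
  </assembly-descriptor>
</ejb-jar>
"""


def parse_properties(text):
    """Parse a Java .properties file: key=value lines, '#' or '!' comments."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line[0] in "#!":
            continue
        key, _, value = line.partition("=")
        props[key.strip()] = value.strip()
    return props


def roles_for(principal, roles_props):
    """Roles in the default group: the comma-separated list under the user's key.
    Assumption: keys like 'java.CallerPrincipal' belong to another role group
    (the HOWTO's user.Group form) and are not default roles."""
    if principal is None:
        return set()  # no security association: no roles at all
    return {r.strip() for r in roles_props.get(principal, "").split(",") if r.strip()}


def role_links(ejb_jar_xml, ejb_name):
    """Map each <security-role-ref> role-name of one bean to its role-link."""
    links = {}
    for session in ET.fromstring(ejb_jar_xml).iter("session"):
        if session.findtext("ejb-name") != ejb_name:
            continue
        for ref in session.findall("security-role-ref"):
            name = ref.findtext("role-name")
            links[name] = ref.findtext("role-link") or name
    return links


def is_user_in_role(principal, role_name, roles_props, links):
    """Mirror of isUserInRole/isCallerInRole: map the coded name through the
    role-refs; an unmapped name is checked as-is (assumed container fallback)."""
    return links.get(role_name, role_name) in roles_for(principal, roles_props)


def method_permission_check(principal, ejb_jar_xml, ejb_name, method_name, roles_props):
    """Return (allowed, reason), phrased like the SecurityInterceptor message."""
    required = set()
    for perm in ET.fromstring(ejb_jar_xml).iter("method-permission"):
        for m in perm.findall("method"):
            if m.findtext("ejb-name") == ejb_name and m.findtext("method-name") in ("*", method_name):
                required.update(r.text for r in perm.findall("role-name"))
    if principal is None:
        return False, "principal=null: no caller principal reached the EJB container"
    have = roles_for(principal, roles_props)
    if required & have:
        return True, "ok"
    return False, f"requiredRoles={sorted(required)}, principalRoles={sorted(have)}"


if __name__ == "__main__":
    rp = parse_properties(ROLES_PROPERTIES)
    links = role_links(EJB_JAR_XML, "PublicSession")
    for p in ("java", "duke", None):
        print(p, is_user_in_role(p, "EchoUser", rp, links),
              method_permission_check(p, EJB_JAR_XML, "PublicSession", "echo", rp))
```

Run as-is, it shows "java" passing both the web-tier isUserInRole("EchoUser") check (via the Echo link) and the EJB method permission, "duke" failing with a requiredRoles/principalRoles mismatch, and None failing with the principal=null reason. The same helpers work on a deployment's real users.properties, roles.properties and ejb-jar.xml to confirm the mappings before looking elsewhere for why the principal is missing.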