5 Replies Latest reply on Feb 17, 2006 11:48 AM by j2ee_junkie

    jaas without LoginContext

    pi1

      I'm new to JAAS + JBoss.
      So the problem is: can I invoke a method on an EJB without using LoginContext.login()? I have something like this in my
      jboss-web.xml:
      ...
      <security-role>
      <role-name>Role1</role-name>
      <principal-name>Principal1</principal-name>
      </security-role>


      <servlet>
      <servlet-name>action</servlet-name>
      <run-as-principal>Principal</run-as-principal>
      </servlet>

      ...

      in my ejb-jar.xml:
      ...

      ...
      <ejb-name>EJB1</ejb-name>
      ...
      <security-identity>
      <use-caller-identity />
      </security-identity>


      <assembly-descriptor>
      <security-role>
      <role-name>Role1</role-name>
      </security-role>

      <method-permission>
      <role-name>Role1</role-name>
      <method>
      <ejb-name>EJB1</ejb-name>
      <method-name>*</method-name>
      </method>
      </method-permission>
      </assembly-descriptor>

      in my jboss.xml:
      ...
      <assembly-descriptor>
      <security-role>
      <role-name>Role1</role-name>
      <principal-name>Principal1</principal-name>
      </security-role>
      </assembly-descriptor>
      ...

      When I try to invoke something like EJB1Home.create I get a SecurityException: Insufficient method permissions, principal=[roles=[Role1],principal=Principal1], ejbName=EJB1, method=create, interface=HOME, requiredRoles=[Role1], principalRoles=null

      Why principalRoles=null?


        • 1. Re: jaas without LoginContext
          j2ee_junkie

          Hello,

          First off, I think the way the jboss-web.xml's security-role config works is that it will add role A (where A is specified by the role-name element) to the principal B (where B is specified by principal-name). What this means is that a user must authenticate as principal B, then JBoss will add role A to their role set. You still need to authenticate principal B though. If you just want to do some testing you can use the IdentityLoginModule as described in Chapter 8 of the server guide.

          Also, usually you do not need to use LoginContext.login(). This code is performed by JBoss's AuthenticationManager.

          Let me know if you need more detail, cgriffith

          • 2. Re: jaas without LoginContext
            pi1

            Hi, thanks for your reply j2ee_junkee. But the situation is not clear to me. OK, first I log in; this establishes my principal and credential with ClientLoginModule. During deployment everything seems to be good. The application initializes, at the same time using secured EJBs (for the security domain I use UsersRolesLoginModule). Everything seems OK. So, when a client starts the application, servlets run with principal anonymous, or with some principal B and role A (as in the previous example) in RunAsIdentity, as I define in jboss-web.xml. But for the RunAsIdentity credential=null. Should I log in in the servlet every time I want to invoke secured EJBs? Please help me to understand the situation.

            • 3. Re: jaas without LoginContext
              j2ee_junkie

              O.K. I will try this again. I read your first post a few more times and tried to better understand your situation. From what I see...

              If you want a principal of your application to be assigned role "Role1", then (as per your configuration) a user must authenticate as principal "Principal1".
              To be more specific, a user must log in with username = "Principal1" according to your config. Is this the case?

              Another issue is that your servlet is told to run as "Principal". So even if a user logs in with username = "Principal1" and is assigned role "Role1", the servlet (which is actually calling the EJB) is set to run as a different principal.

              However, all that being the case, the error message you have posted does not jive with any of this.



              • 4. Re: jaas without LoginContext
                pi1

                Hi, thanks for your attention, it was a mistype (sorry, I also mistyped your nickname); the code goes as an example of my situation.
                jboss-web.xml goes like this:
                ...
                <security-role>
                <role-name>Role1</role-name>
                <principal-name>Principal1</principal-name>
                </security-role>


                <servlet>
                <servlet-name>action</servlet-name>
                <run-as-principal>Principal1</run-as-principal>
                </servlet>

                ...

                For the rest I think all is correct. So I have not resolved the problem with run-as for servlets.
                For now I get it to work like this:
                import java.util.Properties;
                import javax.naming.Context;
                import javax.naming.InitialContext;

                // strServer, strLogin and strPassword are supplied by the caller
                Properties p = new Properties();
                // LoginInitialContextFactory performs a JAAS login against the policy named in SECURITY_PROTOCOL
                p.put(Context.INITIAL_CONTEXT_FACTORY, "org.jboss.security.jndi.LoginInitialContextFactory");
                p.put(Context.URL_PKG_PREFIXES, "org.jboss.naming:org.jnp.interfaces");
                p.put(Context.PROVIDER_URL, "jnp://" + strServer + ":1099");
                p.put(Context.SECURITY_PRINCIPAL, strLogin);
                p.put(Context.SECURITY_CREDENTIALS, strPassword);
                p.put(Context.SECURITY_PROTOCOL, "client-login");
                InitialContext ctx = new InitialContext(p);
                Object home = ctx.lookup(SomeHome.JNDI_NAME);

                Where client-login is ClientLoginModule in my login-config.xml; for the security domain I use a configuration with UsersRolesLoginModule.
                I left all servlets without <run-as>, and it seems to work. But this workaround is not suitable for me. Can you please help me with how to store the principal and credential for the application scope, and not for a single servlet?
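
An added example (not from this thread or from the JBoss project) of how the two pieces named in the post above fit together: the client-login policy backed by ClientLoginModule, which only stores the caller's principal and credential for the calling thread, and a server-side security domain backed by UsersRolesLoginModule, which is what actually authenticates the caller and assigns roles such as Role1. The domain name my-domain, the properties file paths and the password value are assumptions.

```xml
<!-- login-config.xml (constructed example; domain name and file paths are assumptions) -->
<policy>
  <!-- Client-side policy selected by SECURITY_PROTOCOL=client-login in the InitialContext
       properties. ClientLoginModule does not check the password; it only binds the
       principal/credential to the calling thread so they travel with each EJB call. -->
  <application-policy name="client-login">
    <authentication>
      <login-module code="org.jboss.security.ClientLoginModule" flag="required">
        <!-- restore the previous identity on logout so one caller's identity does not
             remain bound to a pooled thread and leak into another request -->
        <module-option name="restore-login-identity">true</module-option>
      </login-module>
    </authentication>
  </application-policy>

  <!-- Server-side domain that authenticates the caller and assigns its roles when the
       EJB container checks method-permission. Roles come from the roles properties
       file, so Principal1 only gets Role1 if that file says so. -->
  <application-policy name="my-domain">
    <authentication>
      <login-module code="org.jboss.security.auth.spi.UsersRolesLoginModule" flag="required">
        <module-option name="usersProperties">props/my-users.properties</module-option>
        <module-option name="rolesProperties">props/my-roles.properties</module-option>
      </login-module>
    </authentication>
  </application-policy>
</policy>

<!-- jboss.xml (for the EJB module) and jboss-web.xml (for the web module) both need to
     name that domain, otherwise the container has no login module to consult -->
<security-domain>java:/jaas/my-domain</security-domain>

<!-- props/my-users.properties (one line, placeholder password):
       Principal1=CHANGE-ME-PLACEHOLDER
     props/my-roles.properties (one line; the principal name must match exactly):
       Principal1=Role1 -->
```

Whatever identity the servlet is running as when it calls EJB1 must be resolvable by my-domain with roles that include Role1; a run-as principal that my-domain cannot authenticate ends up with no roles at all.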

                • 5. Re: jaas without LoginContext
                  j2ee_junkie

                  Pi1,

                  When a user attempts to access your web app., what login-config do they use?

                  When the servlet (without the code below that creates the InitialContext) is run, what login-config is being used to log the servlet into the JBoss AS?

                  You mention UserRolesLoginModule, but you do not mention what domain it is being used in. And it would be nice to know the principal name being used by this module.

                  When you do use the code below in your servlet that creates an InitialContext, what is the value of strLogin?

                  Are you using servlet container managed security?

                  cgriffith