17 Replies Latest reply on Apr 7, 2006 7:22 AM by dhartford

    web-tier to initialcontext remote ejb3 call

    dhartford

      Hey all,
      I have a web application configured with web.xml <security-constraints> and jboss-web.xml that points to a 'testSecurity' realm. The webapp works fine, as expected, with requiring logins, roles, and using ClientLoginModule, etc.

      I have a secured ejb3 running on a different server (happens to be pointing to the same configured realm, but shouldn't matter as long as principal/credentials fly). It also has ClientLoginModule configured. I can call my ejb3 remotely (even from the webapp server), and with different credentials get different behavior, so it is working as expected:

       import java.util.Properties;
       import javax.naming.Context;
       import javax.naming.InitialContext;

       // explicit principal/credentials: JndiLoginInitialContextFactory does a
       // client-side login with these before the lookup
       Properties env = new Properties();
       env.setProperty(Context.SECURITY_PRINCIPAL, "username");
       env.setProperty(Context.SECURITY_CREDENTIALS, "password");
       env.setProperty(Context.INITIAL_CONTEXT_FACTORY, "org.jboss.security.jndi.JndiLoginInitialContextFactory");
       InitialContext ctx = new InitialContext(env);

       MyClass mc = (MyClass) ctx.lookup("MyClassBean/remote");
      


      However, when I copy this exact code to a JSF backing bean, it works. When I comment out principal and credentials to use the web-tier JAAS principal/credentials, this doesn't work. When I try using SecurityAssociation directly, principal and credentials are null.

      I've seen discussions about using a Tomcat Valve for a fix, requiring a CallbackHandler for a fix, something about the JAAS only working on the current thread and not the session, and related workarounds, etc. Any recommendations for a 'clean' fix that shouldn't break on me later?

      jboss-4.0.4RC1 on both ejb3 and webapp servers.

      Thanks,
      -D


        • 1. Re: web-tier to initialcontext remote ejb3 call
          dhartford

          I'm stretching here, but could this be related to http://jira.jboss.com/jira/browse/JBAS-2311 ?

          • 2. Re: web-tier to initialcontext remote ejb3 call
            dhartford

            I found references to using the ClientLoginModule in 'multi-threaded' mode, so I added those configurations to the webapp's JBoss server:

            <login-module code="org.jboss.security.ClientLoginModule" flag="required">
             <module-option name="multi-threaded">true</module-option>
             <module-option name="password-stacking">useFirstPass</module-option>
            </login-module>
            


            I also enabled security debugging, and here is the error:

            11:26:00,012 ERROR [STDERR] java.lang.NullPointerException
            11:26:00,012 ERROR [STDERR] at org.jboss.security.jndi.JndiLoginInitialContextFactory.getInitialContext(JndiLoginInitialContextFactory.java:75)
            11:26:00,012 ERROR [STDERR] at javax.naming.spi.NamingManager.getInitialContext(NamingManager.java:667)
            11:26:00,012 ERROR [STDERR] at javax.naming.InitialContext.getDefaultInitCtx(InitialContext.java:247)
            11:26:00,012 ERROR [STDERR] at javax.naming.InitialContext.init(InitialContext.java:223)
            11:26:00,012 ERROR [STDERR] at javax.naming.InitialContext.<init>(InitialContext.java:197)
            11:26:00,012 ERROR [STDERR] at com.ghsinc.web.roleeditor.SessionBean01.getAuthorizationManager(Unknown Source)
            11:26:00,012 ERROR [STDERR] at com.ghsinc.web.roleeditor.GeneralBackingBean.<init>(Unknown Source)
            11:26:00,012 ERROR [STDERR] at sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method)
            11:26:00,012 ERROR [STDERR] at sun.reflect.NativeConstructorAccessorImpl.newInstance(NativeConstructorAccessorImpl.java:39)
            11:26:00,012 ERROR [STDERR] at sun.reflect.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:27)
            11:26:00,012 ERROR [STDERR] at java.lang.reflect.Constructor.newInstance(Constructor.java:494)
            11:26:00,012 ERROR [STDERR] at java.lang.Class.newInstance0(Class.java:350)
            11:26:00,012 ERROR [STDERR] at java.lang.Class.newInstance(Class.java:303)
            11:26:00,012 ERROR [STDERR] at java.beans.Beans.instantiate(Beans.java:204)
            11:26:00,012 ERROR [STDERR] at java.beans.Beans.instantiate(Beans.java:48)
            11:26:00,012 ERROR [STDERR] at com.sun.faces.config.ManagedBeanFactory.newInstance(ManagedBeanFactory.java:203)
            11:26:00,012 ERROR [STDERR] at com.sun.faces.application.ApplicationAssociate.createAndMaybeStoreManagedBeans(ApplicationAssociate.java:256)
            11:26:00,012 ERROR [STDERR] at com.sun.faces.el.VariableResolverImpl.resolveVariable(VariableResolverImpl.java:78)
            11:26:00,012 ERROR [STDERR] at com.sun.faces.el.impl.NamedValue.evaluate(NamedValue.java:125)
            11:26:00,012 ERROR [STDERR] at com.sun.faces.el.impl.ComplexValue.evaluate(ComplexValue.java:146)
            11:26:00,012 ERROR [STDERR] at com.sun.faces.el.impl.ExpressionEvaluatorImpl.evaluate(ExpressionEvaluatorImpl.java:243)
            11:26:00,012 ERROR [STDERR] at com.sun.faces.el.ValueBindingImpl.getValue(ValueBindingImpl.java:173)
            11:26:00,012 ERROR [STDERR] at com.sun.faces.el.ValueBindingImpl.getValue(ValueBindingImpl.java:154)
            11:26:00,012 ERROR [STDERR] at com.sun.faces.application.ApplicationImpl.createComponent(ApplicationImpl.java:386)
            11:26:00,012 ERROR [STDERR] at javax.faces.webapp.UIComponentTag.createComponent(UIComponentTag.java:1009)
            11:26:00,012 ERROR [STDERR] at javax.faces.webapp.UIComponentTag.createChild(UIComponentTag.java:1036)
            11:26:00,012 ERROR [STDERR] at javax.faces.webapp.UIComponentTag.findComponent(UIComponentTag.java:749)
            11:26:00,012 ERROR [STDERR] at javax.faces.webapp.UIComponentTag.doStartTag(UIComponentTag.java:429)
            11:26:00,012 ERROR [STDERR] at com.sun.faces.taglib.html_basic.InputTextTag.doStartTag(InputTextTag.java:506)
            11:26:00,012 ERROR [STDERR] at org.apache.jsp.main_jsp._jspx_meth_h_inputText_0(org.apache.jsp.main_jsp:251)
            11:26:00,012 ERROR [STDERR] at org.apache.jsp.main_jsp._jspx_meth_h_form_0(org.apache.jsp.main_jsp:193)
            11:26:00,012 ERROR [STDERR] at org.apache.jsp.main_jsp._jspx_meth_f_view_0(org.apache.jsp.main_jsp:145)
            11:26:00,012 ERROR [STDERR] at org.apache.jsp.main_jsp._jspService(org.apache.jsp.main_jsp:108)
            11:26:00,012 ERROR [STDERR] at org.apache.jasper.runtime.HttpJspBase.service(HttpJspBase.java:97)
            11:26:00,012 ERROR [STDERR] at javax.servlet.http.HttpServlet.service(HttpServlet.java:810)
            11:26:00,012 ERROR [STDERR] at org.apache.jasper.servlet.JspServletWrapper.service(JspServletWrapper.java:322)
            11:26:00,012 ERROR [STDERR] at org.apache.jasper.servlet.JspServlet.serviceJspFile(JspServlet.java:314)
            11:26:00,012 ERROR [STDERR] at org.apache.jasper.servlet.JspServlet.service(JspServlet.java:264)
            11:26:00,012 ERROR [STDERR] at javax.servlet.http.HttpServlet.service(HttpServlet.java:810)
            11:26:00,027 ERROR [STDERR] at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:252)
            11:26:00,027 ERROR [STDERR] at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:173)
            11:26:00,027 ERROR [STDERR] at org.apache.catalina.core.ApplicationDispatcher.invoke(ApplicationDispatcher.java:672)
            11:26:00,027 ERROR [STDERR] at org.apache.catalina.core.ApplicationDispatcher.processRequest(ApplicationDispatcher.java:463)
            11:26:00,027 ERROR [STDERR] at org.apache.catalina.core.ApplicationDispatcher.doForward(ApplicationDispatcher.java:398)
            11:26:00,027 ERROR [STDERR] at org.apache.catalina.core.ApplicationDispatcher.forward(ApplicationDispatcher.java:301)
            11:26:00,027 ERROR [STDERR] at com.sun.faces.context.ExternalContextImpl.dispatch(ExternalContextImpl.java:322)
            11:26:00,027 ERROR [STDERR] at com.sun.faces.application.ViewHandlerImpl.renderView(ViewHandlerImpl.java:130)
            11:26:00,027 ERROR [STDERR] at com.sun.faces.lifecycle.RenderResponsePhase.execute(RenderResponsePhase.java:87)
            11:26:00,027 ERROR [STDERR] at com.sun.faces.lifecycle.LifecycleImpl.phase(LifecycleImpl.java:200)
            11:26:00,027 ERROR [STDERR] at com.sun.faces.lifecycle.LifecycleImpl.render(LifecycleImpl.java:117)
            11:26:00,027 ERROR [STDERR] at javax.faces.webapp.FacesServlet.service(FacesServlet.java:198)
            11:26:00,027 ERROR [STDERR] at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:252)
            11:26:00,027 ERROR [STDERR] at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:173)
            11:26:00,027 ERROR [STDERR] at org.apache.catalina.core.ApplicationDispatcher.invoke(ApplicationDispatcher.java:672)
            11:26:00,027 ERROR [STDERR] at org.apache.catalina.core.ApplicationDispatcher.processRequest(ApplicationDispatcher.java:463)
            11:26:00,027 ERROR [STDERR] at org.apache.catalina.core.ApplicationDispatcher.doForward(ApplicationDispatcher.java:398)
            11:26:00,027 ERROR [STDERR] at org.apache.catalina.core.ApplicationDispatcher.forward(ApplicationDispatcher.java:301)
            11:26:00,027 ERROR [STDERR] at org.apache.jasper.runtime.PageContextImpl.doForward(PageContextImpl.java:693)
            11:26:00,027 ERROR [STDERR] at org.apache.jasper.runtime.PageContextImpl.forward(PageContextImpl.java:660)
            11:26:00,027 ERROR [STDERR] at org.apache.jsp.index_jsp._jspService(org.apache.jsp.index_jsp:48)
            11:26:00,027 ERROR [STDERR] at org.apache.jasper.runtime.HttpJspBase.service(HttpJspBase.java:97)
            11:26:00,027 ERROR [STDERR] at javax.servlet.http.HttpServlet.service(HttpServlet.java:810)
            11:26:00,027 ERROR [STDERR] at org.apache.jasper.servlet.JspServletWrapper.service(JspServletWrapper.java:322)
            11:26:00,027 ERROR [STDERR] at org.apache.jasper.servlet.JspServlet.serviceJspFile(JspServlet.java:314)
            11:26:00,027 ERROR [STDERR] at org.apache.jasper.servlet.JspServlet.service(JspServlet.java:264)
            11:26:00,027 ERROR [STDERR] at javax.servlet.http.HttpServlet.service(HttpServlet.java:810)
            11:26:00,027 ERROR [STDERR] at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:252)
            11:26:00,027 ERROR [STDERR] at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:173)
            11:26:00,027 ERROR [STDERR] at org.jboss.web.tomcat.filters.ReplyHeaderFilter.doFilter(ReplyHeaderFilter.java:96)
            11:26:00,027 ERROR [STDERR] at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:202)
            11:26:00,027 ERROR [STDERR] at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:173)
            11:26:00,027 ERROR [STDERR] at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:213)
            11:26:00,027 ERROR [STDERR] at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:178)
            11:26:00,027 ERROR [STDERR] at org.jboss.web.tomcat.security.CustomPrincipalValve.invoke(CustomPrincipalValve.java:54)
            11:26:00,043 ERROR [STDERR] at org.jboss.web.tomcat.security.SecurityAssociationValve.invoke(SecurityAssociationValve.java:174)
            11:26:00,043 ERROR [STDERR] at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:514)
            11:26:00,043 ERROR [STDERR] at org.jboss.web.tomcat.security.JaccContextValve.invoke(JaccContextValve.java:74)
            11:26:00,043 ERROR [STDERR] at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:126)
            11:26:00,043 ERROR [STDERR] at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:105)
            11:26:00,043 ERROR [STDERR] at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:107)
            11:26:00,043 ERROR [STDERR] at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:148)
            11:26:00,043 ERROR [STDERR] at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:868)
            11:26:00,043 ERROR [STDERR] at org.apache.coyote.http11.Http11BaseProtocol$Http11ConnectionHandler.processConnection(Http11BaseProtocol.java:663)
            11:26:00,043 ERROR [STDERR] at org.apache.tomcat.util.net.PoolTcpEndpoint.processSocket(PoolTcpEndpoint.java:527)
            11:26:00,043 ERROR [STDERR] at org.apache.tomcat.util.net.MasterSlaveWorkerThread.run(MasterSlaveWorkerThread.java:112)
            11:26:00,043 ERROR [STDERR] at java.lang.Thread.run(Thread.java:595)
            11:26:26,350 ERROR [STDERR] java.lang.NullPointerException
            11:26:26,350 ERROR [STDERR] at org.jboss.security.jndi.JndiLoginInitialContextFactory.getInitialContext(JndiLoginInitialContextFactory.java:75)
            11:26:26,350 ERROR [STDERR] at javax.naming.spi.NamingManager.getInitialContext(NamingManager.java:667)
            11:26:26,350 ERROR [STDERR] at javax.naming.InitialContext.getDefaultInitCtx(InitialContext.java:247)
            11:26:26,350 ERROR [STDERR] at javax.naming.InitialContext.init(InitialContext.java:223)
            11:26:26,350 ERROR [STDERR] at javax.naming.InitialContext.<init>(InitialContext.java:197)
            11:26:26,350 ERROR [STDERR] at com.ghsinc.web.roleeditor.SessionBean01.getAuthorizationManager(Unknown Source)
            11:26:26,350 ERROR [STDERR] at com.ghsinc.web.roleeditor.GeneralBackingBean.<init>(Unknown Source)
            11:26:26,350 ERROR [STDERR] at sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method)
            11:26:26,350 ERROR [STDERR] at sun.reflect.NativeConstructorAccessorImpl.newInstance(NativeConstructorAccessorImpl.java:39)
            11:26:26,350 ERROR [STDERR] at sun.reflect.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:27)
            11:26:26,350 ERROR [STDERR] at java.lang.reflect.Constructor.newInstance(Constructor.java:494)
            11:26:26,350 ERROR [STDERR] at java.lang.Class.newInstance0(Class.java:350)
            11:26:26,350 ERROR [STDERR] at java.lang.Class.newInstance(Class.java:303)
            11:26:26,350 ERROR [STDERR] at java.beans.Beans.instantiate(Beans.java:204)
            11:26:26,350 ERROR [STDERR] at java.beans.Beans.instantiate(Beans.java:48)
            11:26:26,350 ERROR [STDERR] at com.sun.faces.config.ManagedBeanFactory.newInstance(ManagedBeanFactory.java:203)
            11:26:26,350 ERROR [STDERR] at com.sun.faces.application.ApplicationAssociate.createAndMaybeStoreManagedBeans(ApplicationAssociate.java:256)
            11:26:26,350 ERROR [STDERR] at com.sun.faces.el.VariableResolverImpl.resolveVariable(VariableResolverImpl.java:78)
            11:26:26,350 ERROR [STDERR] at com.sun.faces.el.impl.NamedValue.evaluate(NamedValue.java:125)
            11:26:26,350 ERROR [STDERR] at com.sun.faces.el.impl.ComplexValue.setValue(ComplexValue.java:160)
            11:26:26,350 ERROR [STDERR] at com.sun.faces.el.ValueBindingImpl.setValue(ValueBindingImpl.java:234)
            11:26:26,350 ERROR [STDERR] at com.sun.faces.lifecycle.RestoreViewPhase.doPerComponentActions(RestoreViewPhase.java:196)
            11:26:26,350 ERROR [STDERR] at com.sun.faces.lifecycle.RestoreViewPhase.doPerComponentActions(RestoreViewPhase.java:189)
            11:26:26,350 ERROR [STDERR] at com.sun.faces.lifecycle.RestoreViewPhase.doPerComponentActions(RestoreViewPhase.java:189)
            11:26:26,350 ERROR [STDERR] at com.sun.faces.lifecycle.RestoreViewPhase.execute(RestoreViewPhase.java:175)
            11:26:26,350 ERROR [STDERR] at com.sun.faces.lifecycle.LifecycleImpl.phase(LifecycleImpl.java:200)
            11:26:26,350 ERROR [STDERR] at com.sun.faces.lifecycle.LifecycleImpl.execute(LifecycleImpl.java:90)
            11:26:26,350 ERROR [STDERR] at javax.faces.webapp.FacesServlet.service(FacesServlet.java:197)
            11:26:26,350 ERROR [STDERR] at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:252)
            11:26:26,350 ERROR [STDERR] at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:173)
            11:26:26,350 ERROR [STDERR] at org.jboss.web.tomcat.filters.ReplyHeaderFilter.doFilter(ReplyHeaderFilter.java:96)
            11:26:26,350 ERROR [STDERR] at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:202)
            11:26:26,350 ERROR [STDERR] at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:173)
            11:26:26,350 ERROR [STDERR] at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:213)
            11:26:26,350 ERROR [STDERR] at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:178)
            11:26:26,350 ERROR [STDERR] at org.jboss.web.tomcat.security.CustomPrincipalValve.invoke(CustomPrincipalValve.java:54)
            11:26:26,350 ERROR [STDERR] at org.jboss.web.tomcat.security.SecurityAssociationValve.invoke(SecurityAssociationValve.java:174)
            11:26:26,350 ERROR [STDERR] at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:514)
            11:26:26,350 ERROR [STDERR] at org.jboss.web.tomcat.security.JaccContextValve.invoke(JaccContextValve.java:74)
            11:26:26,350 ERROR [STDERR] at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:126)
            11:26:26,350 ERROR [STDERR] at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:105)
            11:26:26,350 ERROR [STDERR] at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:107)
            11:26:26,350 ERROR [STDERR] at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:148)
            11:26:26,350 ERROR [STDERR] at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:868)
            11:26:26,350 ERROR [STDERR] at org.apache.coyote.http11.Http11BaseProtocol$Http11ConnectionHandler.processConnection(Http11BaseProtocol.java:663)
            11:26:26,350 ERROR [STDERR] at org.apache.tomcat.util.net.PoolTcpEndpoint.processSocket(PoolTcpEndpoint.java:527)
            11:26:26,350 ERROR [STDERR] at org.apache.tomcat.util.net.MasterSlaveWorkerThread.run(MasterSlaveWorkerThread.java:112)
            11:26:26,350 ERROR [STDERR] at java.lang.Thread.run(Thread.java:595)
            


            Even with the ClientLoginModule changes, the SecurityAssociation still returns nulls and the JndiInitialContext still does not work for making the remote ejb3 call when I have the Principal/Credential properties commented out.

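            The JndiLoginInitialContextFactory path used in the posts above is a client-side ClientLoginModule login driven from the environment properties. Written out by hand it shows why a missing principal can only fail, and where the logout has to go. The following is an added example, not code from this thread or from JBoss: it assumes the "client-login" application policy (the ClientLoginModule entry shipped in the JBoss 4.x login-config.xml) is usable on the webapp server, reuses the provider URL and the SecTestBean/remote name from later posts, and stubs SecTest as a stand-in for the poster's remote interface.

```java
import java.util.Properties;
import javax.naming.Context;
import javax.naming.InitialContext;
import javax.naming.NamingException;
import javax.security.auth.login.LoginContext;
import javax.security.auth.login.LoginException;
import org.jboss.security.auth.callback.UsernamePasswordHandler;

/** Stand-in for the poster's remote interface (assumption, not from the thread). */
interface SecTest {
    String hello();
}

/**
 * Explicit ClientLoginModule login bracketing one remote EJB3 call.
 * Added example. "client-login" is assumed to be the ClientLoginModule
 * application policy from the JBoss 4.x login-config.xml.
 */
public class ExplicitClientLogin {

    // Provider URL taken from the thread.
    private static final String PROVIDER_URL = "jnp://10.0.0.135:1099";

    public static String callHello(String user, char[] password)
            throws LoginException, NamingException {
        // Fail closed. A null principal would otherwise surface as an NPE deep
        // inside the login plumbing, which is what the posted trace shows.
        if (user == null || password == null) {
            throw new LoginException("no caller identity available; refusing to call the EJB");
        }

        // ClientLoginModule does not authenticate anything: it only binds the
        // principal/credential to the caller (per thread when multi-threaded=true,
        // shared across threads otherwise). The EJB server validates them on
        // the invocation, so login and logout must bracket the call.
        LoginContext lc = new LoginContext("client-login",
                new UsernamePasswordHandler(user, password));
        lc.login();
        try {
            // Plain jnp factory: the identity comes from the login above, not
            // from Context.SECURITY_PRINCIPAL/CREDENTIALS.
            Properties env = new Properties();
            env.setProperty(Context.INITIAL_CONTEXT_FACTORY, "org.jnp.interfaces.NamingContextFactory");
            env.setProperty(Context.URL_PKG_PREFIXES, "org.jboss.naming:org.jnp.interfaces");
            env.setProperty(Context.PROVIDER_URL, PROVIDER_URL);
            InitialContext ctx = new InitialContext(env);
            try {
                SecTest st = (SecTest) ctx.lookup("SecTestBean/remote");
                return st.hello();
            } finally {
                ctx.close();
            }
        } finally {
            // Always clear the association, or a pooled request thread keeps
            // carrying this caller's identity into the next request.
            lc.logout();
        }
    }
}
```

            The try/finally around lc.logout() is the part worth keeping even if the rest is replaced: with multi-threaded=true the association lives on the Tomcat worker thread, and those threads are reused for other users' requests.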
            • 3. Re: web-tier to initialcontext remote ejb3 call
              starksm64

              There is no principal in the InitialContextFactory environment properties under the Context.SECURITY_PRINCIPAL for this NPE to occur.

              • 4. Re: web-tier to initialcontext remote ejb3 call
                dhartford


                "scott.stark@jboss.org" wrote:
                There is no principal in the InitialContextFactory environment properties under the Context.SECURITY_PRINCIPAL for this NPE to occur.


                Well, yes, that's kind of my point for this thread. I want to use already logged-in credentials from the web-tier. As such, I don't want to manually pass credentials so I commented out the credentials:

                
                 import java.util.Properties;
                 import javax.naming.Context;
                 import javax.naming.InitialContext;

                 Properties env = new Properties();
                 // commented out on purpose: the web-tier login should supply these
                 //env.setProperty(Context.SECURITY_PRINCIPAL, "username");
                 //env.setProperty(Context.SECURITY_CREDENTIALS, "password");
                 env.setProperty(Context.INITIAL_CONTEXT_FACTORY, "org.jboss.security.jndi.JndiLoginInitialContextFactory");
                 InitialContext ctx = new InitialContext(env);

                 MyClass mc = (MyClass) ctx.lookup("MyClassBean/remote");
                



                If I try to work around this by explicitly setting the environment properties using
                SecurityAssociation.getPrincipal()/getCredential(),
                both of those are null even though my webapp requires login and correctly behaves based on those logins. From the web/JSF standpoint, getExternalContext().getRemoteUser() works fine, but the integration point (SecurityAssociation) does not. I'm using the ClientLoginModule, where I thought the intent was that by using the JndiLoginInitialContextFactory it would be passed through.

                I've seen discussions about using a Tomcat Valve for a fix, requiring a CallbackHandler for a fix, something about the JAAS only working on the current thread and not the session, and related workarounds, etc. Any recommendations for a 'clean' fix that shouldn't break on me later?

                jboss-4.0.4RC1 on both ejb3 and webapp servers.



                • 5. Re: web-tier to initialcontext remote ejb3 call
                  starksm64

                  If this is the Tomcat embedded in JBoss, there should be no need to use the ClientLoginModule to pick up the web container login, as there already is a SecurityAssociationValve in the configuration for this. If it's not working, it's a bug in the ejb3 layer. If you're not using the RC5 release, do so, or check the outstanding JIRA issues.

                  http://jira.jboss.com/jira/browse/EJBTHREE

                  • 6. Re: web-tier to initialcontext remote ejb3 call
                    dhartford

                    When the SecurityAssociation on the web tier is NULL, this is an EJB problem?

                    • 7. Re: web-tier to initialcontext remote ejb3 call
                      dhartford

                      JSF Session Bean:

                      import java.util.Properties;
                      import javax.naming.Context;
                      import javax.naming.InitialContext;
                      import org.jboss.security.SecurityAssociation;

                      public void securityCheck() {
                          try {
                              // This is null
                              System.out.println("Principal: " + SecurityAssociation.getPrincipal());
                              // This is null (debug only: never log a real credential in production)
                              System.out.println("Credential: " + SecurityAssociation.getCredential());
                              // This is correct for ALL use cases (getContext() is the bean's own FacesContext accessor)
                              System.out.println("Remote User: " + this.getContext().getExternalContext().getRemoteUser());

                              Properties env = new Properties();
                              env.setProperty("java.naming.provider.url", "jnp://10.0.0.135:1099");
                              // when I use my username/password manually, this works fine
                              // even when called in the JSF/Session bean. When commented
                              // out for JAAS use, this doesn't work.
                              //env.setProperty(Context.SECURITY_PRINCIPAL, manualusername);
                              //env.setProperty(Context.SECURITY_CREDENTIALS, manualpassword);
                              env.setProperty(Context.INITIAL_CONTEXT_FACTORY, "org.jboss.security.jndi.JndiLoginInitialContextFactory");
                              InitialContext ctx = new InitialContext(env);
                              SecTest st = (SecTest) ctx.lookup("SecTestBean/remote");

                              // make a secure EJB3 call
                              // Again, works with correct manual username/password.
                              // Behaves properly with incorrect manual username/password.
                              // fails completely when trying to use JAAS as SecurityAssociation is null
                              System.out.println(st.hello());
                          } catch (Exception e) {
                              e.printStackTrace();
                          }
                      }
                      


                      And, just for verification:

                      jboss-web.xml:
                      <jboss-web>
                       <security-domain>java:/jaas/testRealm</security-domain>
                      </jboss-web>
                      


                      web.xml
                      ....
                       <security-constraint>
                         <web-resource-collection>
                           <web-resource-name>Required Only</web-resource-name>
                           <description>Required Only</description>
                           <url-pattern>/*</url-pattern>
                           <http-method>POST</http-method>
                           <http-method>GET</http-method>
                         </web-resource-collection>
                         <auth-constraint>
                           <description>Define who can access this url-pattern</description>
                           <role-name>*</role-name>
                         </auth-constraint>

                         <user-data-constraint>
                           <transport-guarantee>NONE</transport-guarantee>
                         </user-data-constraint>
                       </security-constraint>

                       <login-config>
                         <auth-method>BASIC</auth-method>
                         <realm-name>Please log in</realm-name>
                       </login-config>

                       <!-- this is a known and proven role in the JAAS modules for our test user -->
                       <security-role>
                         <role-name>developers</role-name>
                       </security-role>
                      


                      • 8. Re: web-tier to initialcontext remote ejb3 call
                        dhartford

                        correction to above post (trying to de-sensitize):
                        System.out.println(aM.hello());
                        should be

                        System.out.println(st.hello());

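                        To pin down whether the thread-local SecurityAssociation is ever populated on the request thread (the posted trace shows GeneralBackingBean.<init> running on the Tomcat worker thread beneath SecurityAssociationValve.invoke), a servlet filter on the same path can print the web container's view of the caller next to SecurityAssociation's view on the very same thread. This is an added example, not from the thread; the filter name and log format are my own, and it prints only whether a credential is present, never the credential itself.

```java
import java.io.IOException;
import java.security.Principal;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import org.jboss.security.SecurityAssociation;

/**
 * Diagnostic filter (added example): compares the container's caller with the
 * JBoss SecurityAssociation thread-local on the request thread. Map it to /*
 * in web.xml so it runs inside the SecurityAssociationValve, before the JSF
 * servlet instantiates any backing bean.
 */
public class CallerDiagnosticFilter implements Filter {

    public void init(FilterConfig cfg) {
    }

    public void destroy() {
    }

    /** Builds the one-line summary; separated out so it can be checked without a container. */
    static String describe(String threadName, String uri, String remoteUser,
                           Principal webPrincipal, Principal assocPrincipal, Object assocCredential) {
        return "[caller] thread=" + threadName
            + " uri=" + uri
            + " remoteUser=" + remoteUser
            + " webPrincipal=" + (webPrincipal == null ? null : webPrincipal.getName())
            + " assocPrincipal=" + (assocPrincipal == null ? null : assocPrincipal.getName())
            // presence only: a credential must never be written to a log
            + " assocCredentialPresent=" + (assocCredential != null);
    }

    public void doFilter(ServletRequest req, ServletResponse resp, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest http = (HttpServletRequest) req;
        System.out.println(describe(
            Thread.currentThread().getName(),
            http.getRequestURI(),
            http.getRemoteUser(),
            http.getUserPrincipal(),
            SecurityAssociation.getPrincipal(),
            SecurityAssociation.getCredential()));
        chain.doFilter(req, resp);
    }
}
```

                        Reading the output: if remoteUser is set but assocPrincipal is null here, the valve did not populate the association for this request at all; if both are set here but SecurityAssociation is null inside the backing bean, the lookup is running on a different thread or after something cleared the association. One caveat on the posted web.xml while testing this: BASIC with transport-guarantee NONE sends the password base64-encoded on every request, so switch to CONFIDENTIAL for anything beyond a test setup.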
                        • 9. Re: web-tier to initialcontext remote ejb3 call
                          dhartford

                          and, yes, I'm using 4.0.4RC1 binary drop which, according to the notes, uses EJB3 RC5.

                          • 10. Re: web-tier to initialcontext remote ejb3 call
                            starksm64

                            The JndiLoginInitialContextFactory cannot be used if you want transparent propagation of the web container caller.

                            • 11. Re: web-tier to initialcontext remote ejb3 call
                              dhartford

                              Forgive my ignorance, but what is the recommended approach for transparent propagation of Security credentials from the web tier to a remote ejb3 call?

                              • 12. Re: web-tier to initialcontext remote ejb3 call
                                starksm64

                                To use the embedded Tomcat configuration, which includes the SecurityAssociationValve to do this. There is a mention of a lack of credentials in one post. If there is no security context (a web page that is not secured), there will be nothing to propagate.

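                                The approach starksm64 describes, relying on the SecurityAssociationValve rather than on a client-side login, looks like the following in a backing bean. It is an added example (not code from the thread or from JBoss) that first checks there is an authenticated web caller and refuses to run otherwise, because an unsecured page has nothing to propagate. It reuses the provider URL and the SecTestBean/remote name from the thread and stubs SecTest as a stand-in for the poster's interface. Whether the invocation then carries the web caller's identity end to end is exactly the open question in this thread, so the check is a precondition, not a guarantee.

```java
import java.security.Principal;
import java.util.Properties;
import javax.faces.context.ExternalContext;
import javax.faces.context.FacesContext;
import javax.naming.Context;
import javax.naming.InitialContext;
import javax.naming.NamingException;

/** Stand-in for the poster's remote interface (assumption, not from the thread). */
interface SecTest {
    String hello();
}

/**
 * Remote EJB3 lookup that relies on the container-propagated caller and
 * refuses to proceed without one. Added example.
 */
public class PropagatedCallerLookup {

    // Plain jnp factory, deliberately NOT JndiLoginInitialContextFactory:
    // no client-side login happens here, so whatever security context the
    // SecurityAssociationValve established for this request is what the
    // invocation carries. JndiLoginInitialContextFactory would instead demand
    // explicit Context.SECURITY_PRINCIPAL/CREDENTIALS and NPE without them.
    static Properties remoteEnv(String providerUrl) {
        Properties env = new Properties();
        env.setProperty(Context.INITIAL_CONTEXT_FACTORY, "org.jnp.interfaces.NamingContextFactory");
        env.setProperty(Context.URL_PKG_PREFIXES, "org.jboss.naming:org.jnp.interfaces");
        env.setProperty(Context.PROVIDER_URL, providerUrl);
        return env;
    }

    /** Returns the authenticated web caller or null; null means "nothing to propagate". */
    static Principal currentWebCaller() {
        FacesContext fc = FacesContext.getCurrentInstance();
        if (fc == null) {
            return null; // not inside a JSF request
        }
        ExternalContext ext = fc.getExternalContext();
        return ext.getUserPrincipal();
    }

    public static String helloAsWebCaller() throws NamingException {
        Principal caller = currentWebCaller();
        // Fail closed: without a web-tier security context the remote call
        // would go out with no identity, so do not make it.
        if (caller == null) {
            throw new SecurityException("no authenticated web caller on this request; refusing remote EJB call");
        }
        InitialContext ctx = new InitialContext(remoteEnv("jnp://10.0.0.135:1099")); // URL from the thread
        try {
            SecTest st = (SecTest) ctx.lookup("SecTestBean/remote");
            return st.hello();
        } finally {
            ctx.close();
        }
    }
}
```

                                If the EJB server still rejects the call as unauthenticated with this in place, that is the "bug in the ejb3 layer" case from reply 5 rather than a problem in the web tier, and the EJBTHREE JIRA link above is the place to check.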
                                • 13. Re: web-tier to initialcontext remote ejb3 call
                                  dhartford


                                  "scott.stark@jboss.org" wrote:
                                  To use the embedded Tomcat configuration, which includes the SecurityAssociationValve to do this. There is a mention of a lack of credentials in one post. If there is no security context (a web page that is not secured), there will be nothing to propagate.


                                  Did I find a bug then? I am using the 4.0.4RC1 binary with the embedded Tomcat and I am still having issues. You mentioned NOT using the JndiInitialContext; is this still true?

                                  As for web page secured:

                                  "dhartford" wrote:
                                  web.xml
                                  ....
                                   <security-constraint>
                                     <web-resource-collection>
                                       <web-resource-name>Required Only</web-resource-name>
                                       <description>Required Only</description>
                                       <url-pattern>/*</url-pattern>
                                       <http-method>POST</http-method>
                                       <http-method>GET</http-method>
                                     </web-resource-collection>
                                     <auth-constraint>
                                       <description>Define who can access this url-pattern</description>
                                       <role-name>*</role-name>
                                     </auth-constraint>

                                     <user-data-constraint>
                                       <transport-guarantee>NONE</transport-guarantee>
                                     </user-data-constraint>
                                   </security-constraint>

                                   <login-config>
                                     <auth-method>BASIC</auth-method>
                                     <realm-name>Please log in</realm-name>
                                   </login-config>

                                   <!-- this is a known and proven role in the JAAS modules for our test user -->
                                   <security-role>
                                     <role-name>developers</role-name>
                                   </security-role>
                                  


                                  • 14. Re: web-tier to initialcontext remote ejb3 call
                                    dhartford

                                    To more clearly restate the problem:
                                    * An EJB application server runs EJB beans with secured RMI access. This is tested and works fine with client-side code. This client-side code works correctly remotely from the web application server.

                                    * A web application server runs a web application that is also secured. Logins work correctly, denying access when not logging in correctly. The credential/principal is visible from externalcontext.getRemoteUser(). An initial context lookup of a remote EJB bean with manually specified principal/credentials works fine.

                                    I can not get the web application server, running jboss 4.0.4rc1 w/ embedded tomcat, to propagate the security principal/credentials from the web login (which are visible from externalcontext.getRemoteUser()) to an InitialContext lookup of a remote, secured EJB bean.
