Confused by Client login
amayingenta Mar 17, 2006 10:46 AM
Hi, I'm having problems with authentication for a remote EJB client.
As I understand it, my client should use the ClientLoginModule to collect username/password, and then the server should be configured to use a login module that will read the username/password passed from the client.
I believe that everything is working on the client end, as after login a Subject has been created with a Principal named for my username, and SecurityAssociation.getPrincipal() and SecurityAssociation.getCredential() have been set (which is what I expect from poking around in the ClientLoginModule code).
On the server end, my custom login module is being called. This passes a NameCallback to the provided CallbackHandler, but the name does not get set to the username I provided at the client end.
I guess my expectation is that the CallbackHandler provided by the container would have the principal and credential from the client passed by whatever mechanism JBoss uses.
Attaching a debugger, the CallbackHandler appears to be a SecurityAssociationHandler (wrapped by a SecureCallbackHandler), which should set the name of a NameCallback to the name of the Principal the SecurityAssociationHandler is initialised with. However, both the Principal and the Credential are null, so nothing appears to have been propagated from the client.
This is part of the client code. Does it need to be doing something different?
    CallbackHandler handler = new MyCallbackHandler(username, password);
    LoginContext loginContext = new LoginContext("other", handler);
    loginContext.login();
    Subject subject = loginContext.getSubject();
    // the subject has a principal where name=username as expected
    Hashtable<String, String> props = new Hashtable<String, String>();
    props.put(Context.INITIAL_CONTEXT_FACTORY, "org.jnp.interfaces.NamingContextFactory");
    props.put(Context.PROVIDER_URL, "localhost:1099");
    Context ctx = new InitialContext(props);
    IdentityController controller = (IdentityController)ctx.lookup("IdentityControllerBean/remote");
    ...
This is using the other login configuration in client/auth.conf, which just contains the ClientLoginModule.
On the server end, I am using a custom login module that extends AbstractServerLoginModule. This is configured in login-config.xml:
    <application-policy name="identity">
      <authentication>
        <login-module code="com.ingenta.ics.client.SessionLoginModule" flag="required"></login-module>
      </authentication>
    </application-policy>
I only made my login module extend the JBoss one because I wasn't sure if this was necessary to get the client details to propagate, but that made no difference.
This is with JBoss 4.0.4RC1, and it's calling an EJB3 bean. I can't see any issues in JIRA for EJB3 that would cause this.
Thanks in advance for your help, this is my first taste of JAAS, and it's giving me headaches.
-Andrew
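
The server-side callback flow described in the post, as an added example that is not part of the original post and uses only the JDK's JAAS classes: a login module asks the handler for a name and password and rejects the login when nothing was propagated. `containerHandler`, `FailClosedModule` and the `alice`/`s3cret` account are hypothetical stand-ins constructed for illustration, not JBoss classes or the poster's code.

```java
import java.security.MessageDigest;
import java.util.Map;
import javax.security.auth.Subject;
import javax.security.auth.callback.*;
import javax.security.auth.login.*;
import javax.security.auth.spi.LoginModule;
public class NullIdentityDemo {
    // Hypothetical stand-in for a container handler: it can only hand back what reached the server.
    static CallbackHandler containerHandler(String name, char[] cred) {
        return callbacks -> {
            for (Callback cb : callbacks) {
                if (cb instanceof NameCallback && name != null) ((NameCallback) cb).setName(name);
                if (cb instanceof PasswordCallback) ((PasswordCallback) cb).setPassword(cred);
            }
        };
    }
    public static class FailClosedModule implements LoginModule {
        private CallbackHandler handler;
        public void initialize(Subject s, CallbackHandler h, Map<String, ?> shared, Map<String, ?> opts) { handler = h; }
        public boolean login() throws LoginException {
            NameCallback nc = new NameCallback("user");
            PasswordCallback pc = new PasswordCallback("password", false);
            try { handler.handle(new Callback[] { nc, pc }); }
            catch (Exception e) { throw new LoginException(e.toString()); }
            if (nc.getName() == null || pc.getPassword() == null)   // nothing propagated: reject
                throw new FailedLoginException("no caller identity reached the server");
            // Constructed demo account; a real module checks its own user store.
            boolean ok = nc.getName().equals("alice") && MessageDigest.isEqual(
                new String(pc.getPassword()).getBytes(), "s3cret".getBytes());
            if (!ok) throw new FailedLoginException("bad credentials");
            return true;
        }
        public boolean commit() { return true; }
        public boolean abort() { return true; }
        public boolean logout() { return true; }
    }
    static boolean attempt(String name, char[] cred) {
        Configuration conf = new Configuration() {
            public AppConfigurationEntry[] getAppConfigurationEntry(String app) {
                return new AppConfigurationEntry[] { new AppConfigurationEntry(FailClosedModule.class.getName(),
                    AppConfigurationEntry.LoginModuleControlFlag.REQUIRED, java.util.Collections.<String, Object>emptyMap()) };
            }
        };
        try { new LoginContext("identity", null, containerHandler(name, cred), conf).login(); return true; }
        catch (LoginException e) { return false; }
    }
    public static void main(String[] args) {
        System.out.println(attempt("alice", "s3cret".toCharArray()) + " " + attempt(null, null));
    }
}
```

The explicit null check matters because a module that only compares the supplied name against a lookup result can otherwise treat a missing identity as an ordinary mismatch, or worse, as a match against an empty default.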