5 Replies Latest reply on Jul 3, 2006 11:36 AM by j2ee_junkie

    Login module which accesses an EJB?

    klusi

      I have a database with user and roles tables and a set of Session EJBs to access this data. Now I am thinking about writing a JAAS login module that calls an authenticate(user,passwd) on the UserServiceEJB. Is this a good design or should I prefer using the database login module, which directly asks the database for authentication?

        • 1. Re: Login module which accesses an EJB?
          j2ee_junkie

          Klusi,

          I have a login module which does this as well. Is it good design? I am not sure. One very important point to note (as you will see if you search this forum) is that you can't secure the EJB that has the authenticate(user,passwd) method using the same application-policy (i.e. security-domain). There would be a circular login problem. Also, consider how you plan to authenticate the login module as a user of the EJB.

          enjoy, cgriffith

          • 2. Re: Login module which accesses an EJB?
            anil.saldhana

            It is better to use the Database LM because it does the job for you while managing the subject population with roles.

            • 3. Re: Login module which accesses an EJB?
              nigelwhite

              Further to this, I'm having a problem which is very strange.

              I'm not sure into which of the separate jar/war files to put my security classes.

              I'm using JAAS, and I have a sar file which contains meta-inf/jboss-service.xml:

              <?xml version='1.0'?>
              <!DOCTYPE policy PUBLIC
                "-//JBoss//DTD MBean Service 4.0//EN"
                "http://www.jboss.org/j2ee/dtd/jboss-service_4_0.dtd">
              <server>
                <!-- The custom JAAS login configuration that installs
                     a Configuration capable of dynamically updating the
                     config settings
                -->
                <mbean code="org.jboss.security.auth.login.DynamicLoginConfig"
                       name="jboss.security.tests:service=LoginConfig">
                  <attribute name="PolicyConfig" serialDataType="jbxb">
                    <jaas:policy
                      xsi:schemaLocation="urn:jboss:security-config:4.1 resource:security-config_4_1.xsd"
                      xmlns:jaas="urn:jboss:security-config:4.1"
                      xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">

                      <!-- Our Greenfields login config -->
                      <jaas:application-policy name="Greenfields">
                        <jaas:authentication>
                          <jaas:login-module code="com.fcl.security.GreenfieldsLoginModule" flag="required">
                            <jaas:module-option name="unauthenticatedIdentity">Anonymous</jaas:module-option>
                            <jaas:module-option name="principalClass">com.fcl.security.GreenfieldsUser</jaas:module-option>
                            <jaas:module-option name="ignorePasswordCase">true</jaas:module-option>
                          </jaas:login-module>
                        </jaas:authentication>
                      </jaas:application-policy>
                    </jaas:policy>
                  </attribute>
                  <depends optional-attribute-name="LoginConfigService">
                    jboss.security:service=XMLLoginConfig
                  </depends>
                  <depends optional-attribute-name="SecurityManagerService">
                    jboss.security:service=JaasSecurityManager
                  </depends>
                </mbean>
              </server>


              I put my com.fcl.security.GreenfieldsLoginModule,com.fcl.security.LoginUtils (utility functions used by the login process) and com.fcl.security.GreenfieldsUser (The Principal class) into the WAR file (because it's the web app that does the JAAS authentication), but then I get

              java.lang.LinkageError: loader constraints violated when linking com/fcl/security/GreenfieldsUser class

              when invoking my EJBs.

              I put com.fcl.security.GreenfieldsUser into my EJB jar file too.

              Basically, my EAR is built like this... here's my application.xml:

              <?xml version="1.0" encoding="UTF-8"?>
              <application
                xmlns="http://java.sun.com/xml/ns/j2ee"
                xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" version="1.4"
                xsi:schemaLocation="http://java.sun.com/xml/ns/j2ee http://java.sun.com/xml/ns/j2ee/application_1_4.xsd">
                <display-name>GreenFields</display-name>
                <module>
                  <java id="greenfield.jar">greenfield.jar</java>
                </module>
                <module>
                  <ejb id="persistence.jar">persistence.jar</ejb>
                </module>
                <module>
                  <ejb id="ejbs.jar">ejbs.jar</ejb>
                </module>
                <module>
                  <java id="GreenfieldsLogin.sar">GreenfieldsLogin.sar</java>
                </module>
                <module>
                  <web>
                    <web-uri>webapp.war</web-uri>
                    <context-root>gfFw</context-root>
                  </web>
                </module>
              </application>


              • 4. Re: Login module which accesses an EJB?
                nigelwhite

                Now, I just put com.fcl.security.GreenfieldsLoginModule into my WAR file.

                All other classes from the com.fcl.security package are in greenfield.jar, just another java module listed in application.xml.

                But in my LoginModule, I now get this:

                10:09:25,718 ERROR [fcl] tried to access method com.fcl.security.LoginUtils.login(Ljava/lang/String;[BLjava/lang/Long;)Lcom/fcl/security/GreenfieldsUser; from class com.fcl.security.GreenfieldsLoginModule
                java.lang.IllegalAccessError: tried to access method com.fcl.security.LoginUtils.login(Ljava/lang/String;[BLjava/lang/Long;)Lcom/fcl/security/GreenfieldsUser; from class com.fcl.security.GreenfieldsLoginModule
                 at com.fcl.security.GreenfieldsLoginModule.login(GreenfieldsLoginModule.java:116)
                 at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
                 at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
                 at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
                 at java.lang.reflect.Method.invoke(Method.java:585)
                 at javax.security.auth.login.LoginContext.invoke(LoginContext.java:769)
                 at javax.security.auth.login.LoginContext.access$000(LoginContext.java:186)
                 at javax.security.auth.login.LoginContext$4.run(LoginContext.java:683)
                 at java.security.AccessController.doPrivileged(Native Method)
                 at javax.security.auth.login.LoginContext.invokePriv(LoginContext.java:680)
                 at javax.security.auth.login.LoginContext.login(LoginContext.java:579)
                 at org.jboss.security.plugins.JaasSecurityManager.defaultLogin(JaasSecurityManager.java:587)
                 at org.jboss.security.plugins.JaasSecurityManager.authenticate(JaasSecurityManager.java:521)
                 at org.jboss.security.plugins.JaasSecurityManager.isValid(JaasSecurityManager.java:330)
                 at org.jboss.web.tomcat.security.JBossSecurityMgrRealm.authenticate(JBossSecurityMgrRealm.java:306)
                 at org.apache.catalina.authenticator.FormAuthenticator.authenticate(FormAuthenticator.java:256)
                 at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:416)
                 at org.jboss.web.tomcat.security.JaccContextValve.invoke(JaccContextValve.java:74)
                 at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:126)
                 at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:105)
                 at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:107)
                 at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:148)
                 at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:868)
                 at org.apache.coyote.http11.Http11BaseProtocol$Http11ConnectionHandler.processConnection(Http11BaseProtocol.java:663)
                 at org.apache.tomcat.util.net.PoolTcpEndpoint.processSocket(PoolTcpEndpoint.java:527)
                 at org.apache.tomcat.util.net.MasterSlaveWorkerThread.run(MasterSlaveWorkerThread.java:112)
                 at java.lang.Thread.run(Thread.java:595)


                I have a terrible problem here. I cannot get our app to work. I'm feeling the project is going to get cancelled and I'll be fired.

                Why is it this DIFFICULT? What do I have to do just to get login to work?

                • 5. Re: Login module which accesses an EJB?
                  j2ee_junkie

                  First off, start a new thread as this is not related to the thread's subject.

                  Second, do not put

                  <module>
                   <java id="GreenfieldsLogin.sar">GreenfieldsLogin.sar</java>
                  </module>
                  

                  in application.xml. The Java 2 EE spec knows nothing of JBoss sars. You need to set that in jboss-app.xml.

                  Finally, do not complain to us that you are going to get fired if you do not get help. We are only here to help voluntarily, and you should not depend on us to get your job done.

                  Happy to help otherwise, cgriffith
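
The descriptor split described in reply 5, as an added example that is not part of the original thread: the SAR entry leaves application.xml and is declared as a service module in jboss-app.xml. Both files are assumed to sit in the EAR's META-INF directory; the module names are copied from the application.xml posted in reply 3.

```xml
<!-- Added example, not from the thread. Assumes both descriptors live in the
     EAR's META-INF directory; module names are those posted in reply 3. -->

<!-- META-INF/application.xml: only module types the J2EE 1.4 schema defines -->
<application
  xmlns="http://java.sun.com/xml/ns/j2ee"
  xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" version="1.4"
  xsi:schemaLocation="http://java.sun.com/xml/ns/j2ee http://java.sun.com/xml/ns/j2ee/application_1_4.xsd">
  <display-name>GreenFields</display-name>
  <module>
    <java id="greenfield.jar">greenfield.jar</java>
  </module>
  <module>
    <ejb id="persistence.jar">persistence.jar</ejb>
  </module>
  <module>
    <ejb id="ejbs.jar">ejbs.jar</ejb>
  </module>
  <!-- The GreenfieldsLogin.sar module entry is removed from this file -->
  <module>
    <web>
      <web-uri>webapp.war</web-uri>
      <context-root>gfFw</context-root>
    </web>
  </module>
</application>

<!-- META-INF/jboss-app.xml: JBoss-specific descriptor that deploys the SAR
     carrying the DynamicLoginConfig MBean and the "Greenfields" policy -->
<jboss-app>
  <module>
    <service>GreenfieldsLogin.sar</service>
  </module>
</jboss-app>
```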