9 Replies Latest reply on Mar 30, 2009 12:55 PM by zithuba

    SecurityAssociation and ClientLoginModule authentication not

    javidjamae

      I posted a message to the EJB3 forums about remote client EJB security not working on JBoss 5 CR2 when directly setting the principal/credentials on the SecurityAssociation or by using the ClientLoginModule.

      http://www.jboss.com/index.html?module=bb&op=viewtopic&p=4182511

      I was able to login however by doing a JAAS login.

      Is this a bug, or is JAAS login the only way to authenticate a remote EJB client in JBoss 5?

        • 1. Re: SecurityAssociation and ClientLoginModule authentication

          Hi Javid

I have the same problem with the JndiLoginInitialContextFactory approach.
The sample runs fine with JBoss 4.2.2.GA but with version 5.0.0.CR2 I'm
getting an <Invalid User> message.

You can find another non-JAAS approach (with the usage of LoginContext) here: http://www.jboss.com/index.html?module=bb&op=viewtopic&t=144865

          best regards
          Tom

          • 2. Re: SecurityAssociation and ClientLoginModule authentication
            anil.saldhana

            SecurityClient client = SecurityClientFactory.getSecurityClient();
            client.setSimple("anil", "mypass");

            or

            client.setJaas("other", mycallbackhandler);

            client.login();

            http://anonsvn.jboss.org/repos/jbossas/projects/security/security-spi/tags/2.0.2.GA/spi/src/main/org/jboss/security/client/

            The above is a tested/suggested approach.

            • 3. Re: SecurityAssociation and ClientLoginModule authentication
              jaikiran


              SecurityClient client = SecurityClientFactory.getSecurityClient();
              client.setSimple("anil", "mypass");
              


              This works with JBoss-5.0 GA. However, is there a way where I can clear the user credentials and re-login with a new password? The use case I am trying is:

              // Login with incorrect password
              SecurityClient client = SecurityClientFactory.getSecurityClient();
              client.setSimple("anil", "incorrectpass");
              
              // access bean - which will throw exception because of invalid password
              bean.doAuthorizedOp();
              
              // Now logout the client since password was incorrect
              client.logout();
              
              // Now pass the correct password
              client.setSimple("anil", "correctpass");
              
              // try accessing the bean authorized method
              // should have passed but fails with "Invalid User" exception
              bean.doAuthorizedOp();
              


              Even after logging out the client with the incorrect password, and then logging in with the correct password, I get an Invalid User exception:

              [java] Exception in thread "main" javax.ejb.EJBAccessException: Invalid User
               [java] at org.jboss.ejb3.security.Ejb3AuthenticationInterceptorv2.invoke(Ejb3AuthenticationInterceptorv2.java:137)
               [java] at org.jboss.aop.joinpoint.MethodInvocation.invokeNext(MethodInvocation.java:102)
               [java] at org.jboss.ejb3.ENCPropagationInterceptor.invoke(ENCPropagationInterceptor.java:41)
               [java] at org.jboss.aop.joinpoint.MethodInvocation.invokeNext(MethodInvocation.java:102)
               [java] at org.jboss.ejb3.asynchronous.AsynchronousInterceptor.invoke(AsynchronousInterceptor.java:106)
               [java] at org.jboss.aop.joinpoint.MethodInvocation.invokeNext(MethodInvocation.java:102)
               [java] at org.jboss.ejb3.BlockContainerShutdownInterceptor.invoke(BlockContainerShutdownInterceptor.java:65)
               [java] at org.jboss.aop.joinpoint.MethodInvocation.invokeNext(MethodInvocation.java:102)
               [java] at org.jboss.aspects.currentinvocation.CurrentInvocationInterceptor.invoke(CurrentInvocationInterceptor.java:67)
               [java] at org.jboss.aop.joinpoint.MethodInvocation.invokeNext(MethodInvocation.java:102)
               [java] at org.jboss.ejb3.stateless.StatelessContainer.dynamicInvoke(StatelessContainer.java:486)
               [java] at org.jboss.ejb3.session.InvokableContextClassProxyHack._dynamicInvoke(InvokableContextClassProxyHack.java:56)
               [java] at org.jboss.aop.Dispatcher.invoke(Dispatcher.java:91)
               [java] at org.jboss.aspects.remoting.AOPRemotingInvocationHandler.invoke(AOPRemotingInvocationHandler.java:82)
               [java] at org.jboss.remoting.ServerInvoker.invoke(ServerInvoker.java:908)
               [java] at org.jboss.remoting.transport.socket.ServerThread.completeInvocation(ServerThread.java:742)
               [java] at org.jboss.remoting.transport.socket.ServerThread.processInvocation(ServerThread.java:695)
               [java] at org.jboss.remoting.transport.socket.ServerThread.dorun(ServerThread.java:522)
               [java] at org.jboss.remoting.transport.socket.ServerThread.run(ServerThread.java:230)
               [java] at org.jboss.remoting.MicroRemoteClientInvoker.invoke(MicroRemoteClientInvoker.java:206)
               [java] at org.jboss.remoting.Client.invoke(Client.java:1708)
               [java] at org.jboss.remoting.Client.invoke(Client.java:612)
               [java] at org.jboss.aspects.remoting.InvokeRemoteInterceptor.invoke(InvokeRemoteInterceptor.java:60)
               [java] at org.jboss.aop.joinpoint.MethodInvocation.invokeNext(MethodInvocation.java:102)
               [java] at org.jboss.aspects.tx.ClientTxPropagationInterceptor.invoke(ClientTxPropagationInterceptor.java:61)
               [java] at org.jboss.aop.joinpoint.MethodInvocation.invokeNext(MethodInvocation.java:102)
               [java] at org.jboss.ejb3.security.client.SecurityClientInterceptor.invoke(SecurityClientInterceptor.java:65)
               [java] at org.jboss.aop.joinpoint.MethodInvocation.invokeNext(MethodInvocation.java:102)
               [java] at org.jboss.ejb3.remoting.IsLocalInterceptor.invoke(IsLocalInterceptor.java:76)
               [java] at org.jboss.aop.joinpoint.MethodInvocation.invokeNext(MethodInvocation.java:102)
               [java] at org.jboss.aspects.remoting.PojiProxy.invoke(PojiProxy.java:62)
               [java] at $Proxy3.invoke(Unknown Source)
              • 4. Re: SecurityAssociation and ClientLoginModule authentication
                jaikiran


                "jaikiran" wrote:

                This works with JBoss-5.0 GA.


                Spoke too soon. A bit of debugging shows that using

                SecurityClient client = SecurityClientFactory.getSecurityClient();
                client.setSimple("anil", "mypass");
                


                from a standalone client to access a secure EJB on JBoss-5.0 GA server always fails with Invalid User. The principal being passed to the EJB is null. I will debug a bit more and see what the problem is.

                • 5. Re: SecurityAssociation and ClientLoginModule authentication
                  jaikiran


                  "jaikiran" wrote:

                  A bit of debugging shows that using

                  SecurityClient client = SecurityClientFactory.getSecurityClient();
                  client.setSimple("anil", "mypass");
                  


                  from a standalone client to access a secure EJB on JBoss-5.0 GA server always fails with Invalid User. The principal being passed to the EJB is null. I will debug a bit more and see what the problem is.


                  Got it working. I was missing the obvious step of client.login( ) :-) This works:
                  SecurityClient client = SecurityClientFactory.getSecurityClient();
                  client.setSimple("anil", "mypass");
                  client.login();


                  This testcase helped me understand the usage http://anonsvn.jboss.org/repos/jbossas/trunk/testsuite/src/main/org/jboss/test/security/test/client/SecurityClientUnitTestCase.java

                  • 6. Re: SecurityAssociation and ClientLoginModule authentication
                    jaikiran


                    "jaikiran" wrote:
                    However, is there a way where I can clear the user credentials and re-login with a new password? The use case I am trying is:

                    // Login with incorrect password
                    SecurityClient client = SecurityClientFactory.getSecurityClient();
                    client.setSimple("anil", "incorrectpass");
                    
                    // access bean - which will throw exception because of invalid password
                    bean.doAuthorizedOp();
                    
                    // Now logout the client since password was incorrect
                    client.logout();
                    
                    // Now pass the correct password
                    client.setSimple("anil", "correctpass");
                    
                    // try accessing the bean authorized method
                    // should have passed but fails with "Invalid User" exception
                    bean.doAuthorizedOp();
                    



                    This works too. client.logout( ) clears the credentials.
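A complete standalone client that puts together the SecurityClient calls from reply 2 and the logout/re-login sequence confirmed in this reply, as an added example that is not code from the thread or from JBoss; the JNDI name "SecureBean/remote", the SecureRemote interface, the provider URL and the credentials are assumptions.

```java
// Added example, not from the thread or JBoss: a standalone JBoss 5 EJB3 client
// using org.jboss.security.client.SecurityClient. Assumed: a secured bean bound at
// JNDI name "SecureBean/remote" with a remote interface SecureRemote; host, port
// and credentials are placeholders.
import java.util.Properties;
import javax.ejb.EJBAccessException;
import javax.naming.Context;
import javax.naming.InitialContext;
import org.jboss.security.client.SecurityClient;
import org.jboss.security.client.SecurityClientFactory;

public class SecureEjbClient {
    // Hypothetical remote interface of the secured bean.
    public interface SecureRemote { void doAuthorizedOp(); }

    public static void main(String[] args) throws Exception {
        Properties env = new Properties();
        env.put(Context.INITIAL_CONTEXT_FACTORY, "org.jnp.interfaces.NamingContextFactory");
        env.put(Context.URL_PKG_PREFIXES, "org.jboss.naming:org.jnp.interfaces");
        env.put(Context.PROVIDER_URL, "jnp://localhost:1099"); // placeholder
        Context ctx = new InitialContext(env);
        SecureRemote bean = (SecureRemote) ctx.lookup("SecureBean/remote");

        SecurityClient client = SecurityClientFactory.getSecurityClient();

        // setSimple() only stages the credentials; login() attaches them to the
        // calling thread. Without login() the server sees a null principal and
        // rejects the call with "Invalid User" (replies 4 and 5).
        client.setSimple("anil", "incorrectpass");
        client.login();
        try {
            bean.doAuthorizedOp();
        } catch (EJBAccessException e) {
            System.out.println("expected failure: " + e.getMessage());
            client.logout(); // clears the staged credentials before retrying
        }

        // Retry with the correct password (reply 6), and always clear the
        // association afterwards so the thread does not keep it alive.
        client.setSimple("anil", "correctpass");
        client.login();
        try {
            bean.doAuthorizedOp();
        } finally {
            client.logout();
        }
    }
}
```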

                    • 7. Re: SecurityAssociation and ClientLoginModule authentication
                      zithuba

                      Hi, I am having a problem with the same EJB security. I have read a lot of the articles and forums but I still have the problem. I use Anil's setup for the JAAS security login modules and deploy it with my app. It gets deployed, and I used the JBoss AS5 way of propagating login credentials as you described above. The user gets authenticated but authorization fails for my method with a RolesAllowed entry. Do I have to do this (client.login()) every time I am going to do a lookup on the context or call an EJB method?

                      • 8. Re: SecurityAssociation and ClientLoginModule authentication
                        wolfgangknauf

                        Hi,

                        "client.login" must be called only once.

                        Please start a new thread, and provide us with more details on your login module and security configuration and on your client code.

                        Did you check that your user is authenticated by the login module? Maybe the login fails and the login module falls back e.g. to the unauthenticatedIdentity (take a look at question 4 of the FAQ to see how to activate security layer logging).

                        Best regards

                        Wolfgang

                        • 9. Re: SecurityAssociation and ClientLoginModule authentication
                          zithuba