8 Replies Latest reply on Apr 1, 2009 10:36 AM by bugoff

Basic app client to app server authentication in J2EE

bugoff Mar 30, 2009 9:21 AM

I have DB with users. I also have a basic swing app with username/password fields. I want client to be able connect and authorize itself with those credentials.

Currently I have:

Client:

//global
@EJB(name="DemoServer/MyBean/remote") private MyBeanRemote ejb;

//login
Properties p = new Properties();
p.put(Context.INITIAL_CONTEXT_FACTORY, "org.jboss.security.jndi.LoginInitialContextFactory");
p.put(Context.URL_PKG_PREFIXES, "org.jboss.naming:org.jnp.interfaces");
p.put(Context.PROVIDER_URL, "localhost");
p.put(Context.SECURITY_PRINCIPAL, tName.getText());
p.put(Context.SECURITY_CREDENTIALS, tPass.getText());
p.put(Context.SECURITY_PROTOCOL, "MyLogin");


InitialContext ctx;
ctx = new InitialContext(p);
ejb = (MyBeanRemote) ctx.lookup("DemoServer/MyBean/remote");

Server is local Jboss5 and EJB3. I have jaas.conf on server and I want to authenticate through it. Am I on the right path and what do I do? Thank you very much.

1. Re: Basic app client to app server authentication in J2EE

wolfgangknauf Mar 30, 2009 10:20 AM (in response to bugoff)

Hi,

as far as I know, "LoginInitialContextFactory" is no longer working in JBoss 5.

Take a look at this thread (post 2) to see how to perform a JAAS login:
http://www.jboss.org/index.html?module=bb&op=viewtopic&t=144865

Another tip: you use an @EJB annotation in your code, and later perform a JNDI lookup. Here http://www.jboss.org/community/docs/DOC-12835 is a tutorial on how to use injection in appliaction clients.

Best regards

Wolfgang
Actions
2. Re: Basic app client to app server authentication in J2EE

bugoff Mar 30, 2009 10:25 AM (in response to bugoff)

Should LoginContext be on the same side as InitialContext (ie client), or not? If first, then why does the client need to know what LoginModule the server is using?
Actions
3. Re: Basic app client to app server authentication in J2EE

wolfgangknauf Mar 31, 2009 5:02 AM (in response to bugoff)

Hi,

I'm no JAAS specialist, so I cannot give you in-depth answers, but I will try...
"LoginContext" is on the client side. Don't mix this with the server side of the configuration. The "LoginContext" of "auth.conf" declares the module used on the client side to perform the JAAS login. It has nothing in common with the login modules used on the server side. So the client does not need to know how the server performs login

Hope this helps

Wolfgang
Actions
4. Re: Basic app client to app server authentication in J2EE

bugoff Mar 31, 2009 5:44 AM (in response to bugoff)

Thanks, that's pretty much what I was looking for!

So, how do I pass username/password to server if not through LoginContext?

Thank you
Actions
5. Re: Basic app client to app server authentication in J2EE

wolfgangknauf Mar 31, 2009 6:36 AM (in response to bugoff)
Hi,

might be a misunderstanding: you still need the LoginContext on the client side. User/password are provided through the CallbackHandler interface:

AppCallbackHandler callbackHandler = new AppCallbackHandler(user, password.toCharArray() ); LoginContext loginContext = new LoginContext ("logincontextname", callbackHandler); loginContext.login();

The "AppCallbackHandler" is a JBoss specific class, which contains user and password. There might be other implementations, which read user/password e.g. from user input.

The "logincontextname" must be declared in "auth.conf" and point to the client login module.

Best regards

Wolfgang
Actions
6. Re: Basic app client to app server authentication in J2EE

bugoff Mar 31, 2009 6:43 AM (in response to bugoff)

hold on, why do I need "auth.conf" and LoginContext on a client?

You said:
So the client does not need to know how the server performs login

Thank you.
Actions
7. Re: Basic app client to app server authentication in J2EE

wolfgangknauf Mar 31, 2009 8:07 AM (in response to bugoff)

Hi,

there are two steps required to configure security:

a) on the server (through "login-config.xml" and security domains).

b) on the client (as the client security layer has to know how to perform login against the server).

The client basically sends user and password to the server, and the server grants access or denies it. The client knows whether he has to send user/password or a certificate (this is configured by code and through "auth.conf"). But the client does NOT know how the user/password login is handled on the server side.

Unfortunately, the term "LoginContext" appears on both sides, but these are different things.

You might take a look at the EJB3 tutorial for a very simple sample (chapter 27): http://www.jboss.org/file-access/default/members/jbossejb3/freezone/docs/tutorial/1.0.4/html/Security_and_Transactions_in_EJB3.html

Best regards

Wolfgang
Actions
8. Re: Basic app client to app server authentication in J2EE

bugoff Apr 1, 2009 10:36 AM (in response to bugoff)

Thank you very much, it all helped a lot.
Actions

Go to original post