1. Re: Basic app client to app server authentication in J2EE
wolfgangknauf Mar 30, 2009 10:20 AM (in response to bugoff)
Hi,
as far as I know, "LoginInitialContextFactory" is no longer working in JBoss 5.
Take a look at this thread (post 2) to see how to perform a JAAS login:
http://www.jboss.org/index.html?module=bb&op=viewtopic&t=144865
Another tip: you use an @EJB annotation in your code, and later perform a JNDI lookup. Here http://www.jboss.org/community/docs/DOC-12835 is a tutorial on how to use injection in application clients.
Best regards
Wolfgang
2. Re: Basic app client to app server authentication in J2EE
bugoff Mar 30, 2009 10:25 AM (in response to bugoff)
Should LoginContext be on the same side as InitialContext (ie client), or not? If first, then why does the client need to know what LoginModule the server is using?
3. Re: Basic app client to app server authentication in J2EE
wolfgangknauf Mar 31, 2009 5:02 AM (in response to bugoff)
Hi,
I'm no JAAS specialist, so I cannot give you in-depth answers, but I will try...
"LoginContext" is on the client side. Don't mix this with the server side of the configuration. The "LoginContext" of "auth.conf" declares the module used on the client side to perform the JAAS login. It has nothing in common with the login modules used on the server side. So the client does not need to know how the server performs login.
Hope this helps
Wolfgang
4. Re: Basic app client to app server authentication in J2EE
bugoff Mar 31, 2009 5:44 AM (in response to bugoff)
Thanks, that's pretty much what I was looking for!
So, how do I pass username/password to server if not through LoginContext?
Thank you
5. Re: Basic app client to app server authentication in J2EE
wolfgangknauf Mar 31, 2009 6:36 AM (in response to bugoff)
Hi,
might be a misunderstanding: you still need the LoginContext on the client side. User/password are provided through the CallbackHandler interface:

    import javax.security.auth.login.LoginContext;
    import org.jboss.security.auth.callback.AppCallbackHandler;

    // JBoss CallbackHandler that answers the name/password callbacks with the given values
    AppCallbackHandler callbackHandler = new AppCallbackHandler(user, password.toCharArray());
    LoginContext loginContext = new LoginContext("logincontextname", callbackHandler);
    loginContext.login();
The "AppCallbackHandler" is a JBoss specific class, which contains user and password. There might be other implementations, which read user/password e.g. from user input.
The "logincontextname" must be declared in "auth.conf" and point to the client login module.
Best regards
Wolfgang
6. Re: Basic app client to app server authentication in J2EE
bugoff Mar 31, 2009 6:43 AM (in response to bugoff)
Hold on, why do I need "auth.conf" and LoginContext on a client?
You said: "So the client does not need to know how the server performs login"
Thank you.
7. Re: Basic app client to app server authentication in J2EE
wolfgangknauf Mar 31, 2009 8:07 AM (in response to bugoff)
Hi,
there are two steps required to configure security:
a) on the server (through "login-config.xml" and security domains).
b) on the client (as the client security layer has to know how to perform login against the server).
The client basically sends user and password to the server, and the server grants access or denies it. The client knows whether he has to send user/password or a certificate (this is configured by code and through "auth.conf"). But the client does NOT know how the user/password login is handled on the server side.
Unfortunately, the term "LoginContext" appears on both sides, but these are different things.
You might take a look at the EJB3 tutorial for a very simple sample (chapter 27): http://www.jboss.org/file-access/default/members/jbossejb3/freezone/docs/tutorial/1.0.4/html/Security_and_Transactions_in_EJB3.html
Best regards
Wolfgang
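The client-side half described in posts 5 and 7 (a LoginContext driven by a CallbackHandler, configured by a client login module that only collects credentials and never verifies them) as a complete, added example that is not from this thread or from JBoss. The class names UserPasswordCallbackHandler, CollectingClientLoginModule, SimplePrincipal and clientConfig() are constructed for illustration: the handler stands in for JBoss's AppCallbackHandler, the module stands in for the JBoss ClientLoginModule that auth.conf would normally name, and the programmatic Configuration stands in for auth.conf so the example runs with only the JDK. The user name and password are constructed sample values.

```java
import java.io.IOException;
import java.security.Principal;
import java.util.Arrays;
import java.util.Collections;
import java.util.Map;
import javax.security.auth.Subject;
import javax.security.auth.callback.*;
import javax.security.auth.login.*;
import javax.security.auth.login.AppConfigurationEntry.LoginModuleControlFlag;
import javax.security.auth.spi.LoginModule;

public class ClientJaasLoginDemo {

    // Hypothetical stand-in for JBoss's AppCallbackHandler: answers the name/password callbacks.
    static final class UserPasswordCallbackHandler implements CallbackHandler {
        private final String user;
        private final char[] password;
        UserPasswordCallbackHandler(String user, char[] password) { this.user = user; this.password = password; }

        @Override
        public void handle(Callback[] callbacks) throws UnsupportedCallbackException {
            for (Callback cb : callbacks) {
                if (cb instanceof NameCallback) ((NameCallback) cb).setName(user);
                else if (cb instanceof PasswordCallback) ((PasswordCallback) cb).setPassword(password);
                else throw new UnsupportedCallbackException(cb, "only name/password callbacks supported");
            }
        }
    }

    // Minimal Principal so the collected user name can be placed in the Subject.
    static final class SimplePrincipal implements Principal {
        private final String name;
        SimplePrincipal(String name) { this.name = name; }
        @Override public String getName() { return name; }
        @Override public String toString() { return name; }
    }

    // Hypothetical client-side login module. Like the JBoss ClientLoginModule it does NOT verify
    // the password: it only collects the credentials from the CallbackHandler so the remote
    // invocation layer can send them to the server, whose login-config.xml modules do the real check.
    public static final class CollectingClientLoginModule implements LoginModule {
        private Subject subject;
        private CallbackHandler handler;
        private String user;
        private char[] password;

        @Override
        public void initialize(Subject subject, CallbackHandler handler,
                               Map<String, ?> sharedState, Map<String, ?> options) {
            this.subject = subject;
            this.handler = handler;
        }

        @Override
        public boolean login() throws LoginException {
            NameCallback nc = new NameCallback("user: ");
            PasswordCallback pc = new PasswordCallback("password: ", false);
            try {
                handler.handle(new Callback[] { nc, pc });
            } catch (IOException | UnsupportedCallbackException e) {
                throw new LoginException("callback handler failed: " + e.getMessage());
            }
            user = nc.getName();
            password = pc.getPassword();   // returns a copy, so clear the callback's own buffer
            pc.clearPassword();
            if (user == null || user.isEmpty() || password == null) {
                throw new FailedLoginException("no credentials supplied on the client");
            }
            return true;
        }

        @Override public boolean commit() {
            subject.getPrincipals().add(new SimplePrincipal(user));
            subject.getPrivateCredentials().add(password);
            return true;
        }
        @Override public boolean abort() { wipe(); return true; }
        @Override public boolean logout() {
            subject.getPrincipals().clear();
            subject.getPrivateCredentials().clear();
            wipe();
            return true;
        }
        private void wipe() {
            if (password != null) Arrays.fill(password, '\0');
            password = null;
            user = null;
        }
    }

    // Programmatic equivalent of a client auth.conf entry such as
    //   logincontextname { org.jboss.security.ClientLoginModule required; };
    // using the example module above in place of the JBoss one.
    static Configuration clientConfig() {
        return new Configuration() {
            @Override
            public AppConfigurationEntry[] getAppConfigurationEntry(String name) {
                if (!"logincontextname".equals(name)) return null;
                return new AppConfigurationEntry[] { new AppConfigurationEntry(
                        CollectingClientLoginModule.class.getName(),
                        LoginModuleControlFlag.REQUIRED, Collections.<String, Object>emptyMap()) };
            }
        };
    }

    public static void main(String[] args) throws LoginException {
        Subject subject = new Subject();
        // constructed sample credentials, not real ones
        CallbackHandler cb = new UserPasswordCallbackHandler("alice", "s3cret".toCharArray());
        LoginContext lc = new LoginContext("logincontextname", subject, cb, clientConfig());
        lc.login();   // drives login() then commit() on the client module
        System.out.println("client-side principals: " + subject.getPrincipals());
        lc.logout();  // clears the Subject and wipes the cached password
    }
}
```

Compile and run it with a plain JDK (`javac ClientJaasLoginDemo.java && java ClientJaasLoginDemo`). The point to take away is the division of labour Wolfgang describes: nothing on the client checks whether "s3cret" is right, it merely ends up in the Subject for the invocation layer to carry to the server, and the server's own login-config.xml modules, which this client never sees, decide whether access is granted.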
8. Re: Basic app client to app server authentication in J2EE
bugoff Apr 1, 2009 10:36 AM (in response to bugoff)
Thank you very much, it all helped a lot.