Some new output was generated after enabling debugging. But the only thing I can see, that the error is not in the login module but somewhere in the servlet container.

Is there something special that I have to pay attention when I'm using Struts2 as framework?

...
16:01:50,566 INFO [SpiiderLoginModule] Logged into LDAP server, javax.naming.ld
ap.InitialLdapContext@6857da
16:01:50,581 INFO [SpiiderLoginModule] getRoleSets using rolesQuery: SELECT u.u
serid, r."role" FROM "security".application_user u, "security".application_role
r, "security".user_role ur WHERE u.userid = ? AND u.userid = ur.user_id AND ur.r
ole_id = r."role", gid: 79A44E672EA8C49B
16:01:50,769 ERROR [[default]] Servlet.service() for servlet default threw excep
tion
javax.ejb.EJBAccessException: Caller unauthorized
...

My web.xml:

<?xml version="1.0" encoding="UTF-8"?>
<web-app version="2.4" xmlns="http://java.sun.com/xml/ns/j2ee"
 xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
 xsi:schemaLocation="http://java.sun.com/xml/ns/j2ee http://java.sun.com/xml/ns/j2ee/web-app_2_4.xsd">

 <display-name>CANCardViewer</display-name>
 <context-param>
 <!-- the JAAS Login Domain -->
 <param-name>jaasLoginDomain</param-name>
 <param-value>cancardDomain</param-value>
 </context-param>
 <context-param>
 <!-- the JAAS Client Login Domain -->
 <param-name>jaasClientLoginDomain</param-name>
 <param-value>client-login</param-value>
 </context-param>
 <context-param>
 <param-name>jmesaPreferencesLocation</param-name>
 <param-value>
 /resources/jmesa.properties
 </param-value>
 </context-param>
 <context-param>
 <param-name>jmesaMessagesLocation</param-name>
 <param-value>applicationResources</param-value>
 </context-param>

 <filter>
 <filter-name>struts2</filter-name>
 <filter-class>
 org.apache.struts2.dispatcher.FilterDispatcher
 </filter-class>
 </filter>

<!--
 This is not necessary if a ServiceLocator fetches the data from EJB layer
 <filter>
 <filter-name>SpringOpenEntityManagerInViewFilter</filter-name>
 <filter-class>
 org.springframework.orm.jpa.support.OpenEntityManagerInViewFilter
 </filter-class>
 </filter>

 <filter-mapping>
 <filter-name>SpringOpenEntityManagerInViewFilter</filter-name>
 <url-pattern>/*</url-pattern>
 </filter-mapping>
-->

 <filter-mapping>
 <filter-name>struts2</filter-name>
 <url-pattern>/*</url-pattern>
 </filter-mapping>

 <servlet>
 <servlet-name>worksheet</servlet-name>
 <servlet-class>org.jmesa.worksheet.servlet.WorksheetServlet</servlet-class>
 </servlet>

 <servlet-mapping>
 <servlet-name>worksheet</servlet-name>
 <url-pattern>*.wrk</url-pattern>
 </servlet-mapping>


 <listener>
 <listener-class>
 org.springframework.web.context.ContextLoaderListener
 </listener-class>
 </listener>

 <welcome-file-list>
 <welcome-file>index.jsp</welcome-file>
 </welcome-file-list>

</web-app>

/**
 *
 */
package vwg.audi.cancard.ui.interceptor;

import javax.servlet.http.HttpServletRequest;

import org.apache.log4j.Logger;
import org.apache.struts2.ServletActionContext;

import vwg.yyy.cancard.business.LoginFacade;
import vwg.yyy.cancard.ui.JAASConstants;

import com.opensymphony.xwork2.Action;
import com.opensymphony.xwork2.ActionInvocation;
import com.opensymphony.xwork2.interceptor.Interceptor;

/**
 * JAASLoginFilter
 *
 * @author Michael Obster
 */
public class JAASLoginInterceptor implements Interceptor {

 private static final long serialVersionUID = -1983088770872827621L;

 private Logger log = Logger.getLogger(this.getClass());

 String loginDomain = "";
 String clientLoginDomain = "";

 LoginFacade loginFacade;

 @Override
 public void init() {

 }

 @Override
 public String intercept(ActionInvocation actionInvocation) throws Exception {
 loginDomain = ServletActionContext.getServletContext().getInitParameter("jaasLoginDomain");
 clientLoginDomain = ServletActionContext.getServletContext().getInitParameter("jaasClientLoginDomain");
 if (log.isDebugEnabled()) {
 log.debug("init JAASInterceptor: loginDomain:" + loginDomain + " clientLoginDomain:" + clientLoginDomain);
 }

 HttpServletRequest request = ServletActionContext.getRequest();
 String servletPath = request.getServletPath();
 String pathInfo = request.getPathInfo();
 String path = (servletPath == null ? "" : servletPath)
 + (pathInfo == null ? "" : pathInfo);
 if (log.isDebugEnabled()) {
 log.debug("Login INTERCEPT");
 }
 loginFacade = new LoginFacade(loginDomain, clientLoginDomain);


 if (!JAASConstants.USER_IS_VALID.equals(request
 .getSession().getAttribute(
 JAASConstants.USER_VALIDITY))) {
 log.info("requested path: " + path);
 return Action.LOGIN;
 }

 //Perform client-login
 String username = (String)request.getSession().getAttribute(JAASConstants.USERNAME);
 String strPassword = (String)request.getSession().getAttribute(JAASConstants.PASSWORD);

 // Classic login by username and password
 loginFacade.clientLogin(username, strPassword);
 if (log.isDebugEnabled()) {
 log.debug("*****CLIENTLOGIN COMPLETE****");
 }

 return actionInvocation.invoke();
 }

 @Override
 public void destroy() {
 loginFacade.logout();
 }



}

Perhaps you're right I will test that in the next hours. To be complete, this is my LoginFacade:

/**
 *
 */
package vwg.audi.cancard.business;

import javax.naming.AuthenticationException;
import javax.security.auth.login.LoginContext;
import javax.security.auth.login.LoginException;

import org.apache.log4j.Logger;
import org.jboss.security.auth.callback.UsernamePasswordHandler;

import vwg.audi.cancard.JAASLoginException;
import vwg.audi.cancard.ui.JAASConstants;

/**
 * LoginFacade
 *
 * @author Michael Obster (michael.obster@epos-cat.de)
 */
public class LoginFacade {
 private Logger log = Logger.getLogger(this.getClass());

 private LoginContext lc = null;
 private String loginContext = "";
 private String clientContext = "";

 public LoginFacade(String loginContext, String clientContext) {
 this.loginContext = loginContext;
 this.clientContext = clientContext;
 }

 /**
 * Real login, used by GUI.
 *
 * @param username
 * @param strPassword
 * @throws Exception
 */
 public void login(String username, String strPassword) throws Exception{
 char[] password = strPassword != null ? strPassword.toCharArray() : "".toCharArray() ;
 UsernamePasswordHandler handler = new UsernamePasswordHandler(username, password);

 lc = null;
 try {
 //Login for usercheck
 lc = new LoginContext(loginContext, handler);
 lc.login();

 } catch (Exception e) {
 Throwable t = e;
 while (t.getCause() != null) {

 if (t instanceof AuthenticationException) {
 break;
 }
 t = t.getCause();
 }

 //Analyse AuthenticationException
 if (t instanceof AuthenticationException) {
 AuthenticationException ex = (AuthenticationException)t;
 String emsg = ex.getExplanation();
 if (!hasValue(emsg)) {
 emsg = "";
 }
 String errorhint = JAASConstants.USER_NOT_AUTHENTICATED;
 if (emsg.indexOf("password expired") > 0) {
 errorhint = JAASConstants.PASSWORD_EXPIRED;
 } else if (emsg.indexOf("error code 49") > 0) {
 errorhint = JAASConstants.PASSWORD_INVALID;
 } else if (emsg.indexOf("error code 19") > 0) {
 errorhint = JAASConstants.USER_REVOKED;
 } else if (emsg.indexOf("error code 32") > 0) {
 errorhint = JAASConstants.USER_INVALID;
 }
 log.debug(username + " " + ex.getExplanation() + " hint: " + errorhint);
 throw new JAASLoginException(errorhint, ex);

 } else if (t instanceof LoginException) {
 LoginException ex = (LoginException)t;
 String emsg = ex.getMessage();
 if (!hasValue(emsg)) {
 emsg = "";
 }
 String errorhint = JAASConstants.USER_NOT_AUTHENTICATED;
 if (emsg.indexOf("Password Required") > 0) {
 errorhint = JAASConstants.PASSWORD_INVALID;
 }
 log.debug(username + " " + emsg + " " + errorhint);
 throw new JAASLoginException(errorhint, ex);
 } else {
 log.debug(username + " " + t.getMessage() + " " + JAASConstants.UNEXPECTED_ERROR);
 throw new JAASLoginException(JAASConstants.UNEXPECTED_ERROR, t);
 }
 }
 }

 /**
 * Background Login, set user and password from filter.
 */
 public void clientLogin(String username, String strPassword) throws JAASLoginException {
 char[] password = strPassword != null ? strPassword.toCharArray() : "".toCharArray() ;
 UsernamePasswordHandler handler = new UsernamePasswordHandler(username, password);
 try {
 lc = new LoginContext(clientContext, handler);
 lc.login();
 } catch (LoginException e) {

 throw new JAASLoginException(JAASConstants.UNEXPECTED_ERROR);
 }
 }

 public void logout() throws JAASLoginException {
 if (lc == null)
 return;

 try {
 lc.logout();
 } catch (LoginException e) {
 log.error("JAAS-Logout failed!", e);
 throw new JAASLoginException(JAASConstants.UNEXPECTED_ERROR);
 }
 }

 /**
 * Helper function tests if Strings have a value.
 *
 * @param s - the String to test.
 * @return true or false
 */
 boolean hasValue(String s) {
 return s != null && s.trim().length() != 0 ? true : false;
 }
}

After some trying I get another error, so I tried to find out where the method isUserInRole is implemented, because I want to know what happens there. So where can I have a deeper look into that?

The error is

...
13:33:02,033 INFO [Login] User extern.michael.obster: login successfull!
13:33:02,049 DEBUG [CoyoteAdapter] Requested cookie session id is 935A59F3B0ED6
44F944D50636D518275
13:33:02,080 DEBUG [JAASLoginInterceptor] Login INTERCEPT
13:33:02,096 DEBUG [JAASLoginInterceptor] User Principal=extern.michael.obster
13:33:02,096 DEBUG [RealmBase] Username extern.michael.obster does NOT have role
 RegularUser
13:33:02,096 DEBUG [JAASLoginInterceptor] isUserInRole(Authorized User)=false
13:33:02,096 DEBUG [RealmBase] Username extern.michael.obster does NOT have role
 RegularUser
13:33:02,096 ERROR [[default]] Servlet.service() for servlet default threw excep
tion
javax.servlet.ServletException: User is not authenticated or the isUserInRole ch
eck failed
 at vwg.audi.cancard.ui.interceptor.JAASLoginInterceptor.intercept(JAASLo
ginInterceptor.java:77)
 at com.opensymphony.xwork2.DefaultActionInvocation$2.doProfiling(Default
ActionInvocation.java:224)
...

Using the Webauthentication does only have to be used from the interceptor instead of my own LoginFacade as I have seen. First of all is this correct?

So I hope I've moved to WebAuthetication in the correct way. I have seen a example how to implement a struts 1 filter. I have used the code to implement my struts 2 interceptor.

And this is the current error:

15:05:30,318 DEBUG [RealmBase] Username extern.michael.obster does NOT have role AdminUser

/**
 *
 */
package vwg.audi.cancard.ui.interceptor;

import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;

import org.apache.log4j.Logger;
import org.apache.struts2.ServletActionContext;
import org.jboss.web.tomcat.security.login.WebAuthentication;

import vwg.audi.cancard.business.LoginFacade;
import vwg.audi.cancard.ui.JAASConstants;

import com.opensymphony.xwork2.Action;
import com.opensymphony.xwork2.ActionInvocation;
import com.opensymphony.xwork2.interceptor.Interceptor;

/**
 * JAASLoginFilter
 *
 * @author Michael Obster
 */
public class JAASLoginInterceptor implements Interceptor {

 private static final long serialVersionUID = -1983088770872827621L;

 private Logger log = Logger.getLogger(this.getClass());

 String loginDomain = "";
 String clientLoginDomain = "";

 LoginFacade loginFacade;

 @Override
 public void init() {

 }

 @Override
 public String intercept(ActionInvocation actionInvocation) throws Exception {
 HttpServletRequest request = ServletActionContext.getRequest();

 String servletPath = request.getServletPath();
 String pathInfo = request.getPathInfo();
 String path = (servletPath == null ? "" : servletPath)
 + (pathInfo == null ? "" : pathInfo);
 if (log.isDebugEnabled()) {
 log.debug("Login INTERCEPT");
 }

 if (!JAASConstants.USER_IS_VALID.equals(request
 .getSession().getAttribute(
 JAASConstants.USER_VALIDITY))) {
 log.info("requested path: " + path);
 return Action.LOGIN;
 }

 //Get the user name and password based on some attributes from your FORM post
 String username = (String) request.getSession().getAttribute(JAASConstants.USERNAME); //username can be any attribute
 String pass = (String) request.getSession().getAttribute(JAASConstants.PASSWORD); //pass can be any attribute

 if(username == null || pass == null) {
 throw new RuntimeException("username or password is null");
 }
 WebAuthentication pwl = new WebAuthentication();
 pwl.login(username, pass);

 if (log.isDebugEnabled()) {
 //Only when there is web login, does the principal be visible
 log.debug("User Principal="+request.getUserPrincipal());
 //Some basic checks to see if the user who just did a programmatic login has a role of "AuthorizedUser"
 log.debug("isUserInRole(Authorized User)="+request.isUserInRole("AdminUser"));
 }

 if(request.getUserPrincipal() == null || !request.isUserInRole("AdminUser")) {
 throw new ServletException("User is not authenticated or the isUserInRole check failed");
 }

 //Log the user out
 pwl.logout();

 if(request.getUserPrincipal() != null || request.isUserInRole("AdminUser")) {
 throw new ServletException("User is still authenticated or pass: isUserInRole(Authorized User)");
 }

 return actionInvocation.invoke();
 }

 @Override
 public void destroy() {
// loginFacade.logout();
 }

}

Ok. Thank you. I will try that with the servlet.

Form based authentication would be also a way to solve that use case but needs more work, because my current code is migrated from an old application.

One of the speciality that I have, is that my roles are not defined in the LDAP itself but in a database which is queried with the username after the user has authenticated against the LDAP (in my case a global catalog of a Active-Directory structure) to get the role.
A second point is that I have to parse the LDAP connection string before connecting, because I need to get the global catalog servers from a SRV query on the DNS system.

I hope these two things are also possible with the form based authetication, but I think I cannot use a existing JBoss LoginModule for that and have to use my own.

I will have a deeper look into the article, perhaps I get an idea how I can solve my issue.

Kind regards,
Michael

Ok, I have some new errors using a servlet, but this is also not working.

After I had a deeper look into the Web based authentication, I've seen that this is not usable for my usecase, because the service must be also usable over a Public-Key-Infrastructure. The Web based authentication does not support that.

What I've seen the JAASLoginModule is called ervery time I access an EJB. The strange thing is that the login works, but on accessing an EJB I get an Invalid user error and a message "Bad password for username=null" from JAAS, so it looks that the JAAS module forgets my username and password I logged in before successfully. I suppose, this is the problem of the previous error.
The question now is how I can solve that issue.

This is the complete error until the call of the EJB method:

16:12:42,099 INFO [SpiiderLoginModule] trying dn: uid=extern.michael.obster, ou=External,ou=People,ou=Access
16:12:42,099 INFO [SpiiderLoginModule] Logging into LDAP server, env={java.naming.factory.initial=com.sun.jndi.ldap.LdapCtxFactory, dsJndiName=cancardviewerDS, rolesQuery=SELECT u.userid, r."role" FROM "security".application_user u, "security".application_role r, "security".user_role ur WHERE u.userid = ? AND u.userid = ur.user_id AND ur.role_id = r."role", java.naming.security.principal=uid=extern.michael.obster, ou=External,ou=People,ou=Access, jboss.security.security_domain=cancardDomain, java.naming.provider.url=ldap://ldaphost, java.naming.security.authentication=simple, java.naming.security.credentials=***, principal.dn.groups=ou=Corporate,ou=People,ou=Access:ou=External,ou=People,ou=Access}
16:12:42,130 INFO [SpiiderLoginModule] Logged into LDAP server, javax.naming.ldap.InitialLdapContext@9e50cd
16:12:42,130 INFO [SpiiderLoginModule] getRoleSets using rolesQuery: SELECT u.userid, r."role" FROM "security".application_user u, "security".application_role r, "security".user_role ur WHERE u.userid = ? AND u.userid = ur.user_id AND ur.role_id = r."role", gid: 12A44E672EA8C49B
16:12:42,146 INFO [LoginServlet] User extern.michael.obster: login successfull!

16:12:42,146 DEBUG [LoginServlet] init JAASInterceptor: loginDomain:cancardDomain clientLoginDomain:client-login
16:12:42,193 INFO [SpiiderLoginModule] LdapLoginModule, dsJndiName=cancardviewerDS
16:12:42,193 INFO [SpiiderLoginModule] rolesQuery=SELECT u.userid, r."role" FROM "security".application_user u, "security".application_role r, "security".user_role ur WHERE u.userid = ? AND u.userid = ur.user_id AND ur.role_id = r."role"
16:12:42,193 INFO [SpiiderLoginModule] defaultRole=RegularUser
16:12:42,193 DEBUG [SpiiderLoginModule] Bad password for username=null
16:12:42,193 ERROR [[LoginServlet]] Servlet.service() for servlet LoginServlet threw exception
javax.ejb.EJBAccessException: Invalid User
 at org.jboss.ejb3.security.Ejb3AuthenticationInterceptorv2.invoke(Ejb3Au
thenticationInterceptorv2.java:165)
 at org.jboss.aop.joinpoint.MethodInvocation.invokeNext(MethodInvocation.
java:102)
 at org.jboss.ejb3.ENCPropagationInterceptor.invoke(ENCPropagationInterce
ptor.java:41)
 at org.jboss.aop.joinpoint.MethodInvocation.invokeNext(MethodInvocation.
java:102)
 at org.jboss.ejb3.BlockContainerShutdownInterceptor.invoke(BlockContaine
rShutdownInterceptor.java:67)
 at org.jboss.aop.joinpoint.MethodInvocation.invokeNext(MethodInvocation.
java:102)
 at org.jboss.aspects.currentinvocation.CurrentInvocationInterceptor.invo
ke(CurrentInvocationInterceptor.java:67)
 at org.jboss.aop.joinpoint.MethodInvocation.invokeNext(MethodInvocation.
java:102)
 at org.jboss.ejb3.stateless.StatelessContainer.dynamicInvoke(StatelessCo
ntainer.java:421)
 at org.jboss.ejb3.remoting.IsLocalInterceptor.invokeLocal(IsLocalInterce
ptor.java:85)
 at org.jboss.ejb3.remoting.IsLocalInterceptor.invoke(IsLocalInterceptor.
java:72)
 at org.jboss.aop.joinpoint.MethodInvocation.invokeNext(MethodInvocation.
java:102)
 at org.jboss.aspects.remoting.PojiProxy.invoke(PojiProxy.java:62)
 at $Proxy488.invoke(Unknown Source)
 at org.jboss.ejb3.proxy.impl.handler.session.SessionProxyInvocationHandl
erBase.invoke(SessionProxyInvocationHandlerBase.java:207)
 at org.jboss.ejb3.proxy.impl.handler.session.SessionProxyInvocationHandl
erBase.invoke(SessionProxyInvocationHandlerBase.java:164)
 at $Proxy561.updateUser(Unknown Source)

package vwg.audi.cancard.webservlet;

import java.io.IOException;

import javax.ejb.EJBAccessException;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

import org.apache.log4j.Logger;
import org.jboss.web.tomcat.security.login.WebAuthentication;

import com.arjuna.ats.arjuna.recovery.Service;

public class LoginServlet extends HttpServlet
{
 private Logger log = Logger.getLogger(LoginServlet.class);

 /**
 *
 */
 private static final long serialVersionUID = -5539909157863711284L;

 /**
 * Process the HTTP Get request
 */
 public void doGet(HttpServletRequest request, HttpServletResponse response)
 throws ServletException, IOException
 {
 serveRequest(request, response);
 }

 /**
 * Process the HTTP Post request
 */
 public void doPost(HttpServletRequest request, HttpServletResponse response)
 throws ServletException, IOException
 {
 serveRequest(request, response);
 } // doPost

 /**
 * In dieser Methode findet die eigentliche Verarbeitung des
 * HTTPServletRequests statt. Sie wird von den beiden public Methoden doPost
 * und doGet aufgerufen.
 */
 public void serveRequest(HttpServletRequest request,
 HttpServletResponse response) throws ServletException, IOException
 {
 String username = "extern.michael.obster";
 String pass = "mypassword";
 // login first
 try {
 login(username, pass);
 }
 catch (Exception e) {
 log.error("Fehler:", e);
 }

 String loginDomain = "cancardDomain";
 String clientLoginDomain = "client-login";
 if (log.isDebugEnabled()) {
 log.debug("init JAASInterceptor: loginDomain:" + loginDomain + " clientLoginDomain:" + clientLoginDomain);
 }

 // lets try to access ejb3
 try {
 ServiceLocator.getInstance().getUserService().updateUser();
 }
 catch (ServiceLocatorException e) {
 log.error("ServiceLocator error:", e);
 }
 }

 /**
 * Helper method for logging in
 * @param username
 * @param strPassword
 * @return
 * @throws Exception
 */
 private String login(String username, String strPassword) throws Exception {
 String loginDomain = "cancardDomain";
 String clientLoginDomain = "client-login";

 log.debug("LoginAction: loginDomain:" + loginDomain + " clientLoginDomain:" + clientLoginDomain);
 try {
 LoginFacade loginFacade = new LoginFacade(loginDomain, clientLoginDomain);
 loginFacade.login(username, strPassword);
 } catch (JAASLoginException jaasEx) {
 log.info("User " + username + ": login NOT successfull! " + jaasEx.getErrorKey(), jaasEx);
 return jaasEx.getErrorKey();
 } catch (EJBAccessException ejbEx) {
 //No permission for application
 log.warn(ejbEx);
 Exception ex = ejbEx.getCausedByException();
 log.info("User " + username + ": login NOT successfull! " + ejbEx.getMessage(), ejbEx);

 if (ex instanceof SecurityException) {
 return JAASConstants.NO_RIGHTS;
 } else {
 return JAASConstants.USER_NOT_AUTHENTICATED;
 }
 }
 catch (Exception ex) {
 log.info("User " + username + ": login NOT successfull! " + ex.getMessage(), ex);
 throw ex;
// return JAASConstants.NO_RIGHTS;
 }
 log.info("User " + username + ": login successfull!");
 return JAASConstants.USER_IS_VALID;
 }

}

Hi,

What I have to if I want to use the WebAuthentication further? Do I have to change the complete login to Web based authentication? I've seen I need then j_security_check, but I always get then that this resource is not available from tomcat.

For now I tried to use the WebAuthetication but the user is not authenticated then. I only get this error:

vwg.audi.cancard.MyApplicationException: User is not authenticated or the isUserInRole check failed at vwg.audi.cancard.ui.action.Login.execute(Login.java:177) at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39) at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25) at java.lang.reflect.Method.invoke(Method.java:597) at com.opensymphony.xwork2.DefaultActionInvocation.invokeAction(DefaultActionInvocation.java:441) at com.opensymphony.xwork2.DefaultActionInvocation.invokeActionOnly(DefaultActionInvocation.java:280) at com.opensymphony.xwork2.DefaultActionInvocation.invoke(DefaultActionInvocation.java:243) at com.opensymphony.xwork2.interceptor.DefaultWorkflowInterceptor.doIntercept(DefaultWorkflowInterceptor.java:165) at com.opensymphony.xwork2.interceptor.MethodFilterInterceptor.intercept(MethodFilterInterceptor.java:87) at com.opensymphony.xwork2.DefaultActionInvocation.invoke(DefaultActionInvocation.java:237) at com.opensymphony.xwork2.validator.ValidationInterceptor.doIntercept(ValidationInterceptor.java:252) at org.apache.struts2.interceptor.validation.AnnotationValidationInterceptor.doIntercept(AnnotationValidationInterceptor.java:68) at com.opensymphony.xwork2.interceptor.MethodFilterInterceptor.intercept(MethodFilterInterceptor.java:87) at com.opensymphony.xwork2.DefaultActionInvocation.invoke(DefaultActionInvocation.java:237) at com.opensymphony.xwork2.interceptor.ConversionErrorInterceptor.intercept(ConversionErrorInterceptor.java:122) at com.opensymphony.xwork2.DefaultActionInvocation.invoke(DefaultActionInvocation.java:237) at com.opensymphony.xwork2.interceptor.ParametersInterceptor.doIntercept(ParametersInterceptor.java:195) at com.opensymphony.xwork2.interceptor.MethodFilterInterceptor.intercept(MethodFilterInterceptor.java:87) at com.opensymphony.xwork2.DefaultActionInvocation.invoke(DefaultActionInvocation.java:237) at com.opensymphony.xwork2.interceptor.ParametersInterceptor.doIntercept(ParametersInterceptor.java:195) at com.opensymphony.xwork2.interceptor.MethodFilterInterceptor.intercept(MethodFilterInterceptor.java:87) at com.opensymphony.xwork2.DefaultActionInvocation.invoke(DefaultActionInvocation.java:237) at com.opensymphony.xwork2.interceptor.StaticParametersInterceptor.intercept(StaticParametersInterceptor.java:179) at com.opensymphony.xwork2.DefaultActionInvocation.invoke(DefaultActionInvocation.java:237) at
...

if(username == null || password == null)
 throw new RuntimeException("username or password is null");
 WebAuthentication pwl = new WebAuthentication();
 pwl.login(username, password);

 //Only when there is web login, does the principal be visible
 log.info("User Principal="+ServletActionContext.getRequest().getUserPrincipal());
 //Some basic checks to see if the user who just did a programmatic login has a role of "AuthorizedUser"
 log.info("isUserInRole(Authorized User)="+ServletActionContext.getRequest().isUserInRole("AuthorizedUser"));
 if(ServletActionContext.getRequest().getUserPrincipal() == null || !ServletActionContext.getRequest().isUserInRole("AuthorizedUser"))
 throw new MyApplicationException("User is not authenticated or the isUserInRole check failed");

 //Log the user out
 pwl.logout();

 if(ServletActionContext.getRequest().getUserPrincipal() != null || ServletActionContext.getRequest().isUserInRole("AuthorizedUser"))
 throw new MyApplicationException("User is still authenticated or pass: isUserInRole(Authorized User)");

10:21:16,515 INFO [Login] User Principal=null
10:21:16,531 INFO [Login] isUserInRole(Authorized User)=false

Ok, back to the LoginFacade. I did some more testing and tried to use the code in a JDK5 and JBoss 4.2.3 environment. There I get also an access exception on the EJB3 bean. After putting some log.info statements into my JAAS login module I git following output:

11:34:59,091 INFO [SpiiderLoginModule] Groups for User: 1
11:34:59,106 INFO [SpiiderLoginModule] Principal: AdminUser
11:34:59,106 ERROR [RoleBasedAuthorizationInterceptor] Insufficient permissions,
 principal=extern.michael.obster, requiredRoles=[RegularUser, AdminUser, interna
l], principalRoles=null

...
protected Group[] getRoleSets() throws LoginException {
 if (userIdentifier == null)
 return getDefaultRoles();

 // add the useridentifier to the subject
 subject.getPublicCredentials().add(userIdentifier);
 String gid = userIdentifier.getGid();
 if (trace)
 log.info("getRoleSets using rolesQuery: " + rolesQuery
 + ", gid: " + gid);
 try {
 Group roleSets[] = Util.getRoleSets(gid, dsJndiName,
 rolesQuery, this, suspendResume);

 log.info("Groups for User: " + roleSets.length);
 for (Group role : roleSets) {
 log.info("Principal: " + role.getName());
 }

 if (roleSets.length == 0)
 return getDefaultRoles();

 return roleSets;
 } catch (FailedLoginException fe) {
 // this exception is thrown if the user is not found in the roles-link-table
 return getDefaultRoles();
 }
 }
...

/**
 *
 */
package vwg.audi.cancard.business;

import javax.naming.AuthenticationException;
import javax.security.auth.login.LoginContext;
import javax.security.auth.login.LoginException;

import org.apache.log4j.Logger;
import org.jboss.security.auth.callback.UsernamePasswordHandler;

import vwg.audi.cancard.JAASLoginException;
import vwg.audi.cancard.ui.JAASConstants;

/**
 * LoginFacade
 *
 * @author Michael Obster (nospam.michael.obster@epos-cat.de)
 */
public class LoginFacade {
 private Logger log = Logger.getLogger(this.getClass());

 private LoginContext lc = null;
 private String loginContext = "";
 private String clientContext = "";

 public LoginFacade(String loginContext, String clientContext) {
 this.loginContext = loginContext;
 this.clientContext = clientContext;
 }

 /**
 * Real login, used by GUI.
 *
 * @param username
 * @param strPassword
 * @throws Exception
 */
 public void login(String username, String strPassword) throws Exception{
 char[] password = strPassword != null ? strPassword.toCharArray() : "".toCharArray() ;
 UsernamePasswordHandler handler = new UsernamePasswordHandler(username, password);

 lc = null;
 try {
 //Login for usercheck
 lc = new LoginContext(loginContext, handler);
 lc.login();

 } catch (Exception e) {
 Throwable t = e;
 while (t.getCause() != null) {

 if (t instanceof AuthenticationException) {
 break;
 }
 t = t.getCause();
 }

 //Analyse AuthenticationException
 if (t instanceof AuthenticationException) {
 AuthenticationException ex = (AuthenticationException)t;
 String emsg = ex.getExplanation();
 if (!hasValue(emsg)) {
 emsg = "";
 }
 String errorhint = JAASConstants.USER_NOT_AUTHENTICATED;
 if (emsg.indexOf("password expired") > 0) {
 errorhint = JAASConstants.PASSWORD_EXPIRED;
 } else if (emsg.indexOf("error code 49") > 0) {
 errorhint = JAASConstants.PASSWORD_INVALID;
 } else if (emsg.indexOf("error code 19") > 0) {
 errorhint = JAASConstants.USER_REVOKED;
 } else if (emsg.indexOf("error code 32") > 0) {
 errorhint = JAASConstants.USER_INVALID;
 }
 log.debug(username + " " + ex.getExplanation() + " hint: " + errorhint);
 throw new JAASLoginException(errorhint, ex);

 } else if (t instanceof LoginException) {
 LoginException ex = (LoginException)t;
 String emsg = ex.getMessage();
 if (!hasValue(emsg)) {
 emsg = "";
 }
 String errorhint = JAASConstants.USER_NOT_AUTHENTICATED;
 if (emsg.indexOf("Password Required") > 0) {
 errorhint = JAASConstants.PASSWORD_INVALID;
 }
 log.debug(username + " " + emsg + " " + errorhint);
 throw new JAASLoginException(errorhint, ex);
 } else {
 log.debug(username + " " + t.getMessage() + " " + JAASConstants.UNEXPECTED_ERROR);
 throw new JAASLoginException(JAASConstants.UNEXPECTED_ERROR, t);
 }
 }
 }

 /**
 * Background Login, set user and password from filter.
 */
 public void clientLogin(String username, String strPassword) throws JAASLoginException {
 char[] password = strPassword != null ? strPassword.toCharArray() : "".toCharArray() ;
 UsernamePasswordHandler handler = new UsernamePasswordHandler(username, password);
 try {
 lc = new LoginContext(clientContext, handler);
 lc.login();
 } catch (LoginException e) {

 throw new JAASLoginException(JAASConstants.UNEXPECTED_ERROR);
 }
 }

 public void logout() throws JAASLoginException {
 if (lc == null)
 return;

 try {
 lc.logout();
 } catch (LoginException e) {
 log.error("JAAS-Logout failed!", e);
 throw new JAASLoginException(JAASConstants.UNEXPECTED_ERROR);
 }
 }

 /**
 * Helper function tests if Strings have a value.
 *
 * @param s - the String to test.
 * @return true or false
 */
 boolean hasValue(String s) {
 return s != null && s.trim().length() != 0 ? true : false;
 }
}

/**
 *
 */
package vwg.audi.cancard.cfg;

import java.io.IOException;
import java.util.ArrayList;
import java.util.Enumeration;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;

import org.apache.log4j.Logger;

import vwg.audi.cancard.JAASLoginException;
import vwg.audi.cancard.business.LoginFacade;
import vwg.audi.cancard.ui.JAASConstants;

/**
 * JAASLoginFilter
 *
 */
public class JAASLoginFilter implements Filter {
 private Logger log = Logger.getLogger(this.getClass());

 FilterConfig filterConfig;

 ArrayList<String> ignorePath;

 String loginDomain = "";
 String clientLoginDomain = "";

 @SuppressWarnings("unchecked")
 public void init(FilterConfig filterConfig) throws ServletException {


 this.filterConfig = filterConfig;
 ignorePath = new ArrayList<String>();
 Enumeration enumeration = filterConfig.getInitParameterNames();
 while (enumeration.hasMoreElements()) {
 String initParameterName = (String) enumeration.nextElement();
 ignorePath.add(filterConfig.getInitParameter(initParameterName));
 }

 loginDomain = filterConfig.getServletContext().getInitParameter("jaasLoginDomain");
 clientLoginDomain = filterConfig.getServletContext().getInitParameter("jaasClientLoginDomain");
 log.debug("init JAASFilter: loginDomain:" + loginDomain + " clientLoginDomain:" + clientLoginDomain);
 }

 public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain) throws IOException, ServletException {

 if (req instanceof HttpServletRequest) {
 HttpServletRequest request = (HttpServletRequest) req;
 String servletPath = request.getServletPath();
 String pathInfo = request.getPathInfo();
 String path = (servletPath == null ? "" : servletPath)
 + (pathInfo == null ? "" : pathInfo);
 log.debug(path);
 log.debug("IM FILTER");
 LoginFacade loginFacade = new LoginFacade(loginDomain, clientLoginDomain);


 if (!ignorePath.contains(path)
 && !JAASConstants.USER_IS_VALID.equals(request
 .getSession().getAttribute(
 JAASConstants.USER_VALIDITY))) {
 log.info("requested path: " + path + " ignored: " + ignorePath.contains(path));
 throw new JAASLoginException();
 }

 //Perform client-login
 if (!ignorePath.contains(path)) {
 String username = (String)request.getSession().getAttribute(JAASConstants.USERNAME);
 String strPassword = (String)request.getSession().getAttribute(JAASConstants.PASSWORD);

 // Classic login by username and password
 loginFacade.clientLogin(username, strPassword);

 }

 chain.doFilter(req, res);

 loginFacade.logout();
 } else
 throw new JAASLoginException("Unsupported request");

 }

 public void destroy() {

 }

}