20 Replies Latest reply on Oct 21, 2009 5:20 AM by wolfgangknauf

    Caller unauthorized on using an EJB3 stateless session bean fr

      Hi everybody,

      I have a big problem using JAAS in JBoss 5.1.0GA, which I have been trying to solve for about 2 days (my employer is not very amused about that...). I use my own JAAS LoginModule to authenticate a user against an LDAP directory. The role set is fetched from a database. This part works, as far as I can see, and gives me the result "AdminUser".

      But now, when I call an EJB stateless session bean, I always get the "Caller unauthorized" error (the stack trace is at the bottom of the message).

      Can anybody give me a hint what's wrong?

      The constants in the @RolesAllowed have "AdminUser" in the list. The class is also attached at the end of the message.

      javax.ejb.EJBAccessException: Caller unauthorized
       at org.jboss.ejb3.security.RoleBasedAuthorizationInterceptorv2.invoke(RoleBasedAuthorizationInterceptorv2.java:199)
       at org.jboss.aop.joinpoint.MethodInvocation.invokeNext(MethodInvocation.java:102)
       at org.jboss.ejb3.security.Ejb3AuthenticationInterceptorv2.invoke(Ejb3AuthenticationInterceptorv2.java:186)
       at org.jboss.aop.joinpoint.MethodInvocation.invokeNext(MethodInvocation.java:102)
       at org.jboss.ejb3.ENCPropagationInterceptor.invoke(ENCPropagationInterceptor.java:41)
       at org.jboss.aop.joinpoint.MethodInvocation.invokeNext(MethodInvocation.java:102)
       at org.jboss.ejb3.BlockContainerShutdownInterceptor.invoke(BlockContainerShutdownInterceptor.java:67)
       at org.jboss.aop.joinpoint.MethodInvocation.invokeNext(MethodInvocation.java:102)
       at org.jboss.aspects.currentinvocation.CurrentInvocationInterceptor.invoke(CurrentInvocationInterceptor.java:67)
       at org.jboss.aop.joinpoint.MethodInvocation.invokeNext(MethodInvocation.java:102)
       at org.jboss.ejb3.session.SessionSpecContainer.invoke(SessionSpecContainer.java:176)
       at org.jboss.ejb3.session.SessionSpecContainer.invoke(SessionSpecContainer.java:216)
       at org.jboss.ejb3.proxy.impl.handler.session.SessionProxyInvocationHandlerBase.invoke(SessionProxyInvocationHandlerBase.java:207)
       at org.jboss.ejb3.proxy.impl.handler.session.SessionProxyInvocationHandlerBase.invoke(SessionProxyInvocationHandlerBase.java:164)
       at $Proxy1287.getAllUsers(Unknown Source)
       at vwg.yyy.cancard.ui.action.Usermanagement.Usermanagement.list(Usermanagement.java:41)
       at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
       at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
       at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
       at java.lang.reflect.Method.invoke(Method.java:597)
       at com.opensymphony.xwork2.DefaultActionInvocation.invokeAction(DefaultActionInvocation.java:404)
       at com.opensymphony.xwork2.DefaultActionInvocation.invokeActionOnly(DefaultActionInvocation.java:267)
       at com.opensymphony.xwork2.DefaultActionInvocation.invoke(DefaultActionInvocation.java:229)
       at com.opensymphony.xwork2.interceptor.DefaultWorkflowInterceptor.doIntercept(DefaultWorkflowInterceptor.java:221)
       at com.opensymphony.xwork2.interceptor.MethodFilterInterceptor.intercept(MethodFilterInterceptor.java:86)
       at com.opensymphony.xwork2.DefaultActionInvocation$2.doProfiling(DefaultActionInvocation.java:224)
       at com.opensymphony.xwork2.DefaultActionInvocation$2.doProfiling(DefaultActionInvocation.java:223)
       at com.opensymphony.xwork2.util.profiling.UtilTimerStack.profile(UtilTimerStack.java:455)
       at com.opensymphony.xwork2.DefaultActionInvocation.invoke(DefaultActionInvocation.java:221)
       at com.opensymphony.xwork2.validator.ValidationInterceptor.doIntercept(ValidationInterceptor.java:150)
       at org.apache.struts2.interceptor.validation.AnnotationValidationInterceptor.doIntercept(AnnotationValidationInterceptor.java:48)
       at com.opensymphony.xwork2.interceptor.MethodFilterInterceptor.intercept(MethodFilterInterceptor.java:86)
       at com.opensymphony.xwork2.DefaultActionInvocation$2.doProfiling(DefaultActionInvocation.java:224)
       at com.opensymphony.xwork2.DefaultActionInvocation$2.doProfiling(DefaultActionInvocation.java:223)
       at com.opensymphony.xwork2.util.profiling.UtilTimerStack.profile(UtilTimerStack.java:455)
       at com.opensymphony.xwork2.DefaultActionInvocation.invoke(DefaultActionInvocation.java:221)
       at com.opensymphony.xwork2.interceptor.ConversionErrorInterceptor.intercept(ConversionErrorInterceptor.java:123)
       at com.opensymphony.xwork2.DefaultActionInvocation$2.doProfiling(DefaultActionInvocation.java:224)
       at com.opensymphony.xwork2.DefaultActionInvocation$2.doProfiling(DefaultActionInvocation.java:223)
       at com.opensymphony.xwork2.util.profiling.UtilTimerStack.profile(UtilTimerStack.java:455)
       at com.opensymphony.xwork2.DefaultActionInvocation.invoke(DefaultActionInvocation.java:221)
       at com.opensymphony.xwork2.interceptor.ParametersInterceptor.doIntercept(ParametersInterceptor.java:167)
       at com.opensymphony.xwork2.interceptor.MethodFilterInterceptor.intercept(MethodFilterInterceptor.java:86)
       at com.opensymphony.xwork2.DefaultActionInvocation$2.doProfiling(DefaultActionInvocation.java:224)
       at com.opensymphony.xwork2.DefaultActionInvocation$2.doProfiling(DefaultActionInvocation.java:223)
       at com.opensymphony.xwork2.util.profiling.UtilTimerStack.profile(UtilTimerStack.java:455)
       at com.opensymphony.xwork2.DefaultActionInvocation.invoke(DefaultActionInvocation.java:221)
       at com.opensymphony.xwork2.interceptor.StaticParametersInterceptor.intercept(StaticParametersInterceptor.java:105)
       at com.opensymphony.xwork2.DefaultActionInvocation$2.doProfiling(DefaultActionInvocation.java:224)
       at com.opensymphony.xwork2.DefaultActionInvocation$2.doProfiling(DefaultActionInvocation.java:223)
       at com.opensymphony.xwork2.util.profiling.UtilTimerStack.profile(UtilTimerStack.java:455)
       at com.opensymphony.xwork2.DefaultActionInvocation.invoke(DefaultActionInvocation.java:221)
       at org.apache.struts2.interceptor.CheckboxInterceptor.intercept(CheckboxInterceptor.java:83)
       at com.opensymphony.xwork2.DefaultActionInvocation$2.doProfiling(DefaultActionInvocation.java:224)
       at com.opensymphony.xwork2.DefaultActionInvocation$2.doProfiling(DefaultActionInvocation.java:223)
       at com.opensymphony.xwork2.util.profiling.UtilTimerStack.profile(UtilTimerStack.java:455)
       at com.opensymphony.xwork2.DefaultActionInvocation.invoke(DefaultActionInvocation.java:221)
       at org.apache.struts2.interceptor.FileUploadInterceptor.intercept(FileUploadInterceptor.java:207)
       at com.opensymphony.xwork2.DefaultActionInvocation$2.doProfiling(DefaultActionInvocation.java:224)
       at com.opensymphony.xwork2.DefaultActionInvocation$2.doProfiling(DefaultActionInvocation.java:223)
       at com.opensymphony.xwork2.util.profiling.UtilTimerStack.profile(UtilTimerStack.java:455)
       at com.opensymphony.xwork2.DefaultActionInvocation.invoke(DefaultActionInvocation.java:221)
       at com.opensymphony.xwork2.interceptor.ModelDrivenInterceptor.intercept(ModelDrivenInterceptor.java:74)
       at com.opensymphony.xwork2.DefaultActionInvocation$2.doProfiling(DefaultActionInvocation.java:224)
       at com.opensymphony.xwork2.DefaultActionInvocation$2.doProfiling(DefaultActionInvocation.java:223)
       at com.opensymphony.xwork2.util.profiling.UtilTimerStack.profile(UtilTimerStack.java:455)
       at com.opensymphony.xwork2.DefaultActionInvocation.invoke(DefaultActionInvocation.java:221)
       at com.opensymphony.xwork2.interceptor.ScopedModelDrivenInterceptor.intercept(ScopedModelDrivenInterceptor.java:127)
       at com.opensymphony.xwork2.DefaultActionInvocation$2.doProfiling(DefaultActionInvocation.java:224)
       at com.opensymphony.xwork2.DefaultActionInvocation$2.doProfiling(DefaultActionInvocation.java:223)
       at com.opensymphony.xwork2.util.profiling.UtilTimerStack.profile(UtilTimerStack.java:455)
       at com.opensymphony.xwork2.DefaultActionInvocation.invoke(DefaultActionInvocation.java:221)
       at org.apache.struts2.interceptor.ProfilingActivationInterceptor.intercept(ProfilingActivationInterceptor.java:107)
       at com.opensymphony.xwork2.DefaultActionInvocation$2.doProfiling(DefaultActionInvocation.java:224)
       at com.opensymphony.xwork2.DefaultActionInvocation$2.doProfiling(DefaultActionInvocation.java:223)
       at com.opensymphony.xwork2.util.profiling.UtilTimerStack.profile(UtilTimerStack.java:455)
       at com.opensymphony.xwork2.DefaultActionInvocation.invoke(DefaultActionInvocation.java:221)
       at org.apache.struts2.interceptor.debugging.DebuggingInterceptor.intercept(DebuggingInterceptor.java:206)
       at com.opensymphony.xwork2.DefaultActionInvocation$2.doProfiling(DefaultActionInvocation.java:224)
       at com.opensymphony.xwork2.DefaultActionInvocation$2.doProfiling(DefaultActionInvocation.java:223)
       at com.opensymphony.xwork2.util.profiling.UtilTimerStack.profile(UtilTimerStack.java:455)
       at com.opensymphony.xwork2.DefaultActionInvocation.invoke(DefaultActionInvocation.java:221)
       at com.opensymphony.xwork2.interceptor.ChainingInterceptor.intercept(ChainingInterceptor.java:115)
       at com.opensymphony.xwork2.DefaultActionInvocation$2.doProfiling(DefaultActionInvocation.java:224)
       at com.opensymphony.xwork2.DefaultActionInvocation$2.doProfiling(DefaultActionInvocation.java:223)
       at com.opensymphony.xwork2.util.profiling.UtilTimerStack.profile(UtilTimerStack.java:455)
       at com.opensymphony.xwork2.DefaultActionInvocation.invoke(DefaultActionInvocation.java:221)
       at com.opensymphony.xwork2.interceptor.I18nInterceptor.intercept(I18nInterceptor.java:143)
       at com.opensymphony.xwork2.DefaultActionInvocation$2.doProfiling(DefaultActionInvocation.java:224)
       at com.opensymphony.xwork2.DefaultActionInvocation$2.doProfiling(DefaultActionInvocation.java:223)
       at com.opensymphony.xwork2.util.profiling.UtilTimerStack.profile(UtilTimerStack.java:455)
       at com.opensymphony.xwork2.DefaultActionInvocation.invoke(DefaultActionInvocation.java:221)
       at com.opensymphony.xwork2.interceptor.PrepareInterceptor.doIntercept(PrepareInterceptor.java:121)
       at com.opensymphony.xwork2.interceptor.MethodFilterInterceptor.intercept(MethodFilterInterceptor.java:86)
       at com.opensymphony.xwork2.DefaultActionInvocation$2.doProfiling(DefaultActionInvocation.java:224)
       at com.opensymphony.xwork2.DefaultActionInvocation$2.doProfiling(DefaultActionInvocation.java:223)
       at com.opensymphony.xwork2.util.profiling.UtilTimerStack.profile(UtilTimerStack.java:455)
       at com.opensymphony.xwork2.DefaultActionInvocation.invoke(DefaultActionInvocation.java:221)
       at org.apache.struts2.interceptor.ServletConfigInterceptor.intercept(ServletConfigInterceptor.java:170)
       at com.opensymphony.xwork2.DefaultActionInvocation$2.doProfiling(DefaultActionInvocation.java:224)
       at com.opensymphony.xwork2.DefaultActionInvocation$2.doProfiling(DefaultActionInvocation.java:223)
       at com.opensymphony.xwork2.util.profiling.UtilTimerStack.profile(UtilTimerStack.java:455)
       at com.opensymphony.xwork2.DefaultActionInvocation.invoke(DefaultActionInvocation.java:221)
       at com.opensymphony.xwork2.interceptor.AliasInterceptor.intercept(AliasInterceptor.java:123)
       at com.opensymphony.xwork2.DefaultActionInvocation$2.doProfiling(DefaultActionInvocation.java:224)
       at com.opensymphony.xwork2.DefaultActionInvocation$2.doProfiling(DefaultActionInvocation.java:223)
       at com.opensymphony.xwork2.util.profiling.UtilTimerStack.profile(UtilTimerStack.java:455)
       at com.opensymphony.xwork2.DefaultActionInvocation.invoke(DefaultActionInvocation.java:221)
       at com.opensymphony.xwork2.interceptor.ExceptionMappingInterceptor.intercept(ExceptionMappingInterceptor.java:176)
       at com.opensymphony.xwork2.DefaultActionInvocation$2.doProfiling(DefaultActionInvocation.java:224)
       at com.opensymphony.xwork2.DefaultActionInvocation$2.doProfiling(DefaultActionInvocation.java:223)
       at com.opensymphony.xwork2.util.profiling.UtilTimerStack.profile(UtilTimerStack.java:455)
       at com.opensymphony.xwork2.DefaultActionInvocation.invoke(DefaultActionInvocation.java:221)
       at vwg.yyy.cancard.ui.interceptor.RolecheckUsermanagerInterceptor.continueAction(RolecheckUsermanagerInterceptor.java:86)
       at vwg.yyy.cancard.ui.interceptor.RolecheckUsermanagerInterceptor.intercept(RolecheckUsermanagerInterceptor.java:71)
       at com.opensymphony.xwork2.DefaultActionInvocation$2.doProfiling(DefaultActionInvocation.java:224)
       at com.opensymphony.xwork2.DefaultActionInvocation$2.doProfiling(DefaultActionInvocation.java:223)
       at com.opensymphony.xwork2.util.profiling.UtilTimerStack.profile(UtilTimerStack.java:455)
       at com.opensymphony.xwork2.DefaultActionInvocation.invoke(DefaultActionInvocation.java:221)
       at vwg.yyy.cancard.ui.interceptor.JAASLoginInterceptor.intercept(JAASLoginInterceptor.java:78)
       at com.opensymphony.xwork2.DefaultActionInvocation$2.doProfiling(DefaultActionInvocation.java:224)
       at com.opensymphony.xwork2.DefaultActionInvocation$2.doProfiling(DefaultActionInvocation.java:223)
       at com.opensymphony.xwork2.util.profiling.UtilTimerStack.profile(UtilTimerStack.java:455)
       at com.opensymphony.xwork2.DefaultActionInvocation.invoke(DefaultActionInvocation.java:221)
       at com.opensymphony.xwork2.interceptor.DefaultWorkflowInterceptor.doIntercept(DefaultWorkflowInterceptor.java:221)
       at com.opensymphony.xwork2.interceptor.MethodFilterInterceptor.intercept(MethodFilterInterceptor.java:86)
       at com.opensymphony.xwork2.DefaultActionInvocation$2.doProfiling(DefaultActionInvocation.java:224)
       at com.opensymphony.xwork2.DefaultActionInvocation$2.doProfiling(DefaultActionInvocation.java:223)
       at com.opensymphony.xwork2.util.profiling.UtilTimerStack.profile(UtilTimerStack.java:455)
       at com.opensymphony.xwork2.DefaultActionInvocation.invoke(DefaultActionInvocation.java:221)
       at com.opensymphony.xwork2.validator.ValidationInterceptor.doIntercept(ValidationInterceptor.java:150)
       at org.apache.struts2.interceptor.validation.AnnotationValidationInterceptor.doIntercept(AnnotationValidationInterceptor.java:48)
       at com.opensymphony.xwork2.interceptor.MethodFilterInterceptor.intercept(MethodFilterInterceptor.java:86)
       at com.opensymphony.xwork2.DefaultActionInvocation$2.doProfiling(DefaultActionInvocation.java:224)
       at com.opensymphony.xwork2.DefaultActionInvocation$2.doProfiling(DefaultActionInvocation.java:223)
       at com.opensymphony.xwork2.util.profiling.UtilTimerStack.profile(UtilTimerStack.java:455)
       at com.opensymphony.xwork2.DefaultActionInvocation.invoke(DefaultActionInvocation.java:221)
       at com.opensymphony.xwork2.interceptor.ConversionErrorInterceptor.intercept(ConversionErrorInterceptor.java:123)
       at com.opensymphony.xwork2.DefaultActionInvocation$2.doProfiling(DefaultActionInvocation.java:224)
       at com.opensymphony.xwork2.DefaultActionInvocation$2.doProfiling(DefaultActionInvocation.java:223)
       at com.opensymphony.xwork2.util.profiling.UtilTimerStack.profile(UtilTimerStack.java:455)
       at com.opensymphony.xwork2.DefaultActionInvocation.invoke(DefaultActionInvocation.java:221)
       at com.opensymphony.xwork2.interceptor.ParametersInterceptor.doIntercept(ParametersInterceptor.java:167)
       at com.opensymphony.xwork2.interceptor.MethodFilterInterceptor.intercept(MethodFilterInterceptor.java:86)
       at com.opensymphony.xwork2.DefaultActionInvocation$2.doProfiling(DefaultActionInvocation.java:224)
       at com.opensymphony.xwork2.DefaultActionInvocation$2.doProfiling(DefaultActionInvocation.java:223)
       at com.opensymphony.xwork2.util.profiling.UtilTimerStack.profile(UtilTimerStack.java:455)
       at com.opensymphony.xwork2.DefaultActionInvocation.invoke(DefaultActionInvocation.java:221)
       at com.opensymphony.xwork2.interceptor.StaticParametersInterceptor.intercept(StaticParametersInterceptor.java:105)
       at com.opensymphony.xwork2.DefaultActionInvocation$2.doProfiling(DefaultActionInvocation.java:224)
       at com.opensymphony.xwork2.DefaultActionInvocation$2.doProfiling(DefaultActionInvocation.java:223)
       at com.opensymphony.xwork2.util.profiling.UtilTimerStack.profile(UtilTimerStack.java:455)
       at com.opensymphony.xwork2.DefaultActionInvocation.invoke(DefaultActionInvocation.java:221)
       at org.apache.struts2.interceptor.CheckboxInterceptor.intercept(CheckboxInterceptor.java:83)
       at com.opensymphony.xwork2.DefaultActionInvocation$2.doProfiling(DefaultActionInvocation.java:224)
       at com.opensymphony.xwork2.DefaultActionInvocation$2.doProfiling(DefaultActionInvocation.java:223)
       at com.opensymphony.xwork2.util.profiling.UtilTimerStack.profile(UtilTimerStack.java:455)
       at com.opensymphony.xwork2.DefaultActionInvocation.invoke(DefaultActionInvocation.java:221)
       at org.apache.struts2.interceptor.FileUploadInterceptor.intercept(FileUploadInterceptor.java:207)
       at com.opensymphony.xwork2.DefaultActionInvocation$2.doProfiling(DefaultActionInvocation.java:224)
       at com.opensymphony.xwork2.DefaultActionInvocation$2.doProfiling(DefaultActionInvocation.java:223)
       at com.opensymphony.xwork2.util.profiling.UtilTimerStack.profile(UtilTimerStack.java:455)
       at com.opensymphony.xwork2.DefaultActionInvocation.invoke(DefaultActionInvocation.java:221)
       at com.opensymphony.xwork2.interceptor.ModelDrivenInterceptor.intercept(ModelDrivenInterceptor.java:74)
       at com.opensymphony.xwork2.DefaultActionInvocation$2.doProfiling(DefaultActionInvocation.java:224)
       at com.opensymphony.xwork2.DefaultActionInvocation$2.doProfiling(DefaultActionInvocation.java:223)
       at com.opensymphony.xwork2.util.profiling.UtilTimerStack.profile(UtilTimerStack.java:455)
       at com.opensymphony.xwork2.DefaultActionInvocation.invoke(DefaultActionInvocation.java:221)
       at com.opensymphony.xwork2.interceptor.ChainingInterceptor.intercept(ChainingInterceptor.java:115)
       at com.opensymphony.xwork2.DefaultActionInvocation$2.doProfiling(DefaultActionInvocation.java:224)
       at com.opensymphony.xwork2.DefaultActionInvocation$2.doProfiling(DefaultActionInvocation.java:223)
       at com.opensymphony.xwork2.util.profiling.UtilTimerStack.profile(UtilTimerStack.java:455)
       at com.opensymphony.xwork2.DefaultActionInvocation.invoke(DefaultActionInvocation.java:221)
       at com.opensymphony.xwork2.interceptor.I18nInterceptor.intercept(I18nInterceptor.java:143)
       at com.opensymphony.xwork2.DefaultActionInvocation$2.doProfiling(DefaultActionInvocation.java:224)
       at com.opensymphony.xwork2.DefaultActionInvocation$2.doProfiling(DefaultActionInvocation.java:223)
       at com.opensymphony.xwork2.util.profiling.UtilTimerStack.profile(UtilTimerStack.java:455)
       at com.opensymphony.xwork2.DefaultActionInvocation.invoke(DefaultActionInvocation.java:221)
       at com.opensymphony.xwork2.interceptor.PrepareInterceptor.doIntercept(PrepareInterceptor.java:121)
       at com.opensymphony.xwork2.interceptor.MethodFilterInterceptor.intercept(MethodFilterInterceptor.java:86)
       at com.opensymphony.xwork2.DefaultActionInvocation$2.doProfiling(DefaultActionInvocation.java:224)
       at com.opensymphony.xwork2.DefaultActionInvocation$2.doProfiling(DefaultActionInvocation.java:223)
       at com.opensymphony.xwork2.util.profiling.UtilTimerStack.profile(UtilTimerStack.java:455)
       at com.opensymphony.xwork2.DefaultActionInvocation.invoke(DefaultActionInvocation.java:221)
       at org.apache.struts2.interceptor.ServletConfigInterceptor.intercept(ServletConfigInterceptor.java:170)
       at com.opensymphony.xwork2.DefaultActionInvocation$2.doProfiling(DefaultActionInvocation.java:224)
       at com.opensymphony.xwork2.DefaultActionInvocation$2.doProfiling(DefaultActionInvocation.java:223)
       at com.opensymphony.xwork2.util.profiling.UtilTimerStack.profile(UtilTimerStack.java:455)
       at com.opensymphony.xwork2.DefaultActionInvocation.invoke(DefaultActionInvocation.java:221)
       at com.opensymphony.xwork2.interceptor.ParametersInterceptor.doIntercept(ParametersInterceptor.java:167)
       at com.opensymphony.xwork2.interceptor.MethodFilterInterceptor.intercept(MethodFilterInterceptor.java:86)
       at com.opensymphony.xwork2.DefaultActionInvocation$2.doProfiling(DefaultActionInvocation.java:224)
       at com.opensymphony.xwork2.DefaultActionInvocation$2.doProfiling(DefaultActionInvocation.java:223)
       at com.opensymphony.xwork2.util.profiling.UtilTimerStack.profile(UtilTimerStack.java:455)
       at com.opensymphony.xwork2.DefaultActionInvocation.invoke(DefaultActionInvocation.java:221)
       at com.opensymphony.xwork2.interceptor.AliasInterceptor.intercept(AliasInterceptor.java:123)
       at com.opensymphony.xwork2.DefaultActionInvocation$2.doProfiling(DefaultActionInvocation.java:224)
       at com.opensymphony.xwork2.DefaultActionInvocation$2.doProfiling(DefaultActionInvocation.java:223)
       at com.opensymphony.xwork2.util.profiling.UtilTimerStack.profile(UtilTimerStack.java:455)
       at com.opensymphony.xwork2.DefaultActionInvocation.invoke(DefaultActionInvocation.java:221)
       at com.opensymphony.xwork2.interceptor.ExceptionMappingInterceptor.intercept(ExceptionMappingInterceptor.java:176)
       at com.opensymphony.xwork2.DefaultActionInvocation$2.doProfiling(DefaultActionInvocation.java:224)
       at com.opensymphony.xwork2.DefaultActionInvocation$2.doProfiling(DefaultActionInvocation.java:223)
       at com.opensymphony.xwork2.util.profiling.UtilTimerStack.profile(UtilTimerStack.java:455)
       at com.opensymphony.xwork2.DefaultActionInvocation.invoke(DefaultActionInvocation.java:221)
       at vwg.yyy.cancard.ui.interceptor.RedirectMessageInterceptor.doIntercept(RedirectMessageInterceptor.java:51)
       at com.opensymphony.xwork2.interceptor.MethodFilterInterceptor.intercept(MethodFilterInterceptor.java:86)
       at com.opensymphony.xwork2.DefaultActionInvocation$2.doProfiling(DefaultActionInvocation.java:224)
       at com.opensymphony.xwork2.DefaultActionInvocation$2.doProfiling(DefaultActionInvocation.java:223)
       at com.opensymphony.xwork2.util.profiling.UtilTimerStack.profile(UtilTimerStack.java:455)
       at com.opensymphony.xwork2.DefaultActionInvocation.invoke(DefaultActionInvocation.java:221)
       at org.apache.struts2.impl.StrutsActionProxy.execute(StrutsActionProxy.java:50)
       at org.apache.struts2.dispatcher.Dispatcher.serviceAction(Dispatcher.java:504)
       at org.apache.struts2.dispatcher.FilterDispatcher.doFilter(FilterDispatcher.java:419)
       at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235)
       at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
       at org.jboss.web.tomcat.filters.ReplyHeaderFilter.doFilter(ReplyHeaderFilter.java:96)
       at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235)
       at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
       at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:235)
       at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:191)
       at org.jboss.web.tomcat.security.SecurityAssociationValve.invoke(SecurityAssociationValve.java:190)
       at org.jboss.web.tomcat.security.JaccContextValve.invoke(JaccContextValve.java:92)
       at org.jboss.web.tomcat.security.SecurityContextEstablishmentValve.process(SecurityContextEstablishmentValve.java:126)
       at org.jboss.web.tomcat.security.SecurityContextEstablishmentValve.invoke(SecurityContextEstablishmentValve.java:70)
       at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:127)
       at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:102)
       at org.jboss.web.tomcat.service.jca.CachedConnectionValve.invoke(CachedConnectionValve.java:158)
       at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:109)
       at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:330)
       at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:829)
       at org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.process(Http11Protocol.java:598)
       at org.apache.tomcat.util.net.JIoEndpoint$Worker.run(JIoEndpoint.java:447)
       at java.lang.Thread.run(Thread.java:619)


      UserFacadeBean.java:
      /**
       *
       */
      package vwg.yyy.cancard.business.facade;

      import java.util.ArrayList;
      import java.util.List;
      import java.util.Set;

      import javax.annotation.PostConstruct;
      import javax.annotation.Resource;
      import javax.annotation.security.RolesAllowed;
      import javax.annotation.security.RunAs;
      import javax.ejb.EJB;
      import javax.ejb.Local;
      import javax.ejb.Remote;
      import javax.ejb.SessionContext;
      import javax.ejb.Stateless;
      import javax.persistence.EntityExistsException;
      import javax.persistence.EntityNotFoundException;
      import javax.security.auth.Subject;
      import javax.security.jacc.PolicyContext;
      import javax.security.jacc.PolicyContextException;

      import org.apache.log4j.Logger;
      import org.hibernate.exception.ConstraintViolationException;
      import org.jboss.ejb3.annotation.SecurityDomain;
      import org.jboss.security.auth.spi.ADLoginIdentifier;

      import vwg.yyy.cancard.ApplicationConstants;
      import vwg.yyy.cancard.MyApplicationException;
      import vwg.yyy.cancard.business.user.TooManyHitsException;
      import vwg.yyy.cancard.dao.ApplicationRoleDao;
      import vwg.yyy.cancard.dao.ApplicationUserDao;
      import vwg.yyy.cancard.dao.DAOFactory;
      import vwg.yyy.cancard.ldap.LDAPSearcher;
      import vwg.yyy.cancard.model.basic.ApplicationRole;
      import vwg.yyy.cancard.model.basic.ApplicationUser;


      /**
       * Implementation of user service interface.
       *
       * @author Michael Obster (michael.obster@epos-cat.de)
       */
      @SecurityDomain("java:/jaas/cancardDomain")
      @RolesAllowed({ApplicationConstants.ROLE_ADMIN, ApplicationConstants.ROLE_NORMAL, "internal"})
      @RunAs("internal")
      @Local({UserFacade.class})
      @Remote({UserFacadeRemote.class})
      @Stateless
      public class UserFacadeBean implements UserFacade {
          private static final String SUBJECT_CONTEXT_KEY = "javax.security.auth.Subject.container";

          private static Logger log = Logger.getLogger(UserFacadeBean.class);

          /**
           * Session context for security checks.
           */
          @Resource
          private SessionContext ctx;

          @EJB
          private DAOFactory daoFactory;

          private ApplicationUserDao userDao;
          private ApplicationRoleDao roleDao;

          /**
           * Inits the daos.
           */
          @PostConstruct
          public void initDao() {
              userDao = daoFactory.getApplicationUserDao();
              roleDao = daoFactory.getApplicationRoleDao();
          }

          public List<ApplicationUser> getAllUsers() {
              return userDao.findAllOrdered("lastname, firstname");
          }

          public ApplicationUser saveUser(ApplicationUser user, boolean updateZebra) {
              if (updateZebra) {
                  // Update current user from zebra
                  LDAPSearcher searcher = new LDAPSearcher();
                  searcher.updateUserAD(user);
              }
              return userDao.merge(user);
          }

          public boolean deleteUser(String gid) {
              try {
                  userDao.remove(gid);
              } catch (EntityNotFoundException e) {
                  log.debug(e);
                  throw new MyApplicationException("db.alreadydeleted");
              } catch (EntityExistsException e) {
                  log.debug(e.getCause());
                  if (e.getCause() instanceof ConstraintViolationException) {
                      // User still used elsewhere
                      throw new MyApplicationException("db.stillused");
                  }
                  else {
                      // Should never happen
                      throw (EntityExistsException) e.fillInStackTrace();
                  }
              }
              return true;
          }

          public ApplicationUser findUserById(String userId) throws EntityNotFoundException {
              return userDao.findById(userId);
          }

          public ApplicationUser findFullUserById(String userId) throws EntityNotFoundException {
              ApplicationUser user = userDao.findById(userId);
              return userDao.fetchFullUser(user);
          }

          public List<ApplicationRole> getAllRoles() {
              return roleDao.findAllOrdered("reihe");
          }

          public List<ApplicationUser> findDirectoryUsers(ApplicationUser user)
                  throws TooManyHitsException {
              LDAPSearcher searcher = new LDAPSearcher();
              return searcher.findByCriteriaAD(user);
          }

          public ApplicationUser findDirectoryUser(String userId) {
              LDAPSearcher searcher = new LDAPSearcher();
              ApplicationUser user = new ApplicationUser();
              user.setId(userId);
              searcher.updateUserAD(user);
              return user;
          }

          @Override
          public List<ApplicationUser> findByCriteria(String firstname,
                  String lastname, String department, String phone,
                  String email, String id) {
              LDAPSearcher searcher = new LDAPSearcher();
              return searcher.findByCriteria(firstname, lastname,
                      department, phone, email, id);
          }

          @Override
          public List<ApplicationRole> getRolesNotUser(ApplicationUser user) {
              user = userDao.fetchFullUser(user);
              return roleDao.findNonRolesOfUser(user);
          }

          @Override
          public List<ApplicationRole> getUserRoles(ApplicationUser user) {
              user = userDao.fetchFullUser(user);
              return new ArrayList<ApplicationRole>(user.getRole());
          }

          @Override
          public boolean addRole(ApplicationRole role, ApplicationUser user) {
              user = userDao.fetchFullUser(user);
              return userDao.linkRoleToUser(role, user);
          }

          @Override
          public boolean deleteRole(ApplicationRole role, ApplicationUser user) {
              user = userDao.fetchFullUser(user);
              return userDao.unlinkRoleToUser(role, user);
          }

          @Override
          public ApplicationRole findRoleById(String roleId)
                  throws EntityNotFoundException {
              return roleDao.findById(roleId);
          }

          public void updateUser() throws MyApplicationException {
              // Get user from DB
              LDAPSearcher searcher = new LDAPSearcher();
              ApplicationUser dbUser = null;
              try {
                  dbUser = userDao.findById(getUserId(ctx));
              }
              catch (EntityNotFoundException e) {
                  throw new MyApplicationException("User not found in database.", e);
              }

              // Get current user data from zebra
              // searcher.updateUserAD(dbUser);

              // Save user
              // userDao.merge(dbUser);
          }

          /**
           * Static helper method: Get userId from EJB context.
           *
           * @param ctx SessionContext for no-ad-case
           * @return userId
           */
          public static String getUserId(SessionContext ctx) {
              try {
                  Subject subject = (Subject) PolicyContext.getContext(UserFacadeBean.SUBJECT_CONTEXT_KEY);
                  Set<ADLoginIdentifier> pc = subject.getPublicCredentials(ADLoginIdentifier.class);
                  if (pc == null || pc.isEmpty()) {
                      /*
                       * Should only happen in JUnit case, return user name as GID
                       * NOT dangerous because:
                       * - Spiider is the only login method on production server
                       * - The following update from Zebra will fail and throw an Exception
                       */
                      log.warn("Logging in without ADLoginIdentifier, should only happen in JUnit test!");
                      return ctx.getCallerPrincipal().getName();
       }
       else {
       return pc.iterator().next().getUserId();
       }
       } catch (PolicyContextException e) {
       throw new MyApplicationException("Jaas subject could not be retrieved.", e);
       }
       }
      
       @Override
       public boolean userHasRole(ApplicationRole role, ApplicationUser user) {
       user = userDao.fetchFullUser(user);
       Set<ApplicationRole> roles = user.getRole();
       if (roles.contains(role)) {
       return true;
       }
       else {
       return false;
       }
       }
      
       @Override
       public ApplicationRole getRolesById(String roleid) {
       ApplicationRole role = roleDao.findById(roleid);
       return role;
       }
      
      }
      


        • 1. Re: Caller unauthorized on using a ejb3 statetlesssessionbea
          wolfgangknauf

          Hi Michael,

          you probably checked the JBoss log of the security layer (see question 4 in FAQ)? Do you see output that JBoss could map a user to the required roles?

          Please post the relevant snippets of your login module.

          Best regards

          Wolfgang

          • 2. Re: Caller unauthorized on using a ejb3 statetlesssessionbea

            Some new output was generated after enabling debugging. But the only thing I can see is that the error is not in the login module but somewhere in the servlet container.

            Is there something special that I have to pay attention to when I'm using Struts2 as the framework?

            ...
            16:01:50,566 INFO [SpiiderLoginModule] Logged into LDAP server, javax.naming.ldap.InitialLdapContext@6857da
            16:01:50,581 INFO [SpiiderLoginModule] getRoleSets using rolesQuery: SELECT u.userid, r."role" FROM "security".application_user u, "security".application_role r, "security".user_role ur WHERE u.userid = ? AND u.userid = ur.user_id AND ur.role_id = r."role", gid: 79A44E672EA8C49B
            16:01:50,769 ERROR [[default]] Servlet.service() for servlet default threw exception
            javax.ejb.EJBAccessException: Caller unauthorized
            ...
            


            • 3. Re: Caller unauthorized on using a ejb3 statetlesssessionbea

              My web.xml:

              <?xml version="1.0" encoding="UTF-8"?>
              <web-app version="2.4" xmlns="http://java.sun.com/xml/ns/j2ee"
                  xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
                  xsi:schemaLocation="http://java.sun.com/xml/ns/j2ee http://java.sun.com/xml/ns/j2ee/web-app_2_4.xsd">

                  <display-name>CANCardViewer</display-name>
                  <context-param>
                      <!-- the JAAS Login Domain -->
                      <param-name>jaasLoginDomain</param-name>
                      <param-value>cancardDomain</param-value>
                  </context-param>
                  <context-param>
                      <!-- the JAAS Client Login Domain -->
                      <param-name>jaasClientLoginDomain</param-name>
                      <param-value>client-login</param-value>
                  </context-param>
                  <context-param>
                      <param-name>jmesaPreferencesLocation</param-name>
                      <param-value>
                          /resources/jmesa.properties
                      </param-value>
                  </context-param>
                  <context-param>
                      <param-name>jmesaMessagesLocation</param-name>
                      <param-value>applicationResources</param-value>
                  </context-param>

                  <filter>
                      <filter-name>struts2</filter-name>
                      <filter-class>
                          org.apache.struts2.dispatcher.FilterDispatcher
                      </filter-class>
                  </filter>

                  <!--
                  This is not necessary if a ServiceLocator fetches the data from EJB layer
                  <filter>
                      <filter-name>SpringOpenEntityManagerInViewFilter</filter-name>
                      <filter-class>
                          org.springframework.orm.jpa.support.OpenEntityManagerInViewFilter
                      </filter-class>
                  </filter>

                  <filter-mapping>
                      <filter-name>SpringOpenEntityManagerInViewFilter</filter-name>
                      <url-pattern>/*</url-pattern>
                  </filter-mapping>
                  -->

                  <filter-mapping>
                      <filter-name>struts2</filter-name>
                      <url-pattern>/*</url-pattern>
                  </filter-mapping>

                  <servlet>
                      <servlet-name>worksheet</servlet-name>
                      <servlet-class>org.jmesa.worksheet.servlet.WorksheetServlet</servlet-class>
                  </servlet>

                  <servlet-mapping>
                      <servlet-name>worksheet</servlet-name>
                      <url-pattern>*.wrk</url-pattern>
                  </servlet-mapping>

                  <listener>
                      <listener-class>
                          org.springframework.web.context.ContextLoaderListener
                      </listener-class>
                  </listener>

                  <welcome-file-list>
                      <welcome-file>index.jsp</welcome-file>
                  </welcome-file-list>

              </web-app>
              


              And the Struts2 interceptor I use on sites where you have to be logged in:
              JaasLoginInterceptor:
              /**
               *
               */
              package vwg.audi.cancard.ui.interceptor;

              import javax.servlet.http.HttpServletRequest;

              import org.apache.log4j.Logger;
              import org.apache.struts2.ServletActionContext;

              import vwg.yyy.cancard.business.LoginFacade;
              import vwg.yyy.cancard.ui.JAASConstants;

              import com.opensymphony.xwork2.Action;
              import com.opensymphony.xwork2.ActionInvocation;
              import com.opensymphony.xwork2.interceptor.Interceptor;

              /**
               * JAASLoginFilter
               *
               * @author Michael Obster
               */
              public class JAASLoginInterceptor implements Interceptor {

                  private static final long serialVersionUID = -1983088770872827621L;

                  private Logger log = Logger.getLogger(this.getClass());

                  String loginDomain = "";
                  String clientLoginDomain = "";

                  LoginFacade loginFacade;

                  @Override
                  public void init() {

                  }

                  @Override
                  public String intercept(ActionInvocation actionInvocation) throws Exception {
                      loginDomain = ServletActionContext.getServletContext().getInitParameter("jaasLoginDomain");
                      clientLoginDomain = ServletActionContext.getServletContext().getInitParameter("jaasClientLoginDomain");
                      if (log.isDebugEnabled()) {
                          log.debug("init JAASInterceptor: loginDomain:" + loginDomain + " clientLoginDomain:" + clientLoginDomain);
                      }

                      HttpServletRequest request = ServletActionContext.getRequest();
                      String servletPath = request.getServletPath();
                      String pathInfo = request.getPathInfo();
                      String path = (servletPath == null ? "" : servletPath)
                              + (pathInfo == null ? "" : pathInfo);
                      if (log.isDebugEnabled()) {
                          log.debug("Login INTERCEPT");
                      }
                      loginFacade = new LoginFacade(loginDomain, clientLoginDomain);

                      if (!JAASConstants.USER_IS_VALID.equals(request
                              .getSession().getAttribute(
                                      JAASConstants.USER_VALIDITY))) {
                          log.info("requested path: " + path);
                          return Action.LOGIN;
                      }

                      //Perform client-login
                      String username = (String) request.getSession().getAttribute(JAASConstants.USERNAME);
                      String strPassword = (String) request.getSession().getAttribute(JAASConstants.PASSWORD);

                      // Classic login by username and password
                      loginFacade.clientLogin(username, strPassword);
                      if (log.isDebugEnabled()) {
                          log.debug("*****CLIENTLOGIN COMPLETE****");
                      }

                      return actionInvocation.invoke();
                  }

                  @Override
                  public void destroy() {
                      // loginFacade is only created inside intercept(), so guard against
                      // destroy() running on an interceptor instance that never intercepted
                      if (loginFacade != null) {
                          loginFacade.logout();
                      }
                  }

              }
              


              • 4. Re: Caller unauthorized on using a ejb3 statetlesssessionbea
                wolfgangknauf

                Hi,

                I think I get it now. Your JAASLoginInterceptor should perform a login using the class "org.jboss.web.tomcat.security.login.WebAuthentication": http://www.jboss.org/community/wiki/WebAuthentication
                This way, your authentication will be propagated to the security layer.

                I don't know your class "LoginFacade", but I assume that you don't use "WebAuthentication" there?

                Hope this helps

                Wolfgang

                • 5. Re: Caller unauthorized on using a ejb3 statetlesssessionbea

                  Perhaps you're right; I will test that in the next few hours. To be complete, this is my LoginFacade:

                  /**
                   *
                   */
                  package vwg.audi.cancard.business;

                  import javax.naming.AuthenticationException;
                  import javax.security.auth.login.LoginContext;
                  import javax.security.auth.login.LoginException;

                  import org.apache.log4j.Logger;
                  import org.jboss.security.auth.callback.UsernamePasswordHandler;

                  import vwg.audi.cancard.JAASLoginException;
                  import vwg.audi.cancard.ui.JAASConstants;

                  /**
                   * LoginFacade
                   *
                   * @author Michael Obster (michael.obster@epos-cat.de)
                   */
                  public class LoginFacade {
                      private Logger log = Logger.getLogger(this.getClass());

                      private LoginContext lc = null;
                      private String loginContext = "";
                      private String clientContext = "";

                      public LoginFacade(String loginContext, String clientContext) {
                          this.loginContext = loginContext;
                          this.clientContext = clientContext;
                      }

                      /**
                       * Real login, used by GUI.
                       *
                       * @param username
                       * @param strPassword
                       * @throws Exception
                       */
                      public void login(String username, String strPassword) throws Exception {
                          char[] password = strPassword != null ? strPassword.toCharArray() : "".toCharArray();
                          UsernamePasswordHandler handler = new UsernamePasswordHandler(username, password);

                          lc = null;
                          try {
                              //Login for usercheck
                              lc = new LoginContext(loginContext, handler);
                              lc.login();

                          } catch (Exception e) {
                              // Walk down the cause chain until the LDAP AuthenticationException (if any)
                              Throwable t = e;
                              while (t.getCause() != null) {
                                  if (t instanceof AuthenticationException) {
                                      break;
                                  }
                                  t = t.getCause();
                              }

                              //Analyse AuthenticationException
                              if (t instanceof AuthenticationException) {
                                  AuthenticationException ex = (AuthenticationException) t;
                                  String emsg = ex.getExplanation();
                                  if (!hasValue(emsg)) {
                                      emsg = "";
                                  }
                                  String errorhint = JAASConstants.USER_NOT_AUTHENTICATED;
                                  // ">= 0" so that a marker at the very start of the explanation is matched too
                                  if (emsg.indexOf("password expired") >= 0) {
                                      errorhint = JAASConstants.PASSWORD_EXPIRED;
                                  } else if (emsg.indexOf("error code 49") >= 0) {
                                      errorhint = JAASConstants.PASSWORD_INVALID;
                                  } else if (emsg.indexOf("error code 19") >= 0) {
                                      errorhint = JAASConstants.USER_REVOKED;
                                  } else if (emsg.indexOf("error code 32") >= 0) {
                                      errorhint = JAASConstants.USER_INVALID;
                                  }
                                  log.debug(username + " " + ex.getExplanation() + " hint: " + errorhint);
                                  throw new JAASLoginException(errorhint, ex);

                              } else if (t instanceof LoginException) {
                                  LoginException ex = (LoginException) t;
                                  String emsg = ex.getMessage();
                                  if (!hasValue(emsg)) {
                                      emsg = "";
                                  }
                                  String errorhint = JAASConstants.USER_NOT_AUTHENTICATED;
                                  if (emsg.indexOf("Password Required") >= 0) {
                                      errorhint = JAASConstants.PASSWORD_INVALID;
                                  }
                                  log.debug(username + " " + emsg + " " + errorhint);
                                  throw new JAASLoginException(errorhint, ex);
                              } else {
                                  log.debug(username + " " + t.getMessage() + " " + JAASConstants.UNEXPECTED_ERROR);
                                  throw new JAASLoginException(JAASConstants.UNEXPECTED_ERROR, t);
                              }
                          }
                      }

                      /**
                       * Background Login, set user and password from filter.
                       */
                      public void clientLogin(String username, String strPassword) throws JAASLoginException {
                          char[] password = strPassword != null ? strPassword.toCharArray() : "".toCharArray();
                          UsernamePasswordHandler handler = new UsernamePasswordHandler(username, password);
                          try {
                              lc = new LoginContext(clientContext, handler);
                              lc.login();
                          } catch (LoginException e) {
                              // keep the LoginException as cause instead of dropping it
                              throw new JAASLoginException(JAASConstants.UNEXPECTED_ERROR, e);
                          }
                      }

                      public void logout() throws JAASLoginException {
                          if (lc == null)
                              return;

                          try {
                              lc.logout();
                          } catch (LoginException e) {
                              log.error("JAAS-Logout failed!", e);
                              throw new JAASLoginException(JAASConstants.UNEXPECTED_ERROR, e);
                          }
                      }

                      /**
                       * Helper function tests if Strings have a value.
                       *
                       * @param s - the String to test.
                       * @return true or false
                       */
                      boolean hasValue(String s) {
                          return s != null && s.trim().length() != 0;
                      }
                  }
                  
                  


                  • 6. Re: Caller unauthorized on using a ejb3 statetlesssessionbea

                    After some trying I get another error, so I tried to find out where the method isUserInRole is implemented, because I want to know what happens there. So where can I have a deeper look into that?

                    The error is

                    ...
                    13:33:02,033 INFO [Login] User extern.michael.obster: login successfull!
                    13:33:02,049 DEBUG [CoyoteAdapter] Requested cookie session id is 935A59F3B0ED644F944D50636D518275
                    13:33:02,080 DEBUG [JAASLoginInterceptor] Login INTERCEPT
                    13:33:02,096 DEBUG [JAASLoginInterceptor] User Principal=extern.michael.obster
                    13:33:02,096 DEBUG [RealmBase] Username extern.michael.obster does NOT have role RegularUser
                    13:33:02,096 DEBUG [JAASLoginInterceptor] isUserInRole(Authorized User)=false
                    13:33:02,096 DEBUG [RealmBase] Username extern.michael.obster does NOT have role RegularUser
                    13:33:02,096 ERROR [[default]] Servlet.service() for servlet default threw exception
                    javax.servlet.ServletException: User is not authenticated or the isUserInRole check failed
                     at vwg.audi.cancard.ui.interceptor.JAASLoginInterceptor.intercept(JAASLoginInterceptor.java:77)
                     at com.opensymphony.xwork2.DefaultActionInvocation$2.doProfiling(DefaultActionInvocation.java:224)
                    ...
                    


                    • 7. Re: Caller unauthorized on using a ejb3 statetlesssessionbea
                      wolfgangknauf

                      Hi,

                      did you move your code to "WebAuthentication"? If yes: please post an update. I am not sure whether the WebAuthentication class will work with a Struts2 interceptor, but I hope so.

                      "HttpServletRequest.isUserInRole" should be part of the Tomcat implementation of the servlet spec. So, if you need the sources, take a look at the Tomcat source code.

                      Best regards

                      Wolfgang

                      • 8. Re: Caller unauthorized on using a ejb3 statetlesssessionbea

                        As I have seen, WebAuthentication only has to be used from the interceptor instead of my own LoginFacade. First of all, is this correct?

                        So I hope I've moved to WebAuthentication in the correct way. I have seen an example of how to implement a Struts 1 filter. I have used that code to implement my Struts 2 interceptor.

                        And this is the current error:

                        15:05:30,318 DEBUG [RealmBase] Username extern.michael.obster does NOT have role AdminUser
                        

                        The login principal in the LoginModule gives me a mapping "extern.michael.obster" to "AdminUser", so this is in some way a discrepancy; I suppose that something of the security context is lost (therefore I wanted to have "deeper" debugging, but I don't see a way to do it, because I cannot get better access into JBossWebRealm.java).

                        This is my new JaasLoginInterceptor:
                        /**
                         *
                         */
                        package vwg.audi.cancard.ui.interceptor;

                        import javax.servlet.ServletException;
                        import javax.servlet.http.HttpServletRequest;

                        import org.apache.log4j.Logger;
                        import org.apache.struts2.ServletActionContext;
                        import org.jboss.web.tomcat.security.login.WebAuthentication;

                        import vwg.audi.cancard.business.LoginFacade;
                        import vwg.audi.cancard.ui.JAASConstants;

                        import com.opensymphony.xwork2.Action;
                        import com.opensymphony.xwork2.ActionInvocation;
                        import com.opensymphony.xwork2.interceptor.Interceptor;

                        /**
                         * JAASLoginFilter
                         *
                         * @author Michael Obster
                         */
                        public class JAASLoginInterceptor implements Interceptor {

                            private static final long serialVersionUID = -1983088770872827621L;

                            private Logger log = Logger.getLogger(this.getClass());

                            String loginDomain = "";
                            String clientLoginDomain = "";

                            LoginFacade loginFacade;

                            @Override
                            public void init() {

                            }

                            @Override
                            public String intercept(ActionInvocation actionInvocation) throws Exception {
                                HttpServletRequest request = ServletActionContext.getRequest();

                                String servletPath = request.getServletPath();
                                String pathInfo = request.getPathInfo();
                                String path = (servletPath == null ? "" : servletPath)
                                        + (pathInfo == null ? "" : pathInfo);
                                if (log.isDebugEnabled()) {
                                    log.debug("Login INTERCEPT");
                                }

                                if (!JAASConstants.USER_IS_VALID.equals(request
                                        .getSession().getAttribute(
                                                JAASConstants.USER_VALIDITY))) {
                                    log.info("requested path: " + path);
                                    return Action.LOGIN;
                                }

                                //Get the user name and password based on some attributes from your FORM post
                                String username = (String) request.getSession().getAttribute(JAASConstants.USERNAME); //username can be any attribute
                                String pass = (String) request.getSession().getAttribute(JAASConstants.PASSWORD); //pass can be any attribute

                                if (username == null || pass == null) {
                                    throw new RuntimeException("username or password is null");
                                }
                                WebAuthentication pwl = new WebAuthentication();
                                pwl.login(username, pass);

                                if (log.isDebugEnabled()) {
                                    //Only when there is web login, does the principal be visible
                                    log.debug("User Principal=" + request.getUserPrincipal());
                                    //Some basic checks to see if the user who just did a programmatic login has a role of "AuthorizedUser"
                                    log.debug("isUserInRole(Authorized User)=" + request.isUserInRole("AdminUser"));
                                }

                                if (request.getUserPrincipal() == null || !request.isUserInRole("AdminUser")) {
                                    throw new ServletException("User is not authenticated or the isUserInRole check failed");
                                }

                                //Log the user out
                                pwl.logout();

                                if (request.getUserPrincipal() != null || request.isUserInRole("AdminUser")) {
                                    throw new ServletException("User is still authenticated or pass: isUserInRole(Authorized User)");
                                }

                                return actionInvocation.invoke();
                            }

                            @Override
                            public void destroy() {
                                // loginFacade.logout();
                            }

                        }
                        


                        • 9. Re: Caller unauthorized on using a ejb3 statetlesssessionbea
                          wolfgangknauf

                          Hi,

                          your code seems correct. As we both don't know whether it will work with an Interceptor, I would advise you to make a test: call a servlet and try to perform your login action inside this. If this works, the problems might be a result of some Interceptor problem. If it does not work with the servlet, the error probably lies in your security config.

                          I see that you use username and password to perform the LDAP login. Why not use e.g. form-based authentication according to the servlet spec (by declaring a range of secured pages in "web.xml")? JBoss provides a login module against LDAP.

                          You might read e.g. this (shows all the steps required to secure a web app): http://www.developer.com/security/article.php/3077421/Introduction-to-Securing-Web-Applications-with-JBoss-and-LDAP.htm
                          or this (details about the JBoss LDAP login module): http://www.jboss.org/community/wiki/LdapLoginModule

                          Hope this helps

                          Wolfgang
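
                          A servlet of the kind Wolfgang suggests for narrowing the problem down, written for this page as an added example (it is neither the thread's code nor JBoss's): it performs the programmatic login with the `WebAuthentication` class from reply 4, checks the `AdminUser` role that the bean's `@RolesAllowed` list requires, calls the session bean while the web login is still active, and logs out only afterwards, in a `finally` block. It assumes a local business interface `UserFacade` for the `UserFacadeBean` seen earlier (only the bean class and its `getAllRoles()` method appear in the thread), a login form that posts `j_username` and `j_password` to this servlet, and a placeholder package name. Unlike the interceptor in reply 3, it reads the credentials from the request and never puts the password into the `HttpSession`.

```java
package vwg.audi.cancard.ui; // hypothetical package, chosen for this example

import java.io.IOException;
import java.security.Principal;

import javax.ejb.EJB;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

import org.apache.log4j.Logger;
import org.jboss.web.tomcat.security.login.WebAuthentication;

/**
 * Added example (not from the thread): a plain servlet that performs the
 * programmatic web login, verifies the role the EJB layer demands, calls the
 * bean while the login is active and only then logs out again.
 */
public class LoginTestServlet extends HttpServlet {

    private static final long serialVersionUID = 1L;
    private static final Logger log = Logger.getLogger(LoginTestServlet.class);

    /** Role name from the bean's @RolesAllowed list discussed in the thread. */
    private static final String REQUIRED_ROLE = "AdminUser";

    /**
     * Assumed local interface of the UserFacadeBean shown in the thread;
     * the interface name is an assumption, getAllRoles() is from the bean.
     */
    @EJB
    private UserFacade userFacade;

    @Override
    protected void doPost(HttpServletRequest request, HttpServletResponse response)
            throws ServletException, IOException {
        // Credentials come from the POST body of this single request and are
        // never copied into the HttpSession, so a session dump cannot leak them.
        String username = request.getParameter("j_username");
        String password = request.getParameter("j_password");
        if (username == null || password == null) {
            response.sendError(HttpServletResponse.SC_BAD_REQUEST, "missing credentials");
            return;
        }

        WebAuthentication webAuth = new WebAuthentication();
        webAuth.login(username, password);
        try {
            // WebAuthentication populates the request principal; a null principal
            // means the security domain's login module rejected the credentials.
            Principal caller = request.getUserPrincipal();
            if (caller == null) {
                log.info("login failed for user " + username);
                response.sendError(HttpServletResponse.SC_UNAUTHORIZED);
                return;
            }
            // Same check the EJB container makes on the @RolesAllowed method;
            // failing here yields a clear message instead of EJBAccessException.
            if (!request.isUserInRole(REQUIRED_ROLE)) {
                log.info("user " + caller.getName() + " lacks role " + REQUIRED_ROLE);
                response.sendError(HttpServletResponse.SC_FORBIDDEN);
                return;
            }
            // The bean is called while the web login is still active, so the
            // caller and its roles are propagated to the EJB security layer.
            int roleCount = userFacade.getAllRoles().size();
            response.setContentType("text/plain");
            response.getWriter().println("caller " + caller.getName()
                    + " is authorized; " + roleCount + " roles defined");
        } finally {
            // Log out only after the bean call: logging out before it would
            // reach the EJB with no caller, which the container rejects.
            webAuth.logout();
        }
    }
}
```

                          Wire it up with a `<servlet>`/`<servlet-mapping>` pair like the worksheet servlet in reply 3, inside the web application whose `jboss-web.xml` names the security domain the bean uses. If the bean call succeeds here but not through the Struts2 interceptor, the security configuration is fine and the interceptor is where to look; if it fails here as well, the security domain or login module configuration is the more likely cause, which is the split Wolfgang describes above.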

                          • 10. Re: Caller unauthorized on using a ejb3 statetlesssessionbea

                            Ok. Thank you. I will try that with the servlet.

                            Form-based authentication would also be a way to solve that use case but needs more work, because my current code is migrated from an old application.

                            One of the specialities I have is that my roles are not defined in the LDAP itself but in a database, which is queried with the username after the user has authenticated against the LDAP (in my case a global catalog of an Active Directory structure) to get the role.
                            A second point is that I have to parse the LDAP connection string before connecting, because I need to get the global catalog servers from a SRV query on the DNS system.

                            I hope these two things are also possible with form-based authentication, but I think I cannot use an existing JBoss LoginModule for that and have to use my own.

                            I will have a deeper look into the article, perhaps I get an idea how I can solve my issue.

                            Kind regards,
                            Michael
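
                            Form-based authentication as Wolfgang describes in reply 9, applied to the web.xml from reply 3, as an added example that is not the thread's own configuration: the container challenges the user itself, authenticates against the `cancardDomain` security domain (so a custom login module that binds to LDAP and then reads the roles from the database still runs there, which answers the concern about the custom module above), and propagates the caller to the EJB layer. The `/admin/*` pattern and the two JSP page names are assumptions; the role names `AdminUser` and `RegularUser` and the domain name are the ones that appear in the thread.

```xml
<!-- WEB-INF/web.xml (servlet 2.4): add inside <web-app>, next to the existing filters and servlets -->

<!-- Every URL below /admin/ (assumed path) needs an authenticated caller holding AdminUser.
     No <http-method> elements are listed on purpose: naming methods would leave every
     unlisted method (HEAD, PUT, ...) unconstrained. -->
<security-constraint>
    <web-resource-collection>
        <web-resource-name>Administration pages</web-resource-name>
        <url-pattern>/admin/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
        <role-name>AdminUser</role-name>
    </auth-constraint>
    <!-- keep the posted password off plain HTTP -->
    <user-data-constraint>
        <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
</security-constraint>

<!-- The container serves login.jsp (assumed name) itself; the form on it posts
     j_username and j_password to j_security_check, so application code never
     handles the password or has to keep it in the session. -->
<login-config>
    <auth-method>FORM</auth-method>
    <realm-name>cancardDomain</realm-name>
    <form-login-config>
        <form-login-page>/login.jsp</form-login-page>
        <form-error-page>/loginError.jsp</form-error-page>
    </form-login-config>
</login-config>

<!-- declare every role name used in auth-constraints or isUserInRole() -->
<security-role>
    <role-name>AdminUser</role-name>
</security-role>
<security-role>
    <role-name>RegularUser</role-name>
</security-role>

<!-- WEB-INF/jboss-web.xml: binds the web application to the same JAAS domain
     the session bean is secured with, so one login module stack serves both layers -->
<jboss-web>
    <security-domain>java:/jaas/cancardDomain</security-domain>
</jboss-web>
```

                            With this in place the `jaasLoginDomain`/`jaasClientLoginDomain` context parameters and the interceptor's own `LoginContext` handling become unnecessary for pages under the constraint: the container has already authenticated the caller before the Struts2 filter runs, and `request.getUserPrincipal()` and `request.isUserInRole("AdminUser")` return the result of the domain's login module, including roles that the module fetched from the database.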

                            • 11. Re: Caller unauthorized on using a ejb3 statetlesssessionbea

                              Ok, I have some new errors using a servlet, but this is also not working.

                              After I had a deeper look into the Web based authentication, I've seen that this is not usable for my usecase, because the service must be also usable over a Public-Key-Infrastructure. The Web based authentication does not support that.

                              What I've seen is that the JAASLoginModule is called every time I access an EJB. The strange thing is that the login works, but on accessing an EJB I get an "Invalid User" error and a message "Bad password for username=null" from JAAS, so it looks like the JAAS module forgets the username and password I logged in with before successfully. I suppose this is the problem of the previous error.
                              The question now is how I can solve that issue.

                              This is the complete error until the call of the EJB method:

                              16:12:42,099 INFO [SpiiderLoginModule] trying dn: uid=extern.michael.obster, ou=External,ou=People,ou=Access
                              16:12:42,099 INFO [SpiiderLoginModule] Logging into LDAP server, env={java.naming.factory.initial=com.sun.jndi.ldap.LdapCtxFactory, dsJndiName=cancardviewerDS, rolesQuery=SELECT u.userid, r."role" FROM "security".application_user u, "security".application_role r, "security".user_role ur WHERE u.userid = ? AND u.userid = ur.user_id AND ur.role_id = r."role", java.naming.security.principal=uid=extern.michael.obster, ou=External,ou=People,ou=Access, jboss.security.security_domain=cancardDomain, java.naming.provider.url=ldap://ldaphost, java.naming.security.authentication=simple, java.naming.security.credentials=***, principal.dn.groups=ou=Corporate,ou=People,ou=Access:ou=External,ou=People,ou=Access}
                              16:12:42,130 INFO [SpiiderLoginModule] Logged into LDAP server, javax.naming.ldap.InitialLdapContext@9e50cd
                              16:12:42,130 INFO [SpiiderLoginModule] getRoleSets using rolesQuery: SELECT u.userid, r."role" FROM "security".application_user u, "security".application_role r, "security".user_role ur WHERE u.userid = ? AND u.userid = ur.user_id AND ur.role_id = r."role", gid: 12A44E672EA8C49B
                              16:12:42,146 INFO [LoginServlet] User extern.michael.obster: login successfull!
                              
                              16:12:42,146 DEBUG [LoginServlet] init JAASInterceptor: loginDomain:cancardDomain clientLoginDomain:client-login
                              16:12:42,193 INFO [SpiiderLoginModule] LdapLoginModule, dsJndiName=cancardviewerDS
                              16:12:42,193 INFO [SpiiderLoginModule] rolesQuery=SELECT u.userid, r."role" FROM "security".application_user u, "security".application_role r, "security".user_role ur WHERE u.userid = ? AND u.userid = ur.user_id AND ur.role_id = r."role"
                              16:12:42,193 INFO [SpiiderLoginModule] defaultRole=RegularUser
                              16:12:42,193 DEBUG [SpiiderLoginModule] Bad password for username=null
                              16:12:42,193 ERROR [[LoginServlet]] Servlet.service() for servlet LoginServlet threw exception
                               javax.ejb.EJBAccessException: Invalid User
                                at org.jboss.ejb3.security.Ejb3AuthenticationInterceptorv2.invoke(Ejb3AuthenticationInterceptorv2.java:165)
                                at org.jboss.aop.joinpoint.MethodInvocation.invokeNext(MethodInvocation.java:102)
                                at org.jboss.ejb3.ENCPropagationInterceptor.invoke(ENCPropagationInterceptor.java:41)
                                at org.jboss.aop.joinpoint.MethodInvocation.invokeNext(MethodInvocation.java:102)
                                at org.jboss.ejb3.BlockContainerShutdownInterceptor.invoke(BlockContainerShutdownInterceptor.java:67)
                                at org.jboss.aop.joinpoint.MethodInvocation.invokeNext(MethodInvocation.java:102)
                                at org.jboss.aspects.currentinvocation.CurrentInvocationInterceptor.invoke(CurrentInvocationInterceptor.java:67)
                                at org.jboss.aop.joinpoint.MethodInvocation.invokeNext(MethodInvocation.java:102)
                                at org.jboss.ejb3.stateless.StatelessContainer.dynamicInvoke(StatelessContainer.java:421)
                                at org.jboss.ejb3.remoting.IsLocalInterceptor.invokeLocal(IsLocalInterceptor.java:85)
                                at org.jboss.ejb3.remoting.IsLocalInterceptor.invoke(IsLocalInterceptor.java:72)
                                at org.jboss.aop.joinpoint.MethodInvocation.invokeNext(MethodInvocation.java:102)
                                at org.jboss.aspects.remoting.PojiProxy.invoke(PojiProxy.java:62)
                                at $Proxy488.invoke(Unknown Source)
                                at org.jboss.ejb3.proxy.impl.handler.session.SessionProxyInvocationHandlerBase.invoke(SessionProxyInvocationHandlerBase.java:207)
                                at org.jboss.ejb3.proxy.impl.handler.session.SessionProxyInvocationHandlerBase.invoke(SessionProxyInvocationHandlerBase.java:164)
                                at $Proxy561.updateUser(Unknown Source)
                              


                              And the class LoginServlet.java:
                               package vwg.audi.cancard.webservlet;

                               import java.io.IOException;

                               import javax.ejb.EJBAccessException;
                               import javax.servlet.ServletException;
                               import javax.servlet.http.HttpServlet;
                               import javax.servlet.http.HttpServletRequest;
                               import javax.servlet.http.HttpServletResponse;

                               import org.apache.log4j.Logger;
                               import org.jboss.web.tomcat.security.login.WebAuthentication; // imported, but not used in this version

                               import vwg.audi.cancard.JAASLoginException;
                               import vwg.audi.cancard.business.LoginFacade;
                               import vwg.audi.cancard.ui.JAASConstants;
                               // ServiceLocator and ServiceLocatorException are project classes whose package is not shown in this thread.

                               public class LoginServlet extends HttpServlet
                               {
                                   private static final long serialVersionUID = -5539909157863711284L;

                                   private Logger log = Logger.getLogger(LoginServlet.class);

                                   /**
                                    * Process the HTTP GET request.
                                    */
                                   public void doGet(HttpServletRequest request, HttpServletResponse response)
                                       throws ServletException, IOException
                                   {
                                       serveRequest(request, response);
                                   }

                                   /**
                                    * Process the HTTP POST request.
                                    */
                                   public void doPost(HttpServletRequest request, HttpServletResponse response)
                                       throws ServletException, IOException
                                   {
                                       serveRequest(request, response);
                                   } // doPost

                                   /**
                                    * The actual processing of the HttpServletRequest happens in this method.
                                    * It is called by the two public methods doPost and doGet.
                                    */
                                   public void serveRequest(HttpServletRequest request,
                                       HttpServletResponse response) throws ServletException, IOException
                                   {
                                       // test credentials, hard-coded for this reproduction
                                       String username = "extern.michael.obster";
                                       String pass = "mypassword";
                                       // login first
                                       try {
                                           login(username, pass);
                                       }
                                       catch (Exception e) {
                                           log.error("Fehler:", e);
                                       }

                                       String loginDomain = "cancardDomain";
                                       String clientLoginDomain = "client-login";
                                       if (log.isDebugEnabled()) {
                                           log.debug("init JAASInterceptor: loginDomain:" + loginDomain + " clientLoginDomain:" + clientLoginDomain);
                                       }

                                       // lets try to access ejb3 (an EJBAccessException thrown here is not caught)
                                       try {
                                           ServiceLocator.getInstance().getUserService().updateUser();
                                       }
                                       catch (ServiceLocatorException e) {
                                           log.error("ServiceLocator error:", e);
                                       }
                                   }

                                   /**
                                    * Helper method for logging in.
                                    * @param username
                                    * @param strPassword
                                    * @return one of the JAASConstants result keys
                                    * @throws Exception if the login fails with an unexpected error
                                    */
                                   private String login(String username, String strPassword) throws Exception {
                                       String loginDomain = "cancardDomain";
                                       String clientLoginDomain = "client-login";

                                       log.debug("LoginAction: loginDomain:" + loginDomain + " clientLoginDomain:" + clientLoginDomain);
                                       try {
                                           LoginFacade loginFacade = new LoginFacade(loginDomain, clientLoginDomain);
                                           loginFacade.login(username, strPassword);
                                       } catch (JAASLoginException jaasEx) {
                                           log.info("User " + username + ": login NOT successfull! " + jaasEx.getErrorKey(), jaasEx);
                                           return jaasEx.getErrorKey();
                                       } catch (EJBAccessException ejbEx) {
                                           // No permission for application
                                           log.warn(ejbEx);
                                           Exception ex = ejbEx.getCausedByException();
                                           log.info("User " + username + ": login NOT successfull! " + ejbEx.getMessage(), ejbEx);

                                           if (ex instanceof SecurityException) {
                                               return JAASConstants.NO_RIGHTS;
                                           } else {
                                               return JAASConstants.USER_NOT_AUTHENTICATED;
                                           }
                                       }
                                       catch (Exception ex) {
                                           log.info("User " + username + ": login NOT successfull! " + ex.getMessage(), ex);
                                           throw ex;
                                           // return JAASConstants.NO_RIGHTS;
                                       }
                                       log.info("User " + username + ": login successfull!");
                                       return JAASConstants.USER_IS_VALID;
                                   }

                               }
                              


                              • 12. Re: Caller unauthorized on using a ejb3 statetlesssessionbea
                                wolfgangknauf

                                Hi,

                                 seems your LoginServlet calls "LoginFacade.login", but I don't know whether you use the "WebAuthentication" class in this method or not (your initial code does not do it, and I don't know whether you changed it or not). If you use "WebAuthentication", then your username/password approach should definitely work.

                                Unfortunately I cannot help you further with public key infrastructures.

                                Best regards

                                Wolfgang

                                • 13. Re: Caller unauthorized on using a ejb3 statetlesssessionbea

                                  Hi,

                                   What do I have to do if I want to use WebAuthentication further? Do I have to change the complete login to web-based authentication? I've seen that I then need j_security_check, but I always get that this resource is not available from Tomcat.

                                   For now I tried to use WebAuthentication, but the user is not authenticated then. I only get this error:

                                   vwg.audi.cancard.MyApplicationException: User is not authenticated or the isUserInRole check failed
                                    at vwg.audi.cancard.ui.action.Login.execute(Login.java:177)
                                    at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
                                    at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
                                    at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
                                    at java.lang.reflect.Method.invoke(Method.java:597)
                                    at com.opensymphony.xwork2.DefaultActionInvocation.invokeAction(DefaultActionInvocation.java:441)
                                    at com.opensymphony.xwork2.DefaultActionInvocation.invokeActionOnly(DefaultActionInvocation.java:280)
                                    at com.opensymphony.xwork2.DefaultActionInvocation.invoke(DefaultActionInvocation.java:243)
                                    at com.opensymphony.xwork2.interceptor.DefaultWorkflowInterceptor.doIntercept(DefaultWorkflowInterceptor.java:165)
                                    at com.opensymphony.xwork2.interceptor.MethodFilterInterceptor.intercept(MethodFilterInterceptor.java:87)
                                    at com.opensymphony.xwork2.DefaultActionInvocation.invoke(DefaultActionInvocation.java:237)
                                    at com.opensymphony.xwork2.validator.ValidationInterceptor.doIntercept(ValidationInterceptor.java:252)
                                    at org.apache.struts2.interceptor.validation.AnnotationValidationInterceptor.doIntercept(AnnotationValidationInterceptor.java:68)
                                    at com.opensymphony.xwork2.interceptor.MethodFilterInterceptor.intercept(MethodFilterInterceptor.java:87)
                                    at com.opensymphony.xwork2.DefaultActionInvocation.invoke(DefaultActionInvocation.java:237)
                                    at com.opensymphony.xwork2.interceptor.ConversionErrorInterceptor.intercept(ConversionErrorInterceptor.java:122)
                                    at com.opensymphony.xwork2.DefaultActionInvocation.invoke(DefaultActionInvocation.java:237)
                                    at com.opensymphony.xwork2.interceptor.ParametersInterceptor.doIntercept(ParametersInterceptor.java:195)
                                    at com.opensymphony.xwork2.interceptor.MethodFilterInterceptor.intercept(MethodFilterInterceptor.java:87)
                                    at com.opensymphony.xwork2.DefaultActionInvocation.invoke(DefaultActionInvocation.java:237)
                                    at com.opensymphony.xwork2.interceptor.ParametersInterceptor.doIntercept(ParametersInterceptor.java:195)
                                    at com.opensymphony.xwork2.interceptor.MethodFilterInterceptor.intercept(MethodFilterInterceptor.java:87)
                                    at com.opensymphony.xwork2.DefaultActionInvocation.invoke(DefaultActionInvocation.java:237)
                                    at com.opensymphony.xwork2.interceptor.StaticParametersInterceptor.intercept(StaticParametersInterceptor.java:179)
                                    at com.opensymphony.xwork2.DefaultActionInvocation.invoke(DefaultActionInvocation.java:237)
                                    at ...
                                  


                                  The code I used in my Struts2 action:
                                   if (username == null || password == null)
                                       throw new RuntimeException("username or password is null");
                                   WebAuthentication pwl = new WebAuthentication();
                                   pwl.login(username, password);

                                   // Only after a web login is the principal visible on the request
                                   log.info("User Principal=" + ServletActionContext.getRequest().getUserPrincipal());
                                   // Some basic checks to see if the user who just did a programmatic login has the role "AuthorizedUser"
                                   log.info("isUserInRole(Authorized User)=" + ServletActionContext.getRequest().isUserInRole("AuthorizedUser"));
                                   if (ServletActionContext.getRequest().getUserPrincipal() == null || !ServletActionContext.getRequest().isUserInRole("AuthorizedUser"))
                                       throw new MyApplicationException("User is not authenticated or the isUserInRole check failed");

                                   // Log the user out
                                   pwl.logout();

                                   if (ServletActionContext.getRequest().getUserPrincipal() != null || ServletActionContext.getRequest().isUserInRole("AuthorizedUser"))
                                       throw new MyApplicationException("User is still authenticated or pass: isUserInRole(Authorized User)");
                                  


                                  In my log I see these two lines:
                                  10:21:16,515 INFO [Login] User Principal=null
                                  10:21:16,531 INFO [Login] isUserInRole(Authorized User)=false
                                  


                                  But now the output of my JAAS login module is missing. I think that this is not running anymore. Something is missing...

                                  Regards,
                                  Michael

                                  • 14. Re: Caller unauthorized on using a ejb3 statetlesssessionbea

                                     Ok, back to the LoginFacade. I did some more testing and tried to use the code in a JDK5 and JBoss 4.2.3 environment. There I also get an access exception on the EJB3 bean. After putting some log.info statements into my JAAS login module I got the following output:

                                    11:34:59,091 INFO [SpiiderLoginModule] Groups for User: 1
                                    11:34:59,106 INFO [SpiiderLoginModule] Principal: AdminUser
                                     11:34:59,106 ERROR [RoleBasedAuthorizationInterceptor] Insufficient permissions, principal=extern.michael.obster, requiredRoles=[RegularUser, AdminUser, internal], principalRoles=null
                                    


                                     What I see is that the user has the role AdminUser, but when the access to the EJB3 is checked the principalRoles get lost. Does anyone have an idea where this behaviour can come from?

                                    Code-Snippets:
                                    SpiiderLoginModule:
                                    ...
                                     protected Group[] getRoleSets() throws LoginException {
                                         if (userIdentifier == null)
                                             return getDefaultRoles();

                                         // add the useridentifier to the subject
                                         subject.getPublicCredentials().add(userIdentifier);
                                         String gid = userIdentifier.getGid();
                                         if (trace)
                                             log.info("getRoleSets using rolesQuery: " + rolesQuery
                                                 + ", gid: " + gid);
                                         try {
                                             Group[] roleSets = Util.getRoleSets(gid, dsJndiName,
                                                 rolesQuery, this, suspendResume);

                                             log.info("Groups for User: " + roleSets.length);
                                             for (Group role : roleSets) {
                                                 // role.getName() is the name of the group, not of the roles it contains
                                                 log.info("Principal: " + role.getName());
                                             }

                                             if (roleSets.length == 0)
                                                 return getDefaultRoles();

                                             return roleSets;
                                         } catch (FailedLoginException fe) {
                                             // this exception is thrown if the user is not found in the roles-link-table
                                             return getDefaultRoles();
                                         }
                                     }
                                    ...
                                    


                                    LoginFacade:
                                     package vwg.audi.cancard.business;

                                     import javax.naming.AuthenticationException;
                                     import javax.security.auth.login.LoginContext;
                                     import javax.security.auth.login.LoginException;

                                     import org.apache.log4j.Logger;
                                     import org.jboss.security.auth.callback.UsernamePasswordHandler;

                                     import vwg.audi.cancard.JAASLoginException;
                                     import vwg.audi.cancard.ui.JAASConstants;

                                     /**
                                      * LoginFacade
                                      *
                                      * @author Michael Obster (nospam.michael.obster@epos-cat.de)
                                      */
                                     public class LoginFacade {
                                         private Logger log = Logger.getLogger(this.getClass());

                                         private LoginContext lc = null;
                                         private String loginContext = "";
                                         private String clientContext = "";

                                         public LoginFacade(String loginContext, String clientContext) {
                                             this.loginContext = loginContext;
                                             this.clientContext = clientContext;
                                         }

                                         /**
                                          * Real login, used by GUI.
                                          *
                                          * @param username
                                          * @param strPassword
                                          * @throws Exception
                                          */
                                         public void login(String username, String strPassword) throws Exception {
                                             char[] password = strPassword != null ? strPassword.toCharArray() : "".toCharArray();
                                             UsernamePasswordHandler handler = new UsernamePasswordHandler(username, password);

                                             lc = null;
                                             try {
                                                 // Login for usercheck
                                                 lc = new LoginContext(loginContext, handler);
                                                 lc.login();

                                             } catch (Exception e) {
                                                 // walk down the cause chain until an AuthenticationException (or the root cause) is found
                                                 Throwable t = e;
                                                 while (t.getCause() != null) {
                                                     if (t instanceof AuthenticationException) {
                                                         break;
                                                     }
                                                     t = t.getCause();
                                                 }

                                                 // Analyse AuthenticationException
                                                 if (t instanceof AuthenticationException) {
                                                     AuthenticationException ex = (AuthenticationException) t;
                                                     String emsg = ex.getExplanation();
                                                     if (!hasValue(emsg)) {
                                                         emsg = "";
                                                     }
                                                     // >= 0: a match at the very start of the message also counts
                                                     String errorhint = JAASConstants.USER_NOT_AUTHENTICATED;
                                                     if (emsg.indexOf("password expired") >= 0) {
                                                         errorhint = JAASConstants.PASSWORD_EXPIRED;
                                                     } else if (emsg.indexOf("error code 49") >= 0) {
                                                         errorhint = JAASConstants.PASSWORD_INVALID;
                                                     } else if (emsg.indexOf("error code 19") >= 0) {
                                                         errorhint = JAASConstants.USER_REVOKED;
                                                     } else if (emsg.indexOf("error code 32") >= 0) {
                                                         errorhint = JAASConstants.USER_INVALID;
                                                     }
                                                     log.debug(username + " " + ex.getExplanation() + " hint: " + errorhint);
                                                     throw new JAASLoginException(errorhint, ex);

                                                 } else if (t instanceof LoginException) {
                                                     LoginException ex = (LoginException) t;
                                                     String emsg = ex.getMessage();
                                                     if (!hasValue(emsg)) {
                                                         emsg = "";
                                                     }
                                                     String errorhint = JAASConstants.USER_NOT_AUTHENTICATED;
                                                     if (emsg.indexOf("Password Required") >= 0) {
                                                         errorhint = JAASConstants.PASSWORD_INVALID;
                                                     }
                                                     log.debug(username + " " + emsg + " " + errorhint);
                                                     throw new JAASLoginException(errorhint, ex);
                                                 } else {
                                                     log.debug(username + " " + t.getMessage() + " " + JAASConstants.UNEXPECTED_ERROR);
                                                     throw new JAASLoginException(JAASConstants.UNEXPECTED_ERROR, t);
                                                 }
                                             }
                                         }

                                         /**
                                          * Background Login, set user and password from filter.
                                          */
                                         public void clientLogin(String username, String strPassword) throws JAASLoginException {
                                             char[] password = strPassword != null ? strPassword.toCharArray() : "".toCharArray();
                                             UsernamePasswordHandler handler = new UsernamePasswordHandler(username, password);
                                             try {
                                                 lc = new LoginContext(clientContext, handler);
                                                 lc.login();
                                             } catch (LoginException e) {
                                                 // keep the cause so the real reason shows up in the log
                                                 throw new JAASLoginException(JAASConstants.UNEXPECTED_ERROR, e);
                                             }
                                         }

                                         public void logout() throws JAASLoginException {
                                             if (lc == null)
                                                 return;

                                             try {
                                                 lc.logout();
                                             } catch (LoginException e) {
                                                 log.error("JAAS-Logout failed!", e);
                                                 throw new JAASLoginException(JAASConstants.UNEXPECTED_ERROR, e);
                                             }
                                         }

                                         /**
                                          * Helper function tests if Strings have a value.
                                          *
                                          * @param s - the String to test.
                                          * @return true or false
                                          */
                                         boolean hasValue(String s) {
                                             return s != null && s.trim().length() != 0;
                                         }
                                     }
                                    


                                    And a filter which does following:
                                     package vwg.audi.cancard.cfg;

                                     import java.io.IOException;
                                     import java.util.ArrayList;
                                     import java.util.Enumeration;

                                     import javax.servlet.Filter;
                                     import javax.servlet.FilterChain;
                                     import javax.servlet.FilterConfig;
                                     import javax.servlet.ServletException;
                                     import javax.servlet.ServletRequest;
                                     import javax.servlet.ServletResponse;
                                     import javax.servlet.http.HttpServletRequest;

                                     import org.apache.log4j.Logger;

                                     import vwg.audi.cancard.JAASLoginException;
                                     import vwg.audi.cancard.business.LoginFacade;
                                     import vwg.audi.cancard.ui.JAASConstants;

                                     /**
                                      * JAASLoginFilter
                                      *
                                      */
                                     public class JAASLoginFilter implements Filter {
                                         private Logger log = Logger.getLogger(this.getClass());

                                         FilterConfig filterConfig;

                                         ArrayList<String> ignorePath;

                                         String loginDomain = "";
                                         String clientLoginDomain = "";

                                         @SuppressWarnings("unchecked")
                                         public void init(FilterConfig filterConfig) throws ServletException {
                                             this.filterConfig = filterConfig;
                                             // every init-param value of the filter is a path that does not need a login
                                             ignorePath = new ArrayList<String>();
                                             Enumeration enumeration = filterConfig.getInitParameterNames();
                                             while (enumeration.hasMoreElements()) {
                                                 String initParameterName = (String) enumeration.nextElement();
                                                 ignorePath.add(filterConfig.getInitParameter(initParameterName));
                                             }

                                             loginDomain = filterConfig.getServletContext().getInitParameter("jaasLoginDomain");
                                             clientLoginDomain = filterConfig.getServletContext().getInitParameter("jaasClientLoginDomain");
                                             log.debug("init JAASFilter: loginDomain:" + loginDomain + " clientLoginDomain:" + clientLoginDomain);
                                         }

                                         public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain) throws IOException, ServletException {

                                             if (req instanceof HttpServletRequest) {
                                                 HttpServletRequest request = (HttpServletRequest) req;
                                                 String servletPath = request.getServletPath();
                                                 String pathInfo = request.getPathInfo();
                                                 String path = (servletPath == null ? "" : servletPath)
                                                     + (pathInfo == null ? "" : pathInfo);
                                                 log.debug(path);
                                                 log.debug("IM FILTER");
                                                 LoginFacade loginFacade = new LoginFacade(loginDomain, clientLoginDomain);

                                                 if (!ignorePath.contains(path)
                                                     && !JAASConstants.USER_IS_VALID.equals(request
                                                         .getSession().getAttribute(
                                                             JAASConstants.USER_VALIDITY))) {
                                                     log.info("requested path: " + path + " ignored: " + ignorePath.contains(path));
                                                     throw new JAASLoginException();
                                                 }

                                                 // Perform client-login
                                                 if (!ignorePath.contains(path)) {
                                                     String username = (String) request.getSession().getAttribute(JAASConstants.USERNAME);
                                                     String strPassword = (String) request.getSession().getAttribute(JAASConstants.PASSWORD);

                                                     // Classic login by username and password
                                                     loginFacade.clientLogin(username, strPassword);
                                                 }

                                                 try {
                                                     chain.doFilter(req, res);
                                                 } finally {
                                                     // always drop the client-login association, even if the chain threw
                                                     loginFacade.logout();
                                                 }
                                             } else
                                                 throw new JAASLoginException("Unsupported request");

                                         }

                                         public void destroy() {

                                         }

                                     }
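The two log lines above ("Groups for User: 1", "Principal: AdminUser") together with the posted rolesQuery (SELECT u.userid, r."role" ...) point at the column order: the JBoss database login modules read column 1 of the rolesQuery as the role name and column 2 as the role-group name, and the EJB3 RoleBasedAuthorizationInterceptor looks for a group named "Roles". The following Java program, an added example and not code from this thread, re-creates that mapping for the posted column order and for the documented order (role first, "Roles" second), and checks the resulting Subject the way the interceptor does. It assumes org.jboss.security.SimpleGroup and SimplePrincipal (jbosssx, on the JBoss 5 classpath); the result rows are constructed in-memory, and buildRoleSets is an illustrative re-implementation of the convention, not the real org.jboss.security.auth.spi.Util.

```java
import java.security.acl.Group;          // JDK 5/6 API that JBoss 5 role groups implement
import java.util.ArrayList;
import java.util.HashMap;
import java.util.List;
import java.util.Map;

import javax.security.auth.Subject;

import org.jboss.security.SimpleGroup;   // jbosssx, on the JBoss 5 classpath (assumption)
import org.jboss.security.SimplePrincipal;

public class RolesQueryCheck {

    /** One row of the rolesQuery result: column 1 and column 2 as strings (constructed). */
    static final class Row {
        final String col1, col2;
        Row(String col1, String col2) { this.col1 = col1; this.col2 = col2; }
    }

    /**
     * Illustrative re-implementation of the JBoss DatabaseServerLoginModule convention
     * ("select Role, RoleGroup from Roles where PrincipalID=?"): column 1 is the role
     * name, column 2 the role-group name, a missing group falls back to "Roles".
     */
    static Group[] buildRoleSets(List<Row> rows) {
        Map<String, Group> groups = new HashMap<String, Group>();
        for (Row row : rows) {
            String roleName = row.col1;
            String groupName = row.col2 == null ? "Roles" : row.col2;
            Group g = groups.get(groupName);
            if (g == null) {
                g = new SimpleGroup(groupName);
                groups.put(groupName, g);
            }
            g.addMember(new SimplePrincipal(roleName));
        }
        return groups.values().toArray(new Group[groups.size()]);
    }

    /** Puts the role groups into a Subject the way a login module's commit() does. */
    static Subject subjectFor(Group[] roleSets) {
        Subject s = new Subject();
        for (Group g : roleSets) {
            s.getPrincipals().add(g);
        }
        return s;
    }

    /** The authorization check: a Group named "Roles" in the Subject that contains the role. */
    static boolean subjectHasRole(Subject subject, String role) {
        for (Group g : subject.getPrincipals(Group.class)) {
            if ("Roles".equals(g.getName()) && g.isMember(new SimplePrincipal(role))) {
                return true;
            }
        }
        return false;
    }

    public static void main(String[] args) {
        // Constructed row as the posted query returns it: (userid, role)
        List<Row> postedOrder = new ArrayList<Row>();
        postedOrder.add(new Row("extern.michael.obster", "AdminUser"));
        Group[] fromPosted = buildRoleSets(postedOrder);
        System.out.println("posted order: group=" + fromPosted[0].getName()
            + " hasRole(AdminUser)=" + subjectHasRole(subjectFor(fromPosted), "AdminUser"));

        // Same data in the documented order: (role, "Roles"), e.g.
        //   SELECT r."role", 'Roles' FROM ... WHERE u.userid = ?
        List<Row> documentedOrder = new ArrayList<Row>();
        documentedOrder.add(new Row("AdminUser", "Roles"));
        Group[] fromDocumented = buildRoleSets(documentedOrder);
        System.out.println("documented order: group=" + fromDocumented[0].getName()
            + " hasRole(AdminUser)=" + subjectHasRole(subjectFor(fromDocumented), "AdminUser"));
    }
}
```

With the posted column order the only group is named AdminUser and subjectHasRole returns false, which is exactly what "Principal: AdminUser" followed by principalRoles=null shows; with the role in column 1 and 'Roles' in column 2 the check returns true.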
                                    

