15. Re: Caller unauthorized on using a ejb3 statetlesssessionbea
wolfgangknauf Oct 13, 2009 5:50 AM (in response to praenti)
Hi Michael,
I hope that I am not too annoying by insisting on the use of "WebAuthentication", but I still think that your use case should basically work with it. I am not sure whether the problems result from usage of it in the Struts2 action or whether they are a matter of some other error.
First of all: to get the servlet request inside your Action, implement the interface "org.apache.struts2.interceptor.ServletRequestAware" instead of calling "ServletActionContext.getRequest()". Maybe the latter creates a new request instance where the login information is missing.
To test the login stuff, I would advise you to create a completely new web client for your app without Struts, and use a plain servlet to perform a login in "doGet" or "doPost". If this works, then you know that your login module is OK and you can continue with your "real" app.
Your concerns about "j_security_check" and form based login: take a look at this link: http://roneiv.wordpress.com/2008/03/15/using-webauthentication-in-jboss/ . Though it is for JSF, it shows how to use a login form with a custom login servlet.
Hope this helps
Wolfgang
16. Re: Caller unauthorized on using a ejb3 statetlesssessionbea
praenti Oct 13, 2009 7:51 AM (in response to praenti)
Hmm. Change that.
But which policy does the WebAuthentication use? I've changed that but my JAAS SpiiderLoginModule is not executed anymore :-/. I think that is a configuration problem.
17. Re: Caller unauthorized on using a ejb3 statetlesssessionbea
praenti Oct 14, 2009 8:07 AM (in response to praenti)
OK. WebAuthentication is working. I had to create the jboss-web.xml and add the security-domain there. Now my login module is running.
But the original error is still present. I am using a servlet which does WebAuthentication.
The error:

13:59:50,370 INFO [SpiiderLoginModule] LdapLoginModule, dsJndiName=cancardviewerDS
13:59:50,370 INFO [SpiiderLoginModule] rolesQuery=SELECT u.userid, r."role" FROM "security".application_user u, "security".application_role r, "security".user_role ur WHERE u.userid = ? AND u.userid = ur.user_id AND ur.role_id = r."role"
13:59:50,370 INFO [SpiiderLoginModule] defaultRole=RegularUser
13:59:50,370 INFO [SpiiderLoginModule] trying dn: uid=extern.michael.obster, ou=xxx,ou=People,ou=Access
13:59:50,370 INFO [SpiiderLoginModule] Logging into LDAP server, env={java.naming.factory.initial=com.sun.jndi.ldap.LdapCtxFactory, dsJndiName=cancardviewerDS, rolesQuery=SELECT u.userid, r."role" FROM "security".application_user u, "security".application_role r, "security".user_role ur WHERE u.userid = ? AND u.userid = ur.user_id AND ur.role_id = r."role", java.naming.security.principal=uid=extern.michael.obster, ou=xxx,ou=People,ou=Access, jboss.security.security_domain=cancardDomain, java.naming.provider.url=ldap://xxxxxxx, java.naming.security.authentication=simple, java.naming.security.credentials=***, principal.dn.groups=ou=xxxxxx ,ou=People,ou=Access:ou=External,ou=People,ou=Access}
13:59:50,401 INFO [SpiiderLoginModule] Failed to log into LDAP server. [LDAP: error code 32 - No Such Object]
13:59:50,401 INFO [SpiiderLoginModule] trying dn: uid=extern.michael.obster, ou=External,ou=People,ou=Access
13:59:50,401 INFO [SpiiderLoginModule] Logging into LDAP server, env={java.naming.factory.initial=com.sun.jndi.ldap.LdapCtxFactory, dsJndiName=cancardviewerDS, rolesQuery=SELECT u.userid, r."role" FROM "security".application_user u, "security".application_role r, "security".user_role ur WHERE u.userid = ? AND u.userid = ur.user_id AND ur.role_id = r."role", java.naming.security.principal=uid=extern.michael.obster, ou=External,ou=People,ou=Access, jboss.security.security_domain=cancardDomain, java.naming.provider.url=ldap://xxxxxxxx, java.naming.security.authentication=simple, java.naming.security.credentials=***, principal.dn.groups=ou=xxxxxx ,ou=People,ou=Access:ou=External,ou=People,ou=Access}
13:59:50,417 INFO [SpiiderLoginModule] Logged into LDAP server, javax.naming.ldap.InitialLdapContext@1a21699
13:59:50,480 INFO [SpiiderLoginModule] getRoleSets using rolesQuery: SELECT u.userid, r."role" FROM "security".application_user u, "security".application_role r, "security".user_role ur WHERE u.userid = ? AND u.userid = ur.user_id AND ur.role_id = r."role", gid: 99A44E672EA8C49B
13:59:50,511 DEBUG [SpiiderLoginModule] Principal: AdminUser
13:59:50,542 INFO [LoginServlet] Login sucessfull
13:59:51,011 ERROR [[LoginServlet]] Servlet.service() for servlet LoginServlet threw exception
javax.ejb.EJBAccessException: Caller unauthorized
	at org.jboss.ejb3.security.RoleBasedAuthorizationInterceptorv2.invoke(RoleBasedAuthorizationInterceptorv2.java:199)
	at org.jboss.aop.joinpoint.MethodInvocation.invokeNext(MethodInvocation.java:102)
	at org.jboss.ejb3.security.Ejb3AuthenticationInterceptorv2.invoke(Ejb3AuthenticationInterceptorv2.java:186)
	at org.jboss.aop.joinpoint.MethodInvocation.invokeNext(MethodInvocation.java:102)
	at org.jboss.ejb3.ENCPropagationInterceptor.invoke(ENCPropagationInterceptor.java:41)
	at org.jboss.aop.joinpoint.MethodInvocation.invokeNext(MethodInvocation.java:102)
	at org.jboss.ejb3.BlockContainerShutdownInterceptor.invoke(BlockContainerShutdownInterceptor.java:67)
	at org.jboss.aop.joinpoint.MethodInvocation.invokeNext(MethodInvocation.java:102)
	at org.jboss.aspects.currentinvocation.CurrentInvocationInterceptor.invoke(CurrentInvocationInterceptor.java:67)
	at org.jboss.aop.joinpoint.MethodInvocation.invokeNext(MethodInvocation.java:102)
	at org.jboss.ejb3.stateless.StatelessContainer.dynamicInvoke(StatelessContainer.java:421)
	at org.jboss.ejb3.remoting.IsLocalInterceptor.invokeLocal(IsLocalInterceptor.java:85)
	at org.jboss.ejb3.remoting.IsLocalInterceptor.invoke(IsLocalInterceptor.java:72)
	at org.jboss.aop.joinpoint.MethodInvocation.invokeNext(MethodInvocation.java:102)
	at org.jboss.aspects.remoting.PojiProxy.invoke(PojiProxy.java:62)
	at $Proxy344.invoke(Unknown Source)
	at org.jboss.ejb3.proxy.impl.handler.session.SessionProxyInvocationHandlerBase.invoke(SessionProxyInvocationHandlerBase.java:207)
	at org.jboss.ejb3.proxy.impl.handler.session.SessionProxyInvocationHandlerBase.invoke(SessionProxyInvocationHandlerBase.java:164)
	at $Proxy343.getAllRoles(Unknown Source)
	at vwg.audi.cancard.webservlet.LoginServlet.serveRequest(LoginServlet.java:61)
	at vwg.audi.cancard.webservlet.LoginServlet.doGet(LoginServlet.java:29)
	at javax.servlet.http.HttpServlet.service(HttpServlet.java:617)
	at javax.servlet.http.HttpServlet.service(HttpServlet.java:717)
	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:290)
	at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
	at org.jboss.web.tomcat.filters.ReplyHeaderFilter.doFilter(ReplyHeaderFilter.java:96)
	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235)
	at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
	at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:235)
	at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:191)
	at org.jboss.web.tomcat.security.SecurityAssociationValve.invoke(SecurityAssociationValve.java:190)
	at org.jboss.web.tomcat.security.JaccContextValve.invoke(JaccContextValve.java:92)
	at org.jboss.web.tomcat.security.SecurityContextEstablishmentValve.process(SecurityContextEstablishmentValve.java:126)
	at org.jboss.web.tomcat.security.SecurityContextEstablishmentValve.invoke(SecurityContextEstablishmentValve.java:70)
	at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:127)
	at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:102)
	at org.jboss.web.tomcat.service.jca.CachedConnectionValve.invoke(CachedConnectionValve.java:158)
	at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:109)
	at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:330)
	at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:829)
	at org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.process(Http11Protocol.java:598)
	at org.apache.tomcat.util.net.JIoEndpoint$Worker.run(JIoEndpoint.java:447)
	at java.lang.Thread.run(Thread.java:619)
The used servlet LoginServlet:

package vwg.audi.cancard.webservlet;

import java.io.IOException;

import javax.ejb.EJBAccessException;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

import org.apache.log4j.Logger;
import org.jboss.web.tomcat.security.login.WebAuthentication;

public class LoginServlet extends HttpServlet {

    private Logger log = Logger.getLogger(LoginServlet.class);

    private static final long serialVersionUID = -5539909157863711284L;

    /**
     * Process the HTTP GET request.
     */
    public void doGet(HttpServletRequest request, HttpServletResponse response)
            throws ServletException, IOException {
        serveRequest(request, response);
    }

    /**
     * Process the HTTP POST request.
     */
    public void doPost(HttpServletRequest request, HttpServletResponse response)
            throws ServletException, IOException {
        serveRequest(request, response);
    } // doPost

    /**
     * The actual processing of the HttpServletRequest happens in this method.
     * It is called by the two public methods doPost and doGet.
     */
    public void serveRequest(HttpServletRequest request, HttpServletResponse response)
            throws ServletException, IOException {
        // Test credentials, hard-coded for this reproduction.
        String username = "extern.michael.obster";
        String pass = "myPassword";

        // Programmatic web-tier login; on success the login module's
        // principal and roles should be associated with this request.
        WebAuthentication webAuthentication = new WebAuthentication();
        if (webAuthentication.login(username, pass)) {
            log.info("Login sucessfull");
        } else {
            log.info("Login failed");
        }

        try {
            // Protected EJB3 call; this is where the stack trace above
            // reports "javax.ejb.EJBAccessException: Caller unauthorized".
            ServiceLocator.getInstance().getUserService().getAllRoles();
        } catch (ServiceLocatorException e) {
            e.printStackTrace();
        }

        webAuthentication.logout();
    }
}
Any idea what the problem is?
Best regards,
Michael
18. Re: Caller unauthorized on using a ejb3 statetlesssessionbea
wolfgangknauf Oct 14, 2009 11:40 AM (in response to praenti)
Hi Michael,
I am sorry, but I don't have further ideas. Might be a problem of the config, or might be a JBoss problem.
Your console log contained only output of your Spiider login module and the servlet, but no output of the JBoss security layer. If you did not do so already: activate this logging (sticky post "FAQ" in this forum, question 4). Maybe this provides more information.
Try to create a very simple sample app (just the web client, the EJB and the login module) which reproduces the issue. Then I might take a look at it. Well, the LDAP login won't be reproducible at my site, but maybe the problem also occurs with some other login module.
Best regards
Wolfgang
19. Re: Caller unauthorized on using a ejb3 statetlesssessionbea
praenti Oct 21, 2009 4:48 AM (in response to praenti)
Hi Wolfgang,
yes, I've enabled the security layer debugging. There is no more output on my JBoss than what I've posted already. I don't know what you have expected.
After trying a simple Servlet application with WebAuthentication as described in the blog, the same error "Caller unauthorized" comes up on the access of an EJB3 bean when there is a @RunAs annotation.
So for now I continued with checking if the EJB3 context gets the user authentication correctly.
Now I have tried to see what happens when I do a

log.info(request.getUserPrincipal());
log.info(request.getRemoteUser());
log.info(request.isUserInRole("AdminUser"));

The results are:

extern.michael.obster
extern.michael.obster
false
The conclusion from my point is that there are 3 possible errors:
1. The authentication gets lost, so the request doesn't know the role of the user.
2. The JAAS gets confused about which ID has to be used to get the role for the user
3. The roles query has a wrong result.
After some debugging I found out that my roles query returns a result with some other columns the JAAS system does not expect.
So correcting the roles query fixed my problem.
But thank you for your help. It was not useless, because I got some more knowledge of how to debug the security layer ;-).
For people who have the same problem, check if your result from the roles query contains the columns "name" (with the name of the role) and "role_group"!
Cheers,
Michael
20. Re: Caller unauthorized on using a ejb3 statetlesssessionbea
wolfgangknauf Oct 21, 2009 5:20 AM (in response to praenti)
Hi Michael,
glad you solved your problem. That was a nasty "bug" ;-). If you see a chance that JBoss might error check this condition, you might raise a JIRA issue. But it happened in your custom login module, didn't it? So maybe no JBoss error ;-)?
Best regards
Wolfgang