6 Replies Latest reply on Oct 2, 2002 8:26 PM by randahl

    How to log in from an MBean

    randahl

      Short version of this post: Please tell me how to log in from an MBean so I can get access to my secured EJBs.

      Longer version of this post:

      Since I would like to access my secured EJBs, I need to log in. So I have carried out a typical JAAS client login from within my MBean like this:

      LoginContext loginContext = new LoginContext(
      "myDomain",
      new ServerCallbackHandler("TestUser", new char[]{'1', '2', '3', '4'})
      );
      loginContext.login();

      This login has no effect, however, because I still get an EJBException when trying to access my EJBs.

      I find this strange, because I am certain that this code gets access to the "myDomain". I have no "other" domain specified and according to docs JAAS would then throw a LoginException if it could not find "myDomain". I also know that the credentials work for "myDomain" because I use those credentials from a Swing client which is capable of logging in and accessing the EJBs.

      The only problem I can think of is the fact that my Swing client is capable of logging in because I put a .java.login.config in my user dir. In my code, I guess I expect my MBean to be using that .java.login.config - there is no other (I have not deployed any similar settings along with my MBean).

      1. Has anyone got a clue why this does not work?
      2. Are there any alternative methods of logging in from an MBean? - Like calling some JBoss object directly instead of using JAAS, or some other way?


      Any help will be highly appreciated.

      Thanks
      Randahl

        • 1. Re: How to log in from an MBean

          Are you sure your login is on the same thread
          as the ejb access?

          For easier access look at org.jboss.security.SecurityAssociation it has
          a ThreadLocal for the security information.
          Your Swing client probably uses the JVM wide
          configuration of this class.

          Depending on how the MBean is invoked, you might
          want to save the previous information and restore it
          after the EJB invocation?

          Regards,
          Adrian

          • 2. Re: How to log in from an MBean
            randahl

            Thanks, Adrian.

            I am absolutely sure I am logging in from the same thread as where I am accessing the EJBs from. From my MBean I have started 1 thread which does both the logging in and the EJB access (as this is premature code all of this even happens in the same method, the run() method).

            I will look into the Class you are mentioning.

            Thanks
            Randahl

            • 3. Re: How to log in from an MBean
              randahl

              A call to SecurityAssociation.getPrincipal() returns null both before and after the login… any ideas?


              Randahl

              • 4. Re: How to log in from an MBean
                randahl

                Problem solved! As written in earlier posts I tried to use my own JAAS login module configuration "myDomain" for the MBean login. This is NOT in accordance with page 276 of the JBossBook_30x (see below... "the only supported mechanism").

                Solution: I simply switched from "myDomain" to "client-login" when creating my LoginContext.

                However, I am curious why my original solution is not allowed by JBoss? Is that a bug or a feature? - I must admit that the JBoss way works, so no problem there... still, why cannot I use my own login module configuration which carries out _real_ authentication rather than just setting the Principal (as the client-login module configuration does).

                Randahl




                Extract from JBossBook_30x:

                The ClientLoginModule is an implementation of LoginModule for use by JBoss clients for the establishment of the caller identity and credentials. This simply sets the org.jboss.security.SecurityAssociation.principal to the value of the NameCallback filled in by the CallbackHandler, and the org.jboss.security.SecurityAssociation.credential to the value of the PasswordCallback filled in by the CallbackHandler. This is the only supported mechanism for a client to establish the current thread's caller.

                • 5. Re: How to log in from an MBean

                  The ClientLoginModule does NO Authentication.
                  It is a device to associate the thread with the security
                  information.
                  The Authentication is done during the ejb invocation
                  using information established by the ClientLoginModule.

                  You can configure your own policy in login-config.xml
                  that has multiple login modules. This would allow you
                  to do real authentication up-front in the MBean.
                  Just make sure the ClientLoginModule is at the end of the
                  chain so that the thread is associated with the
                  principal/credential for later re-authentication by the
                  EJB.

                  Regards,
                  Adrian
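
The approach described in replies 1 and 5, as an added example that is not part of the thread or of JBoss's own code: authenticate up front through a chained policy, make the secured call, then put the thread's previous security information back. The policy name `mbean-login`, the class `MBeanSecuredCall` and the method `runAs` are hypothetical; the choice of `UsersRolesLoginModule` as the authenticating module is an assumption.

```java
import java.security.Principal;
import java.util.Arrays;
import javax.security.auth.login.LoginContext;
import javax.security.auth.login.LoginException;
import org.jboss.security.SecurityAssociation;
import org.jboss.security.auth.callback.UsernamePasswordHandler;

/*
 * Assumed login-config.xml policy ("mbean-login" is a hypothetical name).
 * The authenticating module comes first; ClientLoginModule is last so the
 * thread ends up associated with the principal/credential.
 *
 * <application-policy name="mbean-login">
 *   <authentication>
 *     <login-module code="org.jboss.security.auth.spi.UsersRolesLoginModule" flag="required"/>
 *     <login-module code="org.jboss.security.ClientLoginModule" flag="required"/>
 *   </authentication>
 * </application-policy>
 */
public final class MBeanSecuredCall {

    /** Runs work (the EJB invocation) as the given user, then restores the thread's prior identity. */
    public static void runAs(String user, char[] password, Runnable work)
            throws LoginException {
        // Save whatever the invoking thread carried before we touch it.
        Principal previousPrincipal = SecurityAssociation.getPrincipal();
        Object previousCredential = SecurityAssociation.getCredential();

        LoginContext lc = new LoginContext("mbean-login",
                new UsernamePasswordHandler(user, password));
        try {
            // Fail-fast: with the policy above, bad credentials are rejected
            // here with a LoginException, before any EJB is touched.
            lc.login();
            work.run();
        } finally {
            try {
                lc.logout();
            } catch (LoginException ignored) {
                // Nothing to log out of if login() itself failed.
            }
            // Restore the caller's identity so this thread does not keep
            // running under the MBean's credentials after the call.
            SecurityAssociation.setPrincipal(previousPrincipal);
            SecurityAssociation.setCredential(previousCredential);
            Arrays.fill(password, '\0'); // clears the caller's array as well
        }
    }
}
```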

                  • 6. Re: How to log in from an MBean
                    randahl

                    Thanks, Adrian. That is a really good idea - I will do that. I really would prefer having a full up front authentication rather than just setting the credentials - it is often better to choose fail-fast solutions.

                    However, instead of chaining modules, I guess I could just do the credential propagation and then invoke an EJB method to provoke authentication failure.

                    I need to try out these options.

                    Thanks again!

                    Randahl