13 Replies Latest reply on Jul 8, 2008 4:40 AM by jaikiran

How to authenticate to the JBoss server from a desktop (Swin

marcos_aps Jul 1, 2008 7:52 AM

- JBoss 4.2.2.GA
- Java 5 Update 15

Hello, everybody!

I have already finished my web application using the JBoss server. It's already deployed, running and working well. This web application uses the FORM authentication method to authenticate users (so users must provide a user name and password to log in), being helped by a custom login module that does the real authentication behind the scenes. All the JavaBeans and entity beans that this web application uses are in a EJB jar file deployed on the same server (so the business logic is separated from the presentation).

But now I want to use this same EJB jar file that contains the business logic
from desktop applications (Swing clients). I suppose (correct me if I'm wrong) that in order to make method calls on the session beans from the Swing clients, these Swing clients also have to be authenticated on the server, like the web application is. But the problem is that I have no idea how to authenticate from desktop applications, as the process to do that could be very different from the web applications authentication process. I also would like to know how to log out from the desktop applications.

Below are some extracts from my web application related to the authentication. I think that showing this here is really not necessary, but I chose to do so in the hope that it can be helpful to you to find an answer to me and to show you more precisely how I'm authenticating from the web application.

--------------------------------------------------------------------------------

IN THE WEB APPLICATION:
=================

web.xml
----------
<?xml version="1.0" encoding="UTF-8"?>
<web-app xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xmlns="http://java.sun.com/xml/ns/javaee"
xmlns:web="http://java.sun.com/xml/ns/javaee/web-app_2_5.xsd"
xsi:schemaLocation="http://java.sun.com/xml/ns/javaee http://java.sun.com/xml/ns/javaee/web-app_2_5.xsd"
id="WebApp_ID" version="2.5">
<display-name>Laboratorio de Informatica</display-name>



<security-constraint>
<web-resource-collection>
<web-resource-name>restrito</web-resource-name>
<url-pattern>/*</url-pattern>
</web-resource-collection>
<auth-constraint>
<role-name>ADMINISTRADOR</role-name>
<role-name>USUARIO</role-name>
</auth-constraint>
<user-data-constraint>
<transport-guarantee>NONE</transport-guarantee>
</user-data-constraint>
</security-constraint>

<security-constraint>
<web-resource-collection>
<web-resource-name>permitido</web-resource-name>
<url-pattern>/css/*</url-pattern>
<url-pattern>/script/*</url-pattern>
<url-pattern>/imagens/*</url-pattern>
</web-resource-collection>
<user-data-constraint>
<transport-guarantee>NONE</transport-guarantee>
</user-data-constraint>
</security-constraint>

<login-config>
<auth-method>FORM</auth-method>
<form-login-config>
<form-login-page>/login.jsp</form-login-page>
<form-error-page>/errologin.jsp</form-error-page>
</form-login-config>
</login-config>

<security-role>
<role-name>ADMINISTRADOR</role-name>
</security-role>
<security-role>
<role-name>USUARIO</role-name>
</security-role>


</web-app>

jndi.properties
-----------------
java.naming.factory.initial=org.jnp.interfaces.NamingContextFactory
java.naming.factory.url.pkgs=org.jboss.naming:org.jnp.interfaces
java.naming.provider.url=jnp://localhost:1099

jboss-web.xml
-----------------
<?xml version="1.0" encoding="UTF-8"?>
<jboss-web>
<security-domain>java:/jaas/laboratorio-informatica</security-domain>
</jboss-web>

login.jsp
----------

<h5>Informe o seu nÃƒÂƒÃ‚Âºmero de matrÃƒÂƒÃ‚Âcula e senha para acessar o sistema.</h5>

MatrÃƒÂƒÃ‚Âcula:

Senha:

IN THE EJB APPLICATION:
=================

ModuloLoginFuncionarios.java (this is the custom login module)
I'm showing you here just the methods that I override
--------------------------------------------------------------

package br.urca.www.laboratorioinformatica.seguranca.jboss;

import org.jboss.security.auth.spi.UsernamePasswordLoginModule;
// other imports...

public class ModuloLoginFuncionarios extends UsernamePasswordLoginModule
{
 @Override
 protected String getUsersPassword() throws LoginException
 {
 // code...
 }

 @Override
 protected boolean validatePassword(String inputPassword, String expectedPassword)
 {
 // code...
 }

 @Override
 protected Throwable getValidateError()
 {
 // code...
 }

 @Override
 protected Group[] getRoleSets() throws LoginException
 {
 // code...
 }
}

IN THE SERVER:
===========

C:\jboss-4.2.2.GA\server\default\conf\login-config.xml
---------------------------------------------------------------
<?xml version='1.0'?>
<!DOCTYPE policy PUBLIC
"-//JBoss//DTD JBOSS Security Config 3.0//EN"
"http://www.jboss.org/j2ee/dtd/security_config.dtd">





<application-policy name="laboratorio-informatica">

<login-module code="br.urca.www.laboratorioinformatica.seguranca.jboss.ModuloLoginFuncionarios"
flag="required" />

</application-policy>

C:\jboss-4.2.2.GA\server\default\deploy\laboratorio-informatica-ds.xml
-----------------------------------------------------------------------------------
<?xml version="1.0" encoding="UTF-8"?>


<local-tx-datasource>
<jndi-name>LaboratorioInformaticaDS</jndi-name>
<connection-url>jdbc:sqlserver://server_name;databaseName=database_name</connection-url>
<driver-class>com.microsoft.sqlserver.jdbc.SQLServerDriver</driver-class>
<user-name>user_name</user-name>
password


<type-mapping>MS SQLSERVER2000</type-mapping>

</local-tx-datasource>

--------------------------------------------------------------------------------

So, I hope to get your help about this subject.

Thank you very much.

Marcos

1. Re: How to authenticate to the JBoss server from a desktop (

jaikiran Jul 2, 2008 1:45 AM (in response to marcos_aps)

A couple of years ago, i had written the steps for programmatic JAAS login to access secure EJBs in JBoss http://jaitechwriteups.blogspot.com/2006/07/accessing-secure-ejb-through.html. See if it is of any help.
Actions
2. Re: How to authenticate to the JBoss server from a desktop (

marcos_aps Jul 2, 2008 7:37 AM (in response to marcos_aps)

"jaikiran" wrote:
A couple of years ago, i had written the steps for programmatic JAAS login to access secure EJBs in JBoss http://jaitechwriteups.blogspot.com/2006/07/accessing-secure-ejb-through.html. See if it is of any help.

Thank you for your article, Jaikiran. I've just seen your answer and I'm going to read the article right now before I proceed. Yesterday, while I was waiting for an answer I found this article:

http://www.informit.com/articles/article.aspx?p=394898

It's simple and it also uses JAAS like I'm using in the web application. I was going to use, but I'll read what you wrote before. What do you think about the article I found? Does it can help too?

Marcos
Actions
3. Re: How to authenticate to the JBoss server from a desktop (

jaikiran Jul 2, 2008 8:26 AM (in response to marcos_aps)

"Marcos_APS" wrote:
Yesterday, while I was waiting for an answer I found this article:

http://www.informit.com/articles/article.aspx?p=394898

What do you think about the article I found? Does it can help too?

Yes, that article too explains programmatic JAAS login to access beans. That's definitely going to help.
Actions

4. Re: How to authenticate to the JBoss server from a desktop (

marcos_aps Jul 2, 2008 3:11 PM (in response to marcos_aps)

Hello, Jaikiran!

I'm following the article I found and yours. This is how I'm logging in.

private LoginContext fContextoLogin;

public void conectar(String nomeUsuario, String senha) throws Exception
{
 String arquivoConfiguracao = "jaas.config";

 System.setProperty(
 "java.security.auth.login.config", arquivoConfiguracao);

 // Is there a better way the configure the properties bellow?
 System.setProperty(Context.INITIAL_CONTEXT_FACTORY,
 "org.jnp.interfaces.NamingContextFactory");
 System.setProperty(Context.URL_PKG_PREFIXES,
 "org.jboss.naming:org.jnp.interfaces");
 System.setProperty(Context.PROVIDER_URL,
 "jnp://localhost:1099"); // for now I'm just testing locally

 CallbackHandler gerenciador =
 new UsernamePasswordHandler(nomeUsuario, senha);
 fContextoLogin = new LoginContext("login", gerenciador);
 fContextoLogin.login();
}

but I'm getting the error bellow:

javax.security.auth.login.LoginException: Erro ao localizar fonte de dados: 'java:/LaboratorioInformaticaDS'.
 at br.urca.www.laboratorioinformatica.seguranca.jboss.ModuloLoginFuncionarios$Dados.<init>(ModuloLoginFuncionarios.java:173)
 at br.urca.www.laboratorioinformatica.seguranca.jboss.ModuloLoginFuncionarios$Dados.<init>(ModuloLoginFuncionarios.java:158)
 at br.urca.www.laboratorioinformatica.seguranca.jboss.ModuloLoginFuncionarios.getUsersPassword(ModuloLoginFuncionarios.java:41)
 at org.jboss.security.auth.spi.UsernamePasswordLoginModule.login(UsernamePasswordLoginModule.java:206)
 at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
 at sun.reflect.NativeMethodAccessorImpl.invoke(Unknown Source)
 at sun.reflect.DelegatingMethodAccessorImpl.invoke(Unknown Source)
 at java.lang.reflect.Method.invoke(Unknown Source)
 at javax.security.auth.login.LoginContext.invoke(Unknown Source)
 at javax.security.auth.login.LoginContext.access$000(Unknown Source)
 at javax.security.auth.login.LoginContext$4.run(Unknown Source)
 at java.security.AccessController.doPrivileged(Native Method)
 at javax.security.auth.login.LoginContext.invokePriv(Unknown Source)
 at javax.security.auth.login.LoginContext.login(Unknown Source)
 at br.urca.www.laboratorioinformatica.desktop.dados.ejb.ConexaoEJB.conectar(ConexaoEJB.java:38)
 at br.urca.www.laboratorioinformatica.desktop.Lab$Login.login(Lab.java:21)
 at br.urca.www.desktop.Sistema$DialogoLogin$DlgLogin.conectar(Sistema.java:219)
 at br.urca.www.desktop.Sistema$DialogoLogin$DlgLogin.access$0(Sistema.java:201)
 at br.urca.www.desktop.Sistema$DialogoLogin$DlgLogin$2.actionPerformed(Sistema.java:179)
 at javax.swing.AbstractButton.fireActionPerformed(Unknown Source)
 at javax.swing.AbstractButton$Handler.actionPerformed(Unknown Source)
 at javax.swing.DefaultButtonModel.fireActionPerformed(Unknown Source)
 at javax.swing.DefaultButtonModel.setPressed(Unknown Source)
 at javax.swing.AbstractButton.doClick(Unknown Source)
 at javax.swing.plaf.basic.BasicRootPaneUI$Actions.actionPerformed(Unknown Source)
 at javax.swing.SwingUtilities.notifyAction(Unknown Source)
 at javax.swing.JComponent.processKeyBinding(Unknown Source)
 at javax.swing.KeyboardManager.fireBinding(Unknown Source)
 at javax.swing.KeyboardManager.fireKeyboardAction(Unknown Source)
 at javax.swing.JComponent.processKeyBindingsForAllComponents(Unknown Source)
 at javax.swing.JComponent.processKeyBindings(Unknown Source)
 at javax.swing.JComponent.processKeyEvent(Unknown Source)
 at java.awt.Component.processEvent(Unknown Source)
 at java.awt.Container.processEvent(Unknown Source)
 at java.awt.Component.dispatchEventImpl(Unknown Source)
 at java.awt.Container.dispatchEventImpl(Unknown Source)
 at java.awt.Component.dispatchEvent(Unknown Source)
 at java.awt.KeyboardFocusManager.redispatchEvent(Unknown Source)
 at java.awt.DefaultKeyboardFocusManager.dispatchKeyEvent(Unknown Source)
 at java.awt.DefaultKeyboardFocusManager.preDispatchKeyEvent(Unknown Source)
 at java.awt.DefaultKeyboardFocusManager.typeAheadAssertions(Unknown Source)
 at java.awt.DefaultKeyboardFocusManager.dispatchEvent(Unknown Source)
 at java.awt.Component.dispatchEventImpl(Unknown Source)
 at java.awt.Container.dispatchEventImpl(Unknown Source)
 at java.awt.Window.dispatchEventImpl(Unknown Source)
 at java.awt.Component.dispatchEvent(Unknown Source)
 at java.awt.EventQueue.dispatchEvent(Unknown Source)
 at java.awt.EventDispatchThread.pumpOneEventForFilters(Unknown Source)
 at java.awt.EventDispatchThread.pumpEventsForFilter(Unknown Source)
 at java.awt.EventDispatchThread.pumpEventsForFilter(Unknown Source)
 at java.awt.Dialog$1.run(Unknown Source)
 at java.awt.Dialog$3.run(Unknown Source)
 at java.security.AccessController.doPrivileged(Native Method)
 at java.awt.Dialog.show(Unknown Source)
 at java.awt.Component.show(Unknown Source)
 at java.awt.Component.setVisible(Unknown Source)
 at java.awt.Window.setVisible(Unknown Source)
 at java.awt.Dialog.setVisible(Unknown Source)
 at br.urca.www.desktop.Sistema$DialogoLogin.login(Sistema.java:82)
 at br.urca.www.desktop.Sistema$DialogoLogin.access$0(Sistema.java:79)
 at br.urca.www.desktop.Sistema$1.run(Sistema.java:48)
 at java.awt.event.InvocationEvent.dispatch(Unknown Source)
 at java.awt.EventQueue.dispatchEvent(Unknown Source)
 at java.awt.EventDispatchThread.pumpOneEventForFilters(Unknown Source)
 at java.awt.EventDispatchThread.pumpEventsForFilter(Unknown Source)
 at java.awt.EventDispatchThread.pumpEventsForHierarchy(Unknown Source)
 at java.awt.EventDispatchThread.pumpEvents(Unknown Source)
 at java.awt.EventDispatchThread.pumpEvents(Unknown Source)
 at java.awt.EventDispatchThread.run(Unknown Source)
Caused by: javax.naming.NameNotFoundException: LaboratorioInformaticaDS not bound
 at org.jnp.server.NamingServer.getBinding(NamingServer.java:529)
 at org.jnp.server.NamingServer.getBinding(NamingServer.java:537)
 at org.jnp.server.NamingServer.getObject(NamingServer.java:543)
 at org.jnp.server.NamingServer.lookup(NamingServer.java:296)
 at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
 at sun.reflect.NativeMethodAccessorImpl.invoke(Unknown Source)
 at sun.reflect.DelegatingMethodAccessorImpl.invoke(Unknown Source)
 at java.lang.reflect.Method.invoke(Unknown Source)
 at sun.rmi.server.UnicastServerRef.dispatch(Unknown Source)
 at sun.rmi.transport.Transport$1.run(Unknown Source)
 at java.security.AccessController.doPrivileged(Native Method)
 at sun.rmi.transport.Transport.serviceCall(Unknown Source)
 at sun.rmi.transport.tcp.TCPTransport.handleMessages(Unknown Source)
 at sun.rmi.transport.tcp.TCPTransport$ConnectionHandler.run(Unknown Source)
 at java.lang.Thread.run(Unknown Source)
 at sun.rmi.transport.StreamRemoteCall.exceptionReceivedFromServer(Unknown Source)
 at sun.rmi.transport.StreamRemoteCall.executeCall(Unknown Source)
 at sun.rmi.server.UnicastRef.invoke(Unknown Source)
 at org.jnp.server.NamingServer_Stub.lookup(Unknown Source)
 at org.jnp.interfaces.NamingContext.lookup(NamingContext.java:667)
 at org.jnp.interfaces.NamingContext.lookup(NamingContext.java:627)
 at javax.naming.InitialContext.lookup(Unknown Source)
 at br.urca.www.laboratorioinformatica.seguranca.jboss.ModuloLoginFuncionarios$Dados.<init>(ModuloLoginFuncionarios.java:165)
 ... 68 more

The datasource is not being found. I'm using the same datasource that I use in the web application and it is working there. What am I doing wrong or missing?

Marcos

5. Re: How to authenticate to the JBoss server from a desktop (

marcos_aps Jul 2, 2008 3:25 PM (in response to marcos_aps)

Just an edit of the last post:

private Dados(String sql) throws LoginException
{
 final String nomeFonteDados "java:/LaboratorioInformaticaDS";
 try
 {
 InitialContext contexto = new InitialContext();
 // The error happens in the line bellow, after fContextoLogin.login();
 DataSource fonteDados =
 (DataSource) contexto.lookup(nomeFonteDados);
 fConexao = fonteDados.getConnection();
 fInstrucao = fConexao.prepareStatement(sql);
 fInstrucao.setString(1, getUsername());
 fDados = fInstrucao.executeQuery();
 }
 catch (NamingException ex)
 {
 LoginException excecao = new LoginException(
 "Erro ao localizar fonte de dados: '" + nomeFonteDados + "'.");
 excecao.initCause(ex);
 throw excecao;
 }
 catch (SQLException ex)
 {
 fechar();
 LoginException excecao = new LoginException("Erro de SQL.");
 excecao.initCause(ex);
 throw excecao;
 }
}

Marcos

6. Re: How to authenticate to the JBoss server from a desktop (

jaikiran Jul 3, 2008 1:33 AM (in response to marcos_aps)

From the client, are you trying to connect to a database using a datasource which is deployed on JBoss server? If yes, then you won't have access to the java: namespace to which the datasource is bound. See this for more details http://wiki.jboss.org/wiki/HowCanIAccessADataSourceFromAClient

In the articles that you are reading, we are using just a ClientLoginModule to pass on the credentials to the server. The server will then do the authentication and authorization when the bean is being accessed.
Actions

7. Re: How to authenticate to the JBoss server from a desktop (

marcos_aps Jul 3, 2008 7:53 AM (in response to marcos_aps)

"jaikiran" wrote:
From the client, are you trying to connect to a database using a datasource which is deployed on JBoss server?

Yes. As I showed in the beginning I have a datasource deployed on the server. Here it is again:

C:\jboss-4.2.2.GA\server\default\deploy\laboratorio-informatica-ds.xml
 ----------------------------------------------------------------------
<?xml version="1.0" encoding="UTF-8"?>
<!-- $Id: mssql-ds.xml 61002 2007-02-28 16:13:00Z weston.price@jboss.com $ -->
<datasources>
 <local-tx-datasource>
 <jndi-name>LaboratorioInformaticaDS</jndi-name>
 <connection-url>jdbc:sqlserver://server_name;databaseName=database_name</connection-url>
 <driver-class>com.microsoft.sqlserver.jdbc.SQLServerDriver</driver-class>
 <user-name>user_name</user-name>
 <password>password</password>
 <!-- corresponding type-mapping in the standardjbosscmp-jdbc.xml (optional) -->
 <metadata>
 <type-mapping>MS SQLSERVER2000</type-mapping>
 </metadata>
 </local-tx-datasource>
</datasources>

I access this datasource from my custom login module that I have in the EJB jar application also deployed on the server.

Here's how the login module is configured on the server:

C:\jboss-4.2.2.GA\server\default\conf\login-config.xml
 ------------------------------------------------------
<?xml version='1.0'?>
<!DOCTYPE policy PUBLIC
 "-//JBoss//DTD JBOSS Security Config 3.0//EN"
 "http://www.jboss.org/j2ee/dtd/security_config.dtd">

<!-- other configuration... -->

<policy>
 <!-- other configuration... -->

 <application-policy name="laboratorio-informatica">
 <authentication>
 <login-module code="br.urca.www.laboratorioinformatica.seguranca.jboss.ModuloLoginFuncionarios"
 flag="required" />
 </authentication>
 </application-policy>
</policy>

And here's where the error is happening in the login module when it is accessed from the client application:

private Dados(String sql) throws LoginException
{
 final String nomeFonteDados = "java:/LaboratorioInformaticaDS";
 try
 {
 InitialContext contexto = new InitialContext();
 // Error in the line bellow, in the lookup
 DataSource fonteDados =
 (DataSource) contexto.lookup(nomeFonteDados);
 fConexao = fonteDados.getConnection();
 fInstrucao = fConexao.prepareStatement(sql);
 fInstrucao.setString(1, getUsername());
 fDados = fInstrucao.executeQuery();
 }
 catch (NamingException ex)
 {
 // ...
 }
 catch (SQLException ex)
 {
 // ...
 }
}

All this thing is working in the web application. I can understand that in the web application being executed by JBoss the configuration is passed to the InitialContext automatically by JBoss because it is configured in the web application itself because of this file that exists in the web application and that JBoss uses it:

jndi.properties
 ---------------
java.naming.factory.initial=org.jnp.interfaces.NamingContextFactory
java.naming.factory.url.pkgs=org.jboss.naming:org.jnp.interfaces
java.naming.provider.url=jnp://localhost:1099

But there's no such a configuration in the client application, so JBoss can't pass all this information to the InitialContext when the login module is executed from the client application.

I really would like to have a solution to this as I need to execute the same authentication process that I execute in the web application in the client application. I want to use the same custom login module.

What is interesting is that when I comment the login line in the client application:

CallbackHandler gerenciador =
 new UsernamePasswordHandler(nomeUsuario, senha);
fContextoLogin = new LoginContext("login", gerenciador);
//fContextoLogin.login();

and later I execute a call on a bean method, even if I passed an invalid username and password, the call works. That's really whant I don't want. I want to authenticate with real users. I think that if we can make the login method of the LoginContext works, the problem will be solved.

Can we have a solution to this?

Marcos

8. Re: How to authenticate to the JBoss server from a desktop (

marcos_aps Jul 4, 2008 7:26 AM (in response to marcos_aps)
I changed the login module that I was using from this (my custom login module):

jaas.config login { br.urca.www.laboratorioinformatica.seguranca.jboss.ModuloLoginFuncionarios required; };

to this:

jaas.config login { org.jboss.security.ClientLoginModule required; };

Now I'm able to login 'normally' using loginContext.login(). But JBoss is now accepting any user I pass in and I suppose this is really not a good thing at the point of security. I would like to keep using my custom login module as I use in the web application, but there's the issue of the InitialContext that can't find the JNDI configuration from the client application.

Please, can someone help me with this issue, to find a solution to this. I would accept a workaround if it doesn't compromise the security of my web application, because the login module is also used by the web application. This issue is of paramount importance to me.

Thank you very much.

Marcos
Actions
9. Re: How to authenticate to the JBoss server from a desktop (

jaikiran Jul 4, 2008 7:37 AM (in response to marcos_aps)

Marcos,

I could not get enough time to look through what you posted earlier. Sorry about that.

But JBoss is now accepting any user I pass in

How have you secured your EJBs? Are you using a jboss.xml (similar to jboss-web.xml) to specify the security domain? And is this EJB2.x or EJB3.
Actions
10. Re: How to authenticate to the JBoss server from a desktop (

marcos_aps Jul 4, 2008 7:58 AM (in response to marcos_aps)

"jaikiran" wrote:
Marcos,
I could not get enough time to look through what you posted earlier. Sorry about that.

Never mind, Jaikiran.

"jaikiran" wrote:
Marcos,
How have you secured your EJBs? Are you using a jboss.xml (similar to jboss-web.xml) to specify the security domain? And is this EJB2.x or EJB3.

Yes. My EJBs are secured. I'm using EJB3, JPA 1.0, JSF 1.2. Yes, I'm using jboss.xml.

Jaikiran, look at the first post when I started this discussion. Almost all my files (including jboss.xml) are there. You will have a better ideal about the configuration that I'm using in my web application.

Marcos
Actions

11. Re: How to authenticate to the JBoss server from a desktop (

jaikiran Jul 5, 2008 6:52 AM (in response to marcos_aps)

"Marcos_APS" wrote:

Yes. My EJBs are secured. I'm using EJB3, JPA 1.0, JSF 1.2. Yes, I'm using jboss.xml.

Jaikiran, look at the first post when I started this discussion. Almost all my files (including jboss.xml) are there.

I did check your first post, but it doesn't have the jboss.xml :)

Its been a long time since i last tried my sample application to access a secure bean. I decided to give it a try with EJB3 beans:

@Stateless
@Remote( { UserManagerRemote.class })
@Local (UserManagerLocal.class)
@RemoteBinding(jndiBinding = "RemoteUserManagerBean")
@SecurityDomain (value="other")
public class UserManagerBean implements UserManagerLocal, UserManagerRemote {

 /**
 * Instance of logger
 */
 private static Logger logger = Logger.getLogger(UserManagerBean.class);

 /**
 *
 *
 */
 public UserManagerBean() {
 System.out.println("Default constructor of UserManagerBean " + this);
 }

 @RolesAllowed (value="admin")
 public User getUser(long id) {
System.out.println("Bean method successfully called");
 // do something
 return user;
 }
}

I decided to use annotations (@SecurityDomain and @RolesAllowed) to secure the bean. Using jboss.xml is an alternative.

The method getUser is allowed to be accessed only by users belonging to "admin" role. The security-domain "other" is configured in login-config.xml to use a users.properties and a roles.properties for authentication and authorization:

 <application-policy name = "other">
 <!-- A simple server login module, which can be used when the number
 of users is relatively small. It uses two properties files:
 users.properties, which holds users (key) and their password (value).
 roles.properties, which holds users (key) and a comma-separated list of
 their roles (value).
 The unauthenticatedIdentity property defines the name of the principal
 that will be used when a null username and password are presented as is
 the case for an unuathenticated web client or MDB. If you want to
 allow such users to be authenticated add the property, e.g.,
 unauthenticatedIdentity="nobody"
 -->
 <authentication>
 <login-module code = "org.jboss.security.auth.spi.UsersRolesLoginModule"
 flag = "required" />
 </authentication>
 </application-policy>

These are my users.properties and roles.properties in the EAR:

users.properties:

jaikiran=jaikiran
dummy=dummy

roles.properties:

jaikiran=admin
dummy=normaluser

The client uses the org.jboss.security.ClientLoginModule as mentioned in the blog. Now let's try with various user/password combinations and see what happens:

1) Incorrect user name and password:

String userName = "notanuser";
 String password = "notanuser";
 MyCallbackHandler handler = new MyCallbackHandler(userName,password);

 lc = new LoginContext("someXYZLogin",handler);

 lc.login();

 System.out.println("Successfully logged in user: " + userName);
 Context ctx = new InitialContext();
 UserManagerRemote userManager = (UserManagerRemote) ctx.lookup("RemoteUserManagerBean");
 System.out.println("Got the usermanager bean");
 User user = userManager.getUser((long) 1);

The lc.login succeeds on the client side and the non-existent "notanuser" is logged in.. However, when the call to userManager.getUser is done, another round of authentication (and authorization) is done on the server side. This time with the "other" login module which is configured on the bean. At this point the login fails and an AuthenticationException is thrown:

2008-07-05 15:49:35,199 TRACE [WorkerThread#0[223.1.1.128:1681]] [org.jboss.security.plugins.JaasSecurityManager.other] Begin isValid, principal:notanuser, cache info: null
2008-07-05 15:49:35,199 TRACE [WorkerThread#0[223.1.1.128:1681]] [org.jboss.security.plugins.JaasSecurityManager.other] defaultLogin, principal=notanuser
2008-07-05 15:49:35,199 TRACE [WorkerThread#0[223.1.1.128:1681]] [org.jboss.security.auth.login.XMLLoginConfigImpl] Begin getAppConfigurationEntry(other), size=8
2008-07-05 15:49:35,199 TRACE [WorkerThread#0[223.1.1.128:1681]] [org.jboss.security.auth.login.XMLLoginConfigImpl] End getAppConfigurationEntry(other), authInfo=AppConfigurationEntry[]:
[0]
LoginModule Class: org.jboss.security.auth.spi.UsersRolesLoginModule
ControlFlag: LoginModuleControlFlag: required
Options:
2008-07-05 15:49:35,199 TRACE [WorkerThread#0[223.1.1.128:1681]] [org.jboss.security.auth.spi.UsersRolesLoginModule] initialize, instance=@4020218
2008-07-05 15:49:35,199 TRACE [WorkerThread#0[223.1.1.128:1681]] [org.jboss.security.auth.spi.UsersRolesLoginModule] Security domain: other
2008-07-05 15:49:35,199 TRACE [WorkerThread#0[223.1.1.128:1681]] [org.jboss.security.auth.spi.UsersRolesLoginModule] findResource: file:/D:/JBoss-4.2.2/jboss-4.2.2.GA/server/jaikiran/deploy/EJB3Persistence.ear/users.properties
2008-07-05 15:49:35,199 TRACE [WorkerThread#0[223.1.1.128:1681]] [org.jboss.security.auth.spi.UsersRolesLoginModule] Properties file=file:/D:/JBoss-4.2.2/jboss-4.2.2.GA/server/jaikiran/deploy/EJB3Persistence.ear/users.properties, defaults=null
2008-07-05 15:49:35,215 DEBUG [WorkerThread#0[223.1.1.128:1681]] [org.jboss.security.auth.spi.UsersRolesLoginModule] Loaded properties, users=[dummy, jaikiran]
2008-07-05 15:49:35,215 TRACE [WorkerThread#0[223.1.1.128:1681]] [org.jboss.security.auth.spi.UsersRolesLoginModule] findResource: file:/D:/JBoss-4.2.2/jboss-4.2.2.GA/server/jaikiran/deploy/EJB3Persistence.ear/roles.properties
2008-07-05 15:49:35,215 TRACE [WorkerThread#0[223.1.1.128:1681]] [org.jboss.security.auth.spi.UsersRolesLoginModule] Properties file=file:/D:/JBoss-4.2.2/jboss-4.2.2.GA/server/jaikiran/deploy/EJB3Persistence.ear/roles.properties, defaults=null
2008-07-05 15:49:35,215 DEBUG [WorkerThread#0[223.1.1.128:1681]] [org.jboss.security.auth.spi.UsersRolesLoginModule] Loaded properties, users=[dummy, jaikiran]
2008-07-05 15:49:35,215 TRACE [WorkerThread#0[223.1.1.128:1681]] [org.jboss.security.auth.spi.UsersRolesLoginModule] login
2008-07-05 15:49:35,215 DEBUG [WorkerThread#0[223.1.1.128:1681]] [org.jboss.security.auth.spi.UsersRolesLoginModule] Bad password for username=notanuser
2008-07-05 15:49:35,215 TRACE [WorkerThread#0[223.1.1.128:1681]] [org.jboss.security.auth.spi.UsersRolesLoginModule] abort
2008-07-05 15:49:35,215 TRACE [WorkerThread#0[223.1.1.128:1681]] [org.jboss.security.plugins.JaasSecurityManager.other] Login failure
 javax.security.auth.login.FailedLoginException: Password Incorrect/Password Required
 at org.jboss.security.auth.spi.UsernamePasswordLoginModule.login(UsernamePasswordLoginModule.java:213)
 at org.jboss.security.auth.spi.UsersRolesLoginModule.login(UsersRolesLoginModule.java:152)
 at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
 at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
 at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
 at java.lang.reflect.Method.invoke(Method.java:585)
 at javax.security.auth.login.LoginContext.invoke(LoginContext.java:769)
 at javax.security.auth.login.LoginContext.access$000(LoginContext.java:186)
 at javax.security.auth.login.LoginContext$4.run(LoginContext.java:683)
 at java.security.AccessController.doPrivileged(Native Method)
 at javax.security.auth.login.LoginContext.invokePriv(LoginContext.java:680)
 at javax.security.auth.login.LoginContext.login(LoginContext.java:579)
 at org.jboss.security.plugins.JaasSecurityManager.defaultLogin(JaasSecurityManager.java:603)
 at org.jboss.security.plugins.JaasSecurityManager.authenticate(JaasSecurityManager.java:537)
 at org.jboss.security.plugins.JaasSecurityManager.isValid(JaasSecurityManager.java:344)
 at org.jboss.aspects.security.AuthenticationInterceptor.authenticate(AuthenticationInterceptor.java:123)
 at org.jboss.aspects.security.AuthenticationInterceptor.invoke(AuthenticationInterceptor.java:66)
 at org.jboss.ejb3.security.Ejb3AuthenticationInterceptor.invoke(Ejb3AuthenticationInterceptor.java:110)
 at org.jboss.aop.joinpoint.MethodInvocation.invokeNext(MethodInvocation.java:101)
 at org.jboss.ejb3.ENCPropagationInterceptor.invoke(ENCPropagationInterceptor.java:46)
 at org.jboss.aop.joinpoint.MethodInvocation.invokeNext(MethodInvocation.java:101)
 at org.jboss.ejb3.asynchronous.AsynchronousInterceptor.invoke(AsynchronousInterceptor.java:106)
 at org.jboss.aop.joinpoint.MethodInvocation.invokeNext(MethodInvocation.java:101)
 at org.jboss.ejb3.stateless.StatelessContainer.dynamicInvoke(StatelessContainer.java:304)
 at org.jboss.aop.Dispatcher.invoke(Dispatcher.java:106)
 at org.jboss.aspects.remoting.AOPRemotingInvocationHandler.invoke(AOPRemotingInvocationHandler.java:82)
 at org.jboss.remoting.ServerInvoker.invoke(ServerInvoker.java:769)
 at org.jboss.remoting.transport.socket.ServerThread.processInvocation(ServerThread.java:573)
 at org.jboss.remoting.transport.socket.ServerThread.dorun(ServerThread.java:373)
 at org.jboss.remoting.transport.socket.ServerThread.run(ServerThread.java:166)
2008-07-05 15:49:35,215 TRACE [WorkerThread#0[223.1.1.128:1681]] [org.jboss.security.plugins.JaasSecurityManager.other] End isValid, false
2008-07-05 15:49:35,215 DEBUG [WorkerThread#0[223.1.1.128:1681]] [org.jboss.ejb3.security.Ejb3AuthenticationInterceptor] Authentication failure
javax.security.auth.login.FailedLoginException: Password Incorrect/Password Required
 at org.jboss.security.auth.spi.UsernamePasswordLoginModule.login(UsernamePasswordLoginModule.java:213)
 at org.jboss.security.auth.spi.UsersRolesLoginModule.login(UsersRolesLoginModule.java:152)
 at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
 at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
 at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
 at java.lang.reflect.Method.invoke(Method.java:585)
 at javax.security.auth.login.LoginContext.invoke(LoginContext.java:769)
 at javax.security.auth.login.LoginContext.access$000(LoginContext.java:186)
 at javax.security.auth.login.LoginContext$4.run(LoginContext.java:683)
 at java.security.AccessController.doPrivileged(Native Method)
 at javax.security.auth.login.LoginContext.invokePriv(LoginContext.java:680)
 at javax.security.auth.login.LoginContext.login(LoginContext.java:579)
 at org.jboss.security.plugins.JaasSecurityManager.defaultLogin(JaasSecurityManager.java:603)
 at org.jboss.security.plugins.JaasSecurityManager.authenticate(JaasSecurityManager.java:537)
 at org.jboss.security.plugins.JaasSecurityManager.isValid(JaasSecurityManager.java:344)
 at org.jboss.aspects.security.AuthenticationInterceptor.authenticate(AuthenticationInterceptor.java:123)
 at org.jboss.aspects.security.AuthenticationInterceptor.invoke(AuthenticationInterceptor.java:66)
 at org.jboss.ejb3.security.Ejb3AuthenticationInterceptor.invoke(Ejb3AuthenticationInterceptor.java:110)
 at org.jboss.aop.joinpoint.MethodInvocation.invokeNext(MethodInvocation.java:101)
 at org.jboss.ejb3.ENCPropagationInterceptor.invoke(ENCPropagationInterceptor.java:46)
 at org.jboss.aop.joinpoint.MethodInvocation.invokeNext(MethodInvocation.java:101)
 at org.jboss.ejb3.asynchronous.AsynchronousInterceptor.invoke(AsynchronousInterceptor.java:106)
 at org.jboss.aop.joinpoint.MethodInvocation.invokeNext(MethodInvocation.java:101)
 at org.jboss.ejb3.stateless.StatelessContainer.dynamicInvoke(StatelessContainer.java:304)
 at org.jboss.aop.Dispatcher.invoke(Dispatcher.java:106)
 at org.jboss.aspects.remoting.AOPRemotingInvocationHandler.invoke(AOPRemotingInvocationHandler.java:82)
 at org.jboss.remoting.ServerInvoker.invoke(ServerInvoker.java:769)
 at org.jboss.remoting.transport.socket.ServerThread.processInvocation(ServerThread.java:573)
 at org.jboss.remoting.transport.socket.ServerThread.dorun(ServerThread.java:373)
 at org.jboss.remoting.transport.socket.ServerThread.run(ServerThread.java:166)
2008-07-05 15:49:35,215 TRACE [WorkerThread#0[223.1.1.128:1681]] [org.jboss.remoting.transport.socket.ServerThread] SocketServerInvoker[223.1.1.128:3873].invoke() call failed
javax.ejb.EJBAccessException: Authentication failure
 at org.jboss.ejb3.security.Ejb3AuthenticationInterceptor.handleGeneralSecurityException(Ejb3AuthenticationInterceptor.java:68)
 at org.jboss.aspects.security.AuthenticationInterceptor.invoke(AuthenticationInterceptor.java:70)
 at org.jboss.ejb3.security.Ejb3AuthenticationInterceptor.invoke(Ejb3AuthenticationInterceptor.java:110)
 at org.jboss.aop.joinpoint.MethodInvocation.invokeNext(MethodInvocation.java:101)
 at org.jboss.ejb3.ENCPropagationInterceptor.invoke(ENCPropagationInterceptor.java:46)

2) Let's now try with an existing user, but one who does not have rights to access the bean method. Again the login succeeds on the client side and the user/password information is passed on to the server while accessing the bean method. Another round of authentication starts on the server when the method is accessed. The login succeeds on the server side too, because the user/password are existing valid ones. However, since the user does not have rights to access the method, an AuthorizationException is thrown:

2008-07-05 15:50:51,140 TRACE [WorkerThread#0[223.1.1.128:1687]] [org.jboss.security.plugins.JaasSecurityManager.other] Begin isValid, principal:dummy, cache info: null
2008-07-05 15:50:51,140 TRACE [WorkerThread#0[223.1.1.128:1687]] [org.jboss.security.plugins.JaasSecurityManager.other] defaultLogin, principal=dummy
2008-07-05 15:50:51,140 TRACE [WorkerThread#0[223.1.1.128:1687]] [org.jboss.security.auth.login.XMLLoginConfigImpl] Begin getAppConfigurationEntry(other), size=8
2008-07-05 15:50:51,140 TRACE [WorkerThread#0[223.1.1.128:1687]] [org.jboss.security.auth.login.XMLLoginConfigImpl] End getAppConfigurationEntry(other), authInfo=AppConfigurationEntry[]:
[0]
LoginModule Class: org.jboss.security.auth.spi.UsersRolesLoginModule
ControlFlag: LoginModuleControlFlag: required
Options:
2008-07-05 15:50:51,140 TRACE [WorkerThread#0[223.1.1.128:1687]] [org.jboss.security.auth.spi.UsersRolesLoginModule] initialize, instance=@7641571
2008-07-05 15:50:51,140 TRACE [WorkerThread#0[223.1.1.128:1687]] [org.jboss.security.auth.spi.UsersRolesLoginModule] Security domain: other
2008-07-05 15:50:51,140 TRACE [WorkerThread#0[223.1.1.128:1687]] [org.jboss.security.auth.spi.UsersRolesLoginModule] findResource: file:/D:/JBoss-4.2.2/jboss-4.2.2.GA/server/jaikiran/deploy/EJB3Persistence.ear/users.properties
2008-07-05 15:50:51,140 TRACE [WorkerThread#0[223.1.1.128:1687]] [org.jboss.security.auth.spi.UsersRolesLoginModule] Properties file=file:/D:/JBoss-4.2.2/jboss-4.2.2.GA/server/jaikiran/deploy/EJB3Persistence.ear/users.properties, defaults=null
2008-07-05 15:50:51,140 DEBUG [WorkerThread#0[223.1.1.128:1687]] [org.jboss.security.auth.spi.UsersRolesLoginModule] Loaded properties, users=[dummy, jaikiran]
2008-07-05 15:50:51,140 TRACE [WorkerThread#0[223.1.1.128:1687]] [org.jboss.security.auth.spi.UsersRolesLoginModule] findResource: file:/D:/JBoss-4.2.2/jboss-4.2.2.GA/server/jaikiran/deploy/EJB3Persistence.ear/roles.properties
2008-07-05 15:50:51,140 TRACE [WorkerThread#0[223.1.1.128:1687]] [org.jboss.security.auth.spi.UsersRolesLoginModule] Properties file=file:/D:/JBoss-4.2.2/jboss-4.2.2.GA/server/jaikiran/deploy/EJB3Persistence.ear/roles.properties, defaults=null
2008-07-05 15:50:51,140 DEBUG [WorkerThread#0[223.1.1.128:1687]] [org.jboss.security.auth.spi.UsersRolesLoginModule] Loaded properties, users=[dummy, jaikiran]
2008-07-05 15:50:51,140 TRACE [WorkerThread#0[223.1.1.128:1687]] [org.jboss.security.auth.spi.UsersRolesLoginModule] login
2008-07-05 15:50:51,140 TRACE [WorkerThread#0[223.1.1.128:1687]] [org.jboss.security.auth.spi.UsersRolesLoginModule] User 'dummy' authenticated, loginOk=true
2008-07-05 15:50:51,140 TRACE [WorkerThread#0[223.1.1.128:1687]] [org.jboss.security.auth.spi.UsersRolesLoginModule] commit, loginOk=true
2008-07-05 15:50:51,140 TRACE [WorkerThread#0[223.1.1.128:1687]] [org.jboss.security.auth.spi.UsersRolesLoginModule] Checking user: jaikiran, roles string: admin
2008-07-05 15:50:51,140 TRACE [WorkerThread#0[223.1.1.128:1687]] [org.jboss.security.auth.spi.UsersRolesLoginModule] Checking user: dummy, roles string: normaluser
2008-07-05 15:50:51,140 TRACE [WorkerThread#0[223.1.1.128:1687]] [org.jboss.security.auth.spi.UsersRolesLoginModule] Adding to Roles: normaluser
2008-07-05 15:50:51,140 TRACE [WorkerThread#0[223.1.1.128:1687]] [org.jboss.security.plugins.JaasSecurityManager.other] defaultLogin, lc=javax.security.auth.login.LoginContext@650be6, subject=Subject(32516939).principals=org.jboss.security.SimplePrincipal@14335210(dummy)org.jboss.security.SimpleGroup@32038290(Roles(members:normaluser))
2008-07-05 15:50:51,155 TRACE [WorkerThread#0[223.1.1.128:1687]] [org.jboss.security.plugins.JaasSecurityManager.other] updateCache, inputSubject=Subject(32516939).principals=org.jboss.security.SimplePrincipal@14335210(dummy)org.jboss.security.SimpleGroup@32038290(Roles(members:normaluser)), cacheSubject=Subject(11160568).principals=org.jboss.security.SimplePrincipal@14335210(dummy)org.jboss.security.SimpleGroup@32038290(Roles(members:normaluser))
2008-07-05 15:50:51,155 TRACE [WorkerThread#0[223.1.1.128:1687]] [org.jboss.security.plugins.JaasSecurityManager.other] Inserted cache info: org.jboss.security.plugins.JaasSecurityManager$DomainInfo@61b548[Subject(11160568).principals=org.jboss.security.SimplePrincipal@14335210(dummy)org.jboss.security.SimpleGroup@32038290(Roles(members:normaluser)),credential.class=[C@9519074,expirationTime=1215255040046]
2008-07-05 15:50:51,155 TRACE [WorkerThread#0[223.1.1.128:1687]] [org.jboss.security.plugins.JaasSecurityManager.other] End isValid, true
2008-07-05 15:50:51,155 TRACE [WorkerThread#0[223.1.1.128:1687]] [org.jboss.security.SecurityAssociation] pushSubjectContext, subject=Subject:
 Principal: dummy
 Principal: Roles(members:normaluser)
, sc=org.jboss.security.SecurityAssociation$SubjectContext@16d7e89{principal=dummy,subject=26119032}
2008-07-05 15:50:51,155 TRACE [WorkerThread#0[223.1.1.128:1687]] [org.jboss.security.SecurityAssociation] getPrincipal, principal=dummy
2008-07-05 15:50:51,155 TRACE [WorkerThread#0[223.1.1.128:1687]] [org.jboss.security.SecurityAssociation] getSubject, sc=org.jboss.security.SecurityAssociation$SubjectContext@16d7e89{principal=dummy,subject=26119032}
2008-07-05 15:50:51,155 TRACE [WorkerThread#0[223.1.1.128:1687]] [org.jboss.security.plugins.JaasSecurityManager.other] doesUserHaveRole(Set), subject: Subject:
 Principal: dummy
 Principal: Roles(members:normaluser)

2008-07-05 15:50:51,155 TRACE [WorkerThread#0[223.1.1.128:1687]] [org.jboss.security.plugins.JaasSecurityManager.other] roles=Roles(members:normaluser)
2008-07-05 15:50:51,155 TRACE [WorkerThread#0[223.1.1.128:1687]] [org.jboss.security.plugins.JaasSecurityManager.other] hasRole(admin)=false
2008-07-05 15:50:51,155 TRACE [WorkerThread#0[223.1.1.128:1687]] [org.jboss.security.plugins.JaasSecurityManager.other] hasRole=false
2008-07-05 15:50:51,155 TRACE [WorkerThread#0[223.1.1.128:1687]] [org.jboss.security.SecurityAssociation] getSubject, sc=org.jboss.security.SecurityAssociation$SubjectContext@16d7e89{principal=dummy,subject=26119032}
2008-07-05 15:50:51,155 TRACE [WorkerThread#0[223.1.1.128:1687]] [org.jboss.security.plugins.JaasSecurityManager.other] getUserRoles, subject: Subject:
 Principal: dummy
 Principal: Roles(members:normaluser)

2008-07-05 15:50:51,155 ERROR [WorkerThread#0[223.1.1.128:1687]] [org.jboss.ejb3.security.RoleBasedAuthorizationInterceptor] Insufficient permissions, principal=dummy, requiredRoles=[admin], principalRoles=[normaluser]
2008-07-05 15:50:51,155 DEBUG [WorkerThread#0[223.1.1.128:1687]] [org.jboss.ejb3.security.RoleBasedAuthorizationInterceptor] Authorization failure
java.lang.SecurityException: Insufficient permissions, principal=dummy, requiredRoles=[admin], principalRoles=[normaluser]
 at org.jboss.aspects.security.RoleBasedAuthorizationInterceptor.invoke(RoleBasedAuthorizationInterceptor.java:149)
 at org.jboss.ejb3.security.RoleBasedAuthorizationInterceptor.invoke(RoleBasedAuthorizationInterceptor.java:115)
 at org.jboss.aop.joinpoint.MethodInvocation.invokeNext(MethodInvocation.java:101)
 at org.jboss.aspects.security.AuthenticationInterceptor.invoke(AuthenticationInterceptor.java:77)
 at org.jboss.ejb3.security.Ejb3AuthenticationInterceptor.invoke(Ejb3AuthenticationInterceptor.java:110)
 at org.jboss.aop.joinpoint.MethodInvocation.invokeNext(MethodInvocation.java:101)
 at org.jboss.ejb3.ENCPropagationInterceptor.invoke(ENCPropagationInterceptor.java:46)
 at org.jboss.aop.joinpoint.MethodInvocation.invokeNext(MethodInvocation.java:101)
 at org.jboss.ejb3.asynchronous.AsynchronousInterceptor.invoke(AsynchronousInterceptor.java:106)
 at org.jboss.aop.joinpoint.MethodInvocation.invokeNext(MethodInvocation.java:101)
 at org.jboss.ejb3.stateless.StatelessContainer.dynamicInvoke(StatelessContainer.java:304)
 at org.jboss.aop.Dispatcher.invoke(Dispatcher.java:106)
 at org.jboss.aspects.remoting.AOPRemotingInvocationHandler.invoke(AOPRemotingInvocationHandler.java:82)
 at org.jboss.remoting.ServerInvoker.invoke(ServerInvoker.java:769)
 at org.jboss.remoting.transport.socket.ServerThread.processInvocation(ServerThread.java:573)
 at org.jboss.remoting.transport.socket.ServerThread.dorun(ServerThread.java:373)
 at org.jboss.remoting.transport.socket.ServerThread.run(ServerThread.java:166)
2008-07-05 15:50:51,155 TRACE [WorkerThread#0[223.1.1.128:1687]] [org.jboss.security.SecurityAssociation] popSubjectContext, sc=org.jboss.security.SecurityAssociation$SubjectContext@16d7e89{principal=dummy,subject=26119032}
2008-07-05 15:50:51,155 TRACE [WorkerThread#0[223.1.1.128:1687]] [org.jboss.security.SecurityAssociation] setPrincipal, p=null, server=true
2008-07-05 15:50:51,155 TRACE [WorkerThread#0[223.1.1.128:1687]] [org.jboss.security.SecurityAssociation] setPrincipal, sc=org.jboss.security.SecurityAssociation$SubjectContext@e7ef68{principal=null,subject=null}
2008-07-05 15:50:51,155 TRACE [WorkerThread#0[223.1.1.128:1687]] [org.jboss.security.SecurityAssociation] setCredential, sc=org.jboss.security.SecurityAssociation$SubjectContext@e7ef68{principal=null,subject=null}
2008-07-05 15:50:51,171 TRACE [WorkerThread#0[223.1.1.128:1687]] [org.jboss.remoting.transport.socket.ServerThread] SocketServerInvoker[223.1.1.128:3873].invoke() call failed
javax.ejb.EJBAccessException: Authorization failure
 at org.jboss.ejb3.security.RoleBasedAuthorizationInterceptor.invoke(RoleBasedAuthorizationInterceptor.java:120)
 at org.jboss.aop.joinpoint.MethodInvocation.invokeNext(MethodInvocation.java:101)

3) Now lets try with an existing username with correct password and with sufficient rights to access the method. The login on the client side succeeds and the user/pass info is passed on the server when the bean method is invoked. Another round of authentication is done on server and it too passes. Then an authorization check is done. And since the user has sufficient rights, the bean method is successfully called:

15:51:28,141 INFO [STDOUT] Bean method successfully called

"Marcos_APS" wrote:

Now I'm able to login 'normally' using loginContext.login() . But JBoss is now accepting any user I pass in and I suppose this is really not a good thing at the point of security.

As explained above, the org.jboss.security.ClientLoginModule login module is just used as a carrier for passing on the username/password to the server. The login will succeed with even a invalid user with this module on the client side. However at the server, another round of authentication is done. The login module that gets used on the server side is the one that you have configured in the jboss.xml (or through annotations) for the EJBs and only valid authorized users will be allowed to access the method.

12. Re: How to authenticate to the JBoss server from a desktop (

marcos_aps Jul 7, 2008 7:58 AM (in response to marcos_aps)

Hello, Jaikiran!

First of all, I'm sorry for the delay in replying to your post. That was because I almost don't use internet on weekends, and even though I used it I couldn't do anything to answer your post as all my environment to test the application is set where I work.

Second, thank you very much for your detailed explanation about what could be happening in my application. Thank you for having the patience to produce tests to simulate what could be wrong. When you asked me if I was securing my application I didn't realised that you could be talking about something like the @RolesAllowed and @SecurityDomain annotations. I said I was using jboss.xml, but I wasn't. I was meaning jboss-web.xml. That was just a typographical error I made.

When I make the changes to secure the application (applying the annotations above) the application worked correctly as your tests showed. Indeed, I was going to really secure that application, but I hadn't done that yet because I thought that it would have not changed anything related with the authentication method that we were using.

So, now when I supply I user with the correct role, it can call the right bean methods, otherwise an security exception is throw.

So, once again, Jaikiran, thank you very much for your patience and answers in this discussion to solve the problems that I was having with my desktop application. As I said, that was of paramount importance to me.

Marcos
Actions
13. Re: How to authenticate to the JBoss server from a desktop (

jaikiran Jul 8, 2008 4:40 AM (in response to marcos_aps)

Glad it helped!
Actions

Go to original post