Setting up security in a cluster
topping Jun 12, 2003 12:49 AM
Hi all,
I'm just bringing up my code completely under a cluster for the first time and running into some issues with authentication. Maybe others have seen this before and can make some comments.
The environment is set up with two login modules under one JAAS realm, both set as "sufficient". One of them is a database-driven module (which I believe can be ignored for this discussion), the other is with the UsersRolesLoginModule. All the configuration and code is very robust in an unclustered environment; it seems I'm just having problems with getting authenticated across the cluster. I haven't been able to find anything in the paid docs nor the list archives that addresses issues regarding authentication in a cluster.
Right now, I am just trying to have some client code in the web container of one of the machines call a stateless session bean on each server. When I set up my LoginContext with properties of the localhost:1099, the authentication succeeds and the stateless session bean on the local machine is accessible, but a SLSB on the remote host is not.
So I figured that the right thing to do was to point the properties for the InitialContext at the HA-JNDI (port 1100), since HA-JNDI first tries the local JNDI, then delegates if it can't find the binding locally. But that fails. It must find the UsersRolesLoginModule okay, because it complains if the users.properties/roles.properties are missing. But when the properties files are in place, they do not have the desired effect -- an AuthenticationException with principal=null is thrown.
My code looks like:
    Properties params = new Properties();
    params.put(Context.INITIAL_CONTEXT_FACTORY,
               "org.jnp.interfaces.NamingContextFactory");
    params.put(Context.PROVIDER_URL, "localhost:1100");
    params.put(Context.URL_PKG_PREFIXES,
               "org.jboss.naming:org.jnp.interfaces");
    AppCallbackHandler handler
        = new AppCallbackHandler("initial", "initial");
    LoginContext lc = new LoginContext("Bill2Realm", handler);
    lc.login();
    // Obtain initial context
    javax.naming.InitialContext initialContext
        = new javax.naming.InitialContext(params);
    UserManagerHome userManagerHome = null;
    try {
        Object objRef
            = initialContext.lookup(UserManagerHome.JNDI_NAME);
        userManagerHome
            = (UserManagerHome) PortableRemoteObject.narrow(
                  objRef, UserManagerHome.class);
    } finally {
        initialContext.close();
    }
    UserManager um = userManagerHome.create();
    // do something nice here...
Does this ring a bell for anyone? Do I need to configure JAAS to have an auth master in the cluster that I am overlooking? Other than what I did for an unclustered environment, I haven't done anything special to the login configuration.
Any ideas appreciated, thanks!!
Brian