Passing current user identity to the back-end database
sztank Jul 12, 2007 2:02 PMHi,
I'm developing an application with the following requirement:
All users have a database accounts and the application level authorization should be used also with the database. So I need to pass through the current user identity to the back-end database.
I'm using Jboss as 4.0.5 and Jboss Seam 1.2.1. The project I start with is generated with seam-gen utility. I get some directions on the Seam forum that this should be possible with proper configuration of the JCA datasource.
According to the informations I founded on wiki and docs I trying to use CallerIdentityLoginModule in the following way:
I added policy to the login-config.xml file
<application-policy name = "testdbRealm"> <authentication> <login-module code = "org.jboss.resource.security.CallerIdentityLoginModule" flag = "required"> <module-option name = "userName">dumy</module-option> <module-option name = "password">dumy_pwd</module-option> <module-option name = "managedConnectionFactoryName">jboss.jca:service=LocalTxCM,name=dbtestDatasource</module-option> </login-module> </authentication> </application-policy>
datasource config file dbtest-ds.xml:
<datasources> <local-tx-datasource> <jndi-name>dbtestDatasource</jndi-name> <connection-url>jdbc:postgresql:dbtest</connection-url> <driver-class>org.postgresql.Driver</driver-class> <security-domain>testdbRealm</security-domain> </local-tx-datasource> </datasources>
web.xml file:
<security-constraint> <display-name>Restrict raw XHTML Documents</display-name> <web-resource-collection> <web-resource-name>XHTML</web-resource-name> <url-pattern>*.xhtml</url-pattern> <http-method>GET</http-method> <http-method>POST</http-method> </web-resource-collection> <auth-constraint> <role-name>admin</role-name> </auth-constraint> </security-constraint> <login-config> <auth-method>BASIC</auth-method> <realm-name>testdbRealm</realm-name> </login-config> <security-role> <role-name>admin</role-name> </security-role>
And according to the Seam doc I set the jaas-config-name property in the components.xml file:
<security:identity authenticate-method="#{authenticator.authenticate}" jaas-config-name="testdbRealm"/>
Now I have the following behavior:
The application deploys and works, the *.xhtml pages are displayed but application is not asking for authorization. The database connection is set with the default user and pwd provided in the login-config.xml file (dumy, dumy_pwd).
When I try to remove the default user and pwd from the login-config.xml file:
<application-policy name = "testdbRealm"> <authentication> <login-module code = "org.jboss.resource.security.CallerIdentityLoginModule" flag = "required"> <module-option name = "managedConnectionFactoryName">jboss.jca:service=LocalTxCM,name=dbtestDatasource</module-option> </login-module> </authentication> </application-policy>
then I have errors during deployment because the database connection can't be created (I'm not sure why - think that hibernate try to open the database during the deployment to do its mapping job). I see in server logs that CallerIdentityLoginModule is used.
I stick on this problem and don't know how finish seting up things to enforce the behavior I write about on the beginning. Do I have to call CallerIdentityLoginModule directly from my application?
I'm trying to resolve this issue for quite a long time. I'm not the JBoss and J2EE specialist (yet) (I'm the one who believed that building application's with JBoss + Seam combo is simple and trying to follow) so I appreciate any help and explanations how this mechanism works very much.
Best Regards