5 Replies Latest reply on Jan 22, 2009 4:22 PM by ron_sigal

    JAAS authentication with EJB over HTTP

    robertxlongo

      Hi,

      We are using JBoss AS 4.2.3.GA and are attempting to access our Stateless Session Beans via HTTP using the instructions found here: http://www.jboss.org/community/docs/DOC-9632.

      We use LDAP authentication to secure access to our SSBs. This seems to work well when we are using plain old RMI; however, when we use HTTP an EJBAccessException is thrown:

      2009-01-06 14:54:20,882 DEBUG [org.jboss.remoting.transport.servlet.ServletServerInvoker] Error thrown calling invoke on server invoker.
      javax.ejb.EJBAccessException: Authentication failure
       at org.jboss.ejb3.security.Ejb3AuthenticationInterceptor.handleGeneralSecurityException(Ejb3AuthenticationInterceptor.java:68)
       at org.jboss.aspects.security.AuthenticationInterceptor.invoke(AuthenticationInterceptor.java:70)
       at org.jboss.ejb3.security.Ejb3AuthenticationInterceptor.invoke(Ejb3AuthenticationInterceptor.java:110)
       at org.jboss.aop.joinpoint.MethodInvocation.invokeNext(MethodInvocation.java:101)
       at org.jboss.ejb3.ENCPropagationInterceptor.invoke(ENCPropagationInterceptor.java:46)
       at org.jboss.aop.joinpoint.MethodInvocation.invokeNext(MethodInvocation.java:101)
       at org.jboss.ejb3.asynchronous.AsynchronousInterceptor.invoke(AsynchronousInterceptor.java:106)
       at org.jboss.aop.joinpoint.MethodInvocation.invokeNext(MethodInvocation.java:101)
       at org.jboss.ejb3.stateless.StatelessContainer.dynamicInvoke(StatelessContainer.java:304)
       at org.jboss.aop.Dispatcher.invoke(Dispatcher.java:106)
       at org.jboss.aspects.remoting.AOPRemotingInvocationHandler.invoke(AOPRemotingInvocationHandler.java:82)
       at org.jboss.remoting.ServerInvoker.invoke(ServerInvoker.java:809)
       at org.jboss.remoting.transport.servlet.ServletServerInvoker.processRequest(ServletServerInvoker.java:232)
       at org.jboss.remoting.transport.servlet.web.ServerInvokerServlet.processRequest(ServerInvokerServlet.java:128)
       at org.jboss.remoting.transport.servlet.web.ServerInvokerServlet.doPost(ServerInvokerServlet.java:157)
       at javax.servlet.http.HttpServlet.service(HttpServlet.java:710)
       at javax.servlet.http.HttpServlet.service(HttpServlet.java:803)
       at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:290)
       at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
       at org.jboss.web.tomcat.filters.ReplyHeaderFilter.doFilter(ReplyHeaderFilter.java:96)
       at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235)
       at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
       at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:230)
       at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:175)
       at org.jboss.web.tomcat.security.SecurityAssociationValve.invoke(SecurityAssociationValve.java:182)
       at org.jboss.web.tomcat.security.JaccContextValve.invoke(JaccContextValve.java:84)
       at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:127)
       at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:102)
       at org.jboss.web.tomcat.service.jca.CachedConnectionValve.invoke(CachedConnectionValve.java:157)
       at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:109)
       at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:262)
       at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:844)
       at org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.process(Http11Protocol.java:583)
       at org.apache.tomcat.util.net.JIoEndpoint$Worker.run(JIoEndpoint.java:446)
       at java.lang.Thread.run(Thread.java:619)
      
      


      Here is the relevant code:

      Client
      import java.util.Properties;
      import javax.naming.Context;
      import javax.naming.InitialContext;

      Properties p = new Properties();
      // credentials passed as JNDI environment properties
      p.put(Context.SECURITY_PRINCIPAL, "user");
      p.put(Context.SECURITY_CREDENTIALS, "password");
      // JNDI over HTTP through the unified-invoker servlet
      p.put("java.naming.factory.initial", "org.jboss.naming.HttpNamingContextFactory");
      p.put("java.naming.provider.url", "http://localhost:8080/unified-invoker/JNDIFactory/?return-exception=true");
      p.put("java.naming.factory.url.pkgs", "org.jboss.naming:org.jnp.interfaces");
      
      InitialContext ctx = new InitialContext(p);
      // proxy bound under the HTTP remote binding declared in jboss.xml
      ACLManagerClient am = (ACLManagerClient) ctx.lookup("ACLManager/http");
      ACL acl = am.get(0);


      jboss.xml
      <session>
        <ejb-name>LDAPManager</ejb-name>
        <remote-binding>
          <jndi-name>LDAPManager/http</jndi-name>
          <client-bind-url>
            http://${jboss.bind.address}:8080/unified-invoker/Ejb3ServerInvokerServlet/?return-exception=true
          </client-bind-url>
        </remote-binding>
        <security-domain>MyDomain</security-domain>
      </session>
      <session>
      


      http-uinvoker.sar\unified-invoker.war\WEB-INF\jboss-web.xml
      <?xml version="1.0" encoding="ISO-8859-1"?>
      
      <!DOCTYPE jboss-web
       PUBLIC "-//JBoss//DTD Web Application 2.3V2//EN"
       "http://www.jboss.org/j2ee/dtd/jboss-web_3_2.dtd">
      
      <jboss-web>
       <security-domain>java:/jaas/Ryba</security-domain>
      </jboss-web>
      


      login-config.xml
      <application-policy name="MyDomain">
        <authentication>
          <login-module code="org.jboss.security.auth.spi.LdapLoginModule"
                        flag="required">
            <module-option name="java.naming.provider.url">ldap://localhost:389</module-option>
            <module-option name="rolesCtxDN">ou=People,dc=example,dc=com</module-option>
            <module-option name="matchOnUserDN">true</module-option>
            <module-option name="principalDNSuffix">,ou=People,dc=example,dc=com</module-option>
            <module-option name="principalDNPrefix">uid=</module-option>
            <module-option name="uidAttributeID">member</module-option>
            <module-option name="roleAttributeID">cn</module-option>
            <module-option name="roleAttributeIsDN">false</module-option>
          </login-module>
        </authentication>
      </application-policy>
      


      Any idea how we can get the credentials passed to the EJB container? Any help would be greatly appreciated.
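For reference, this is how a JBoss 4.2 client can associate a principal and credential with the calling thread through the client-side JAAS login (SecurityClient from jbosssx-client.jar) before invoking the bean, rather than relying on JNDI environment properties alone. This is an added illustration, not code from the thread, and it assumes the poster's ACLManagerClient and ACL interfaces, the JBoss 4.2 client jars on the classpath, and placeholder credentials.

```java
import java.util.Properties;
import javax.naming.Context;
import javax.naming.InitialContext;
import org.jboss.security.client.SecurityClient;
import org.jboss.security.client.SecurityClientFactory;

// Added example: client-side JAAS login ahead of an EJB3 call over the
// HTTP (unified-invoker) transport. ACLManagerClient and ACL are the
// poster's own interfaces; "user"/"password" are placeholders.
public class HttpEjbClient {

    public static ACL fetchAcl(String user, String password) throws Exception {
        // Associate principal and credential with this thread. Nothing is
        // authenticated here: the EJB3 client proxy copies the association
        // into the invocation metadata, and the server-side security domain
        // (MyDomain, backed by LdapLoginModule) validates it on each call.
        SecurityClient sc = SecurityClientFactory.getSecurityClient();
        sc.setSimple(user, password);
        sc.login();
        try {
            Properties p = new Properties();
            p.put(Context.INITIAL_CONTEXT_FACTORY, "org.jboss.naming.HttpNamingContextFactory");
            p.put(Context.PROVIDER_URL,
                  "http://localhost:8080/unified-invoker/JNDIFactory/?return-exception=true");
            p.put(Context.URL_PKG_PREFIXES, "org.jboss.naming:org.jnp.interfaces");

            InitialContext ctx = new InitialContext(p);
            ACLManagerClient am = (ACLManagerClient) ctx.lookup("ACLManager/http");
            return am.get(0);
        } finally {
            // Always clear the thread association so a reused thread does not
            // keep invoking as this user after the call completes.
            sc.logout();
        }
    }

    public static void main(String[] args) throws Exception {
        ACL acl = fetchAcl("user", "password");
        System.out.println("Fetched ACL: " + acl);
    }
}
```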