JAAS authentication with EJB over HTTP
robertxlongo Jan 6, 2009 4:35 PM

Hi,
We are using JBoss AS 4.2.3.GA and are attempting to access our Stateless Session Beans via HTTP using the instructions found here: http://www.jboss.org/community/docs/DOC-9632.
We use LDAP authentication to secure access to our SSBs. This seems to work well when we are using plain old RMI; however, when we use HTTP an EJBAccessException is thrown:
    2009-01-06 14:54:20,882 DEBUG [org.jboss.remoting.transport.servlet.ServletServerInvoker] Error thrown calling invoke on server invoker.
    javax.ejb.EJBAccessException: Authentication failure
        at org.jboss.ejb3.security.Ejb3AuthenticationInterceptor.handleGeneralSecurityException(Ejb3AuthenticationInterceptor.java:68)
        at org.jboss.aspects.security.AuthenticationInterceptor.invoke(AuthenticationInterceptor.java:70)
        at org.jboss.ejb3.security.Ejb3AuthenticationInterceptor.invoke(Ejb3AuthenticationInterceptor.java:110)
        at org.jboss.aop.joinpoint.MethodInvocation.invokeNext(MethodInvocation.java:101)
        at org.jboss.ejb3.ENCPropagationInterceptor.invoke(ENCPropagationInterceptor.java:46)
        at org.jboss.aop.joinpoint.MethodInvocation.invokeNext(MethodInvocation.java:101)
        at org.jboss.ejb3.asynchronous.AsynchronousInterceptor.invoke(AsynchronousInterceptor.java:106)
        at org.jboss.aop.joinpoint.MethodInvocation.invokeNext(MethodInvocation.java:101)
        at org.jboss.ejb3.stateless.StatelessContainer.dynamicInvoke(StatelessContainer.java:304)
        at org.jboss.aop.Dispatcher.invoke(Dispatcher.java:106)
        at org.jboss.aspects.remoting.AOPRemotingInvocationHandler.invoke(AOPRemotingInvocationHandler.java:82)
        at org.jboss.remoting.ServerInvoker.invoke(ServerInvoker.java:809)
        at org.jboss.remoting.transport.servlet.ServletServerInvoker.processRequest(ServletServerInvoker.java:232)
        at org.jboss.remoting.transport.servlet.web.ServerInvokerServlet.processRequest(ServerInvokerServlet.java:128)
        at org.jboss.remoting.transport.servlet.web.ServerInvokerServlet.doPost(ServerInvokerServlet.java:157)
        at javax.servlet.http.HttpServlet.service(HttpServlet.java:710)
        at javax.servlet.http.HttpServlet.service(HttpServlet.java:803)
        at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:290)
        at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
        at org.jboss.web.tomcat.filters.ReplyHeaderFilter.doFilter(ReplyHeaderFilter.java:96)
        at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235)
        at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
        at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:230)
        at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:175)
        at org.jboss.web.tomcat.security.SecurityAssociationValve.invoke(SecurityAssociationValve.java:182)
        at org.jboss.web.tomcat.security.JaccContextValve.invoke(JaccContextValve.java:84)
        at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:127)
        at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:102)
        at org.jboss.web.tomcat.service.jca.CachedConnectionValve.invoke(CachedConnectionValve.java:157)
        at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:109)
        at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:262)
        at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:844)
        at org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.process(Http11Protocol.java:583)
        at org.apache.tomcat.util.net.JIoEndpoint$Worker.run(JIoEndpoint.java:446)
        at java.lang.Thread.run(Thread.java:619)
Here is the relevant code:
Client
    import java.util.Properties;
    import javax.naming.Context;
    import javax.naming.InitialContext;

    // JNDI environment for the HTTP naming provider; the credentials are
    // passed as JNDI properties in the hope that they reach the EJB container.
    Properties p = new Properties();
    p.put(Context.SECURITY_PRINCIPAL, "user");
    p.put(Context.SECURITY_CREDENTIALS, "password");
    p.put("java.naming.factory.initial", "org.jboss.naming.HttpNamingContextFactory");
    p.put("java.naming.provider.url", "http://localhost:8080/unified-invoker/JNDIFactory/?return-exception=true");
    p.put("java.naming.factory.url.pkgs", "org.jboss.naming:org.jnp.interfaces");

    InitialContext ctx = new InitialContext(p);
    // Look up the HTTP binding of the bean and call it
    ACLManagerClient am = (ACLManagerClient) ctx.lookup("ACLManager/http");
    ACL acl = am.get(0);
jboss.xml
    <session>
        <ejb-name>LDAPManager</ejb-name>
        <remote-binding>
            <jndi-name>LDAPManager/http</jndi-name>
            <client-bind-url>
                http://${jboss.bind.address}:8080/unified-invoker/Ejb3ServerInvokerServlet/?return-exception=true
            </client-bind-url>
        </remote-binding>
        <security-domain>MyDomain</security-domain>
    </session>
    <session>
http-uinvoker.sar\unified-invoker.war\WEB-INF\jboss-web.xml
    <?xml version="1.0" encoding="ISO-8859-1"?>
    <!DOCTYPE jboss-web PUBLIC "-//JBoss//DTD Web Application 2.3V2//EN" "http://www.jboss.org/j2ee/dtd/jboss-web_3_2.dtd">
    <jboss-web>
        <security-domain>java:/jaas/Ryba</security-domain>
    </jboss-web>
login-config.xml
    <application-policy name="MyDomain">
        <authentication>
            <login-module code="org.jboss.security.auth.spi.LdapLoginModule" flag="required">
                <module-option name="java.naming.provider.url">ldap://localhost:389</module-option>
                <module-option name="rolesCtxDN">ou=People,dc=example,dc=com</module-option>
                <module-option name="matchOnUserDN">true</module-option>
                <module-option name="principalDNSuffix">,ou=People,dc=example,dc=com</module-option>
                <module-option name="principalDNPrefix">uid=</module-option>
                <module-option name="uidAttributeID">member</module-option>
                <module-option name="roleAttributeID">cn</module-option>
                <module-option name="roleAttributeIsDN">false</module-option>
            </login-module>
        </authentication>
    </application-policy>
Any idea how we can get the credentials passed to the EJB container? Any help would be greatly appreciated.
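One way to attach a client-side JAAS identity to the remote calls instead of relying on the JNDI properties alone, as an added example that is not part of the original post or of JBoss itself: it assumes a client `auth.conf` (selected with `-Djava.security.auth.login.config`) whose `other` entry lists `org.jboss.security.ClientLoginModule`, and it reuses the poster's own `ACLManagerClient`/`ACL` types and URLs.

```java
import java.util.Properties;
import javax.naming.Context;
import javax.naming.InitialContext;
import javax.security.auth.login.LoginContext;
import org.jboss.security.auth.callback.UsernamePasswordHandler;

public class HttpEjbClient {
    // Assumption: the client's auth.conf contains
    //   other { org.jboss.security.ClientLoginModule required; };
    // ClientLoginModule records the principal and credential in the client-side
    // SecurityAssociation, which the EJB3 client interceptors copy into each
    // invocation regardless of the transport (socket or HTTP).
    public static ACL fetchAcl(String user, char[] password) throws Exception {
        LoginContext lc = new LoginContext("other", new UsernamePasswordHandler(user, password));
        lc.login();
        try {
            Properties p = new Properties();
            p.put(Context.INITIAL_CONTEXT_FACTORY, "org.jboss.naming.HttpNamingContextFactory");
            p.put(Context.PROVIDER_URL,
                  "http://localhost:8080/unified-invoker/JNDIFactory/?return-exception=true");
            p.put(Context.URL_PKG_PREFIXES, "org.jboss.naming:org.jnp.interfaces");

            InitialContext ctx = new InitialContext(p);
            try {
                // Same HTTP binding as in the original client code
                ACLManagerClient am = (ACLManagerClient) ctx.lookup("ACLManager/http");
                return am.get(0);
            } finally {
                ctx.close();
            }
        } finally {
            // Clear the thread-bound identity so it cannot leak into later calls
            // made on the same thread under a different user.
            lc.logout();
        }
    }
}
```

Because the HTTP transport goes through the Tomcat valves shown in the stack trace, the `security-domain` in the war's `jboss-web.xml` only matters when the war also declares a security constraint; otherwise the EJB container still sees only what the invocation carries.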