3 Replies Latest reply on Sep 13, 2007 8:29 AM by yet_another_kain

    Security context propagation between Seam EJB components and

    eyrignou

      I use Seam 1.2.1GA in my application, under JBoss 4.0.5GA; the presentation layer is made of Session EJBs which are Seam components, and the service and persistence layers are made of "standard" EJBs (i.e. not Seam components).

      Therefore I need a way to communicate the security context from the Seam components to the "standard" EJBs.

      I use the Seam authentication and authorization mechanisms, which work very well... But only in Seam components.

      The user gets authenticated thanks to an "authenticator" JavaBean Seam component which I wrote following the Seam Documentation (I have also put in place all the configuration indicated in the Seam Documentation http://docs.jboss.org/seam/1.2.1.GA/reference/en/html/security.html):

      public boolean authenticate() {
          boolean result = false;

          // Look up the account for the username submitted to Seam
          SylveaUser user = getSecurityDAO().getUser(Identity.instance().getUsername());

          if (user != null
                  && Encryption.getInstance().equals(user.getPassword(), Identity.instance().getPassword())) {
              // Add the role only once the password has been verified
              Identity.instance().addRole(user.getProfile().getName());
              result = true;
          }
          return result;
      }
      


      In the components.xml, I use the "pure" Seam authentication:
      <security:identity authenticate-method="#{authenticator.authenticate}"/>
      


      In my Seam EJB components, everything works fine when I use the Seam API, i.e. Identity.instance().*
      But if I try to use the JEE API, I get an exception: "java.lang.IllegalStateException: No valid security context for the caller identity"
      Here is an example of my code:
      @Stateful
      @Scope(ScopeType.CONVERSATION)
      @Name("myAction")
      public class MyActionImpl extends MyAction {

          @Resource
          private SessionContext context;

          @Factory(value="intermediaireList", scope=ScopeType.EVENT)
          public void findIntermediaires() {
              boolean loggedIn = Identity.instance().isLoggedIn(); // works fine
              Principal principal = context.getCallerPrincipal(); // IllegalArgumentException
              String name = principal.getName();
              ...
          }
      }
      


      When I try to use the JEE API in my "standard" EJBs of the service and persistence layers, I get the same IllegalArgumentException. Does anyone have an idea?

      Thanks in advance,
      Marc.

        • 1. Re: Security context propagation between Seam EJB components
          eyrignou

          I found a way to stop the exceptions, but it still doesn't work... Help would be greatly appreciated !

          In my components.xml, I reference a realm:

          <security:identity authenticate-method="#{authenticator.authenticate}" jaas-config-name="sylveaAuth"/>
          


          Which I defined in my application:
          jboss-app.xml of my ear:
          <jboss-app>
              <module-order>strict</module-order>

              <module>
                  <service>sylvea-login-service.xml</service>
              </module>

              <loader-repository>
                  com.april.sylvea:loader=sylvea
              </loader-repository>
          </jboss-app>
          


          sylvea-login-service.xml:
          <?xml version="1.0" encoding="UTF-8"?>
          <server>
              <mbean code="org.jboss.security.auth.login.DynamicLoginConfig"
                     name="sylvea:service=DynamicLoginConfig">
                  <attribute name="AuthConfig">sylvea-login-config.xml</attribute>
                  <depends optional-attribute-name="LoginConfigService">
                      jboss.security:service=XMLLoginConfig
                  </depends>
                  <depends optional-attribute-name="SecurityManagerService">
                      jboss.security:service=JaasSecurityManager
                  </depends>
              </mbean>
          </server>
          


          and sylvea-login-config.xml:
          <?xml version='1.0'?>
          <!DOCTYPE policy PUBLIC
              "-//JBoss//DTD JBOSS Security Config 3.0//EN"
              "http://www.jboss.org/j2ee/dtd/security_config.dtd">
          <policy>
              <application-policy name="sylveaAuth">
                  <authentication>
                      <!-- Add this line to your login-config.xml to include the ClientLoginModule propagation -->
                      <login-module code="org.jboss.security.ClientLoginModule" flag="required">
                          <module-option name="multi-threaded">true</module-option>
                          <module-option name="restore-login-identity">true</module-option>
                          <!-- <module-option name="password-stacking">useFirstPass</module-option>-->
                      </login-module>
                      <login-module code="org.jboss.seam.security.jaas.SeamLoginModule" flag="required" />
                  </authentication>
              </application-policy>
          </policy>
          


          I also added a jboss-web.xml in the WEB-INF of my web-app (I don't know if it is useful):
          <jboss-web>
              <security-domain>java:/jaas/sylveaAuth</security-domain>
          </jboss-web>
          


          I added a jboss.xml in the META-INF of the jar of my EJBs:
          <?xml version="1.0" encoding="UTF-8"?>

          <jboss>
              <security-domain>sylveaAuth</security-domain>
          </jboss>
          


          But the propagation still doesn't work:
          @Stateful
          @Scope(ScopeType.CONVERSATION)
          @Name("myAction")
          public class MyActionImpl extends MyAction {

              @Resource
              private SessionContext context;

              @Factory(value="intermediaireList", scope=ScopeType.EVENT)
              public void findIntermediaires() {
                  boolean loggedIn = Identity.instance().isLoggedIn(); // Seam works fine
                  Principal seamPrincipal = Identity.instance().getPrincipal(); // Seam Principal works fine
                  Principal principal = context.getCallerPrincipal(); // JEE principal contains nothing => wrong
                  String name = principal.getName(); // JEE name is null => wrong
                  ...
              }
          }
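
An added check, not part of the original thread: reply 1 names the `sylveaAuth` domain in several descriptors, in two notations (bare and `java:/jaas/`-prefixed). The Python sketch below lists each reference and tests it against the `application-policy` names; the embedded XML is trimmed from the post, and the function names are hypothetical.

```python
import xml.etree.ElementTree as ET

JAAS_PREFIX = "java:/jaas/"
SEAM_SEC_NS = "http://jboss.com/products/seam/security"

# Constructed input: descriptor fragments from the post, trimmed to the
# elements that name the security domain.
DESCRIPTORS = {
    "components.xml": (
        '<components xmlns:security="%s">'
        '<security:identity authenticate-method="#{authenticator.authenticate}"'
        ' jaas-config-name="sylveaAuth"/></components>' % SEAM_SEC_NS),
    "sylvea-login-config.xml":
        '<policy><application-policy name="sylveaAuth"/></policy>',
    "jboss-web.xml":
        "<jboss-web><security-domain>java:/jaas/sylveaAuth</security-domain></jboss-web>",
    "jboss.xml":
        "<jboss><security-domain>sylveaAuth</security-domain></jboss>",
}


def domain_references(descriptors):
    """Return (policy names, {file: raw reference}) found in the descriptors."""
    policies, refs = set(), {}
    for fname, text in descriptors.items():
        for el in ET.fromstring(text).iter():
            if el.tag == "application-policy":
                policies.add(el.get("name"))
            elif el.tag == "{%s}identity" % SEAM_SEC_NS:
                refs[fname] = el.get("jaas-config-name", "")
            elif el.tag == "security-domain":
                refs[fname] = (el.text or "").strip()
    return policies, refs


def check(descriptors):
    """Per file: the raw value, its notation, and whether a policy defines it."""
    policies, refs = domain_references(descriptors)
    report = {}
    for fname, raw in refs.items():
        jndi = raw.startswith(JAAS_PREFIX)
        bare = raw[len(JAAS_PREFIX):] if jndi else raw
        report[fname] = {"raw": raw, "jndi_form": jndi, "defined": bare in policies}
    return report


if __name__ == "__main__":
    for fname, row in sorted(check(DESCRIPTORS).items()):
        print(fname, row)
```

On the fragments from the post every reference resolves to the defined `sylveaAuth` policy; `jboss-web.xml` uses the JNDI form and `jboss.xml` the bare name.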
          


          • 2. Re: Security context propagation between Seam EJB components
            eyrignou

            I am afraid my problem is referred to as http://jira.jboss.com/jira/browse/JBSEAM-729

            Right ?

            • 3. Re: Security context propagation between Seam EJB components
              yet_another_kain

              Hi all,

              I am experiencing the same kind of problems. It seems impossible to transmit Seam security context information to the JEE security context...

              I can imagine some really ugly solutions, but I would prefer a pretty one :)