24 Replies Latest reply on Apr 17, 2009 10:54 AM by betatesteur
      • 15. Re: Seam and security context
        chawax

        Actually there was a missing ); that caused many compilation errors. I just have one left with the JAASCallbackHandler class. Where does it come from? Is it a class you wrote on your own?

        • 16. Re: Seam and security context
          skajotde

          Yes, you need your own JAASCallbackHandler. Seam 1.1 had JaasCallbackHandler. You can find one here: CustomCallbackHandler.

          • 17. Re: Seam and security context
            chawax

            Thanks. I could compile it, my app starts well and Seam authentication looks OK, but I still get the "No valid security context for the caller identity" message when calling the getCallerPrincipal method in my interceptor. Is there something special to add to my EJB jar that could explain my problem? Maybe you have an example of code where you retrieve the principal?

            • 18. Re: Seam and security context
              skajotde

              I am preparing to start my application with permissions at the EJB level, and a couple of days ago I found an example. The page is in Polish, but the examples are in English.

              • 19. Re: Seam and security context
                shane.bryzak

                Yes, while in general most app servers use JAAS, the spec doesn't go as far as to define anything much beyond the point of authentication and so each app server seems to implement security in their own distinct way.  It kind of makes things harder, but that is where Seam Security bridges the gap by providing a consistent security API that works the same way no matter which container you're deploying in.

                • 20. Re: Seam and security context
                  chawax

                  Sorry to be back with this problem, but I still haven't found how to make it work ... I tried Kamil's solution, but it didn't work. It helped me anyway to understand how all this works.


                  I think the solution for me is to create my own security policy so that the callback handler created by Seam is shared between two login modules: the Seam login module and the JBoss ClientLoginModule. From what I understood, ClientLoginModule propagates the name and the password found in the callback handler to the EJB security layer. So I think it should work. But it doesn't ...


                  I created a security policy and put it in META-INF:


                  <?xml version="1.0" encoding="UTF-8"?>
                  <!DOCTYPE policy PUBLIC
                            "-//JBoss//DTD JBOSS Security Config 3.0//EN"
                            "http://www.jboss.org/j2ee/dtd/security_config.dtd">
                  <policy>
                      <application-policy name="t4Seam">
                          <authentication>
                              <login-module code="org.jboss.seam.security.jaas.SeamLoginModule" flag="required">
                              </login-module>
                              <login-module code="org.jboss.security.ClientLoginModule" flag="required">
                                  <module-option name="restore-login-identity">true</module-option>
                                  <module-option name="multi-threaded">true</module-option>
                              </login-module>
                          </authentication>
                      </application-policy>
                  </policy>



                  I changed the components.xml file so that Seam uses this security policy:


                  <security:identity 
                           authenticate-method="#{authenticator.authenticate}"
                           jaas-config-name="t4Seam" />
                  



                  When I run my login form, it looks like it works, since it authenticates to Seam and I see the following trace for ClientLoginModule:


                  16:08:48,926 TRACE [ClientLoginModule] Security domain: t4Seam
                  16:08:48,926 TRACE [ClientLoginModule] Enabling multi-threaded mode
                  16:08:48,941 TRACE [ClientLoginModule] Enabling restore-login-identity mode
                  16:08:48,941 TRACE [ClientLoginModule] Begin login
                  16:08:48,941 TRACE [ClientLoginModule] Obtained login: olivier, credential.class: [C
                  16:08:48,941 TRACE [ClientLoginModule] End login
                  16:08:48,941 TRACE [ClientLoginModule] commit, subject=Objet :
                       Principal : olivier
                       Principal : org.jboss.seam.security.SimpleGroup@4b79e9d



                  But on the next call to an EJB from a Seam component, ClientLoginModule no longer has a principal and I get the following trace:


                  16:08:54,285 TRACE [ClientLoginModule] Security domain: t4Seam
                  16:08:54,285 TRACE [ClientLoginModule] Enabling multi-threaded mode
                  16:08:54,285 TRACE [ClientLoginModule] Enabling restore-login-identity mode
                  16:08:54,285 TRACE [ClientLoginModule] Begin login
                  16:08:54,285 TRACE [ClientLoginModule] Obtained login: null, credential.class: null
                  16:08:54,285 TRACE [ClientLoginModule] End login
                  16:08:54,285 TRACE [ClientLoginModule] commit, subject=Objet :
                       Principal : null
                       Principal : org.jboss.seam.security.SimpleGroup@4b79e9d



                  The callback handler uses the Identity component to retrieve the username and password, so I can't understand why they are null! Unless ClientLoginModule doesn't have the same callback handler? Note that I couldn't turn restore-login-identity to false (it is always enabled in the trace, whether I set it to true or false in the config file); maybe it could be part of my problem?


                  I am really desperate with this. I have been trying to find a solution for two weeks and I am still at the same point, so any help will be very welcome ;)

                  • 21. Re: Seam and security context
                    trond

                    Hi


                    I'm working on a problem pretty similar to the one you are having, Olivier, and I'm also pretty puzzled when it comes to figuring out the solution to the problem.


                    I've tried most things suggested here

                    - Creating a custom LoginModule to handle my authentication, configuring it in my login-config.xml as a new application policy, then delegating authentication to that policy from my components.xml

                    - Implementing the code posted by Kamil in my Authenticator bean


                    Both solutions seem to do a proper authentication with the ClientLoginModule, and the tests I've performed show that a SecurityContext is available, as it's supposed to be, within that request. If I navigate to other pages of the application, the Seam Identity is still present and to Seam I'm still logged in, but there is no SecurityContext available for my EJB3 beans. By tracing some of the JBoss security modules I can see the following when I log in using my JAAS application policy:



                    2008-05-15 13:19:50,274 TRACE [org.jboss.security.ClientLoginModule] commit, subject=Subject:
                         Principal: trond
                         Principal: Roles(members:TEST_ROLE)
                    2008-05-15 13:19:50,274 TRACE [org.jboss.security.SecurityAssociation] pushSubjectContext, subject=Subject:
                         Principal: trond
                         Principal: Roles(members:TEST_ROLE)
                    



                    For any calls I then make to my EJB beans immediately after a login (tested using the postAuthentication event), I observe the following:



                    2008-05-15 13:19:50,306 TRACE [org.jboss.security.SecurityAssociation] popSubjectContext, sc=org.jboss.security.SecurityAssociation$SubjectContext@72d5c0{principal=trond,subject=null}
                    



                    Then, if I navigate further and try to do another call to any of my EJB-beans, I see this:




                    2008-05-15 13:19:53,009 TRACE [org.jboss.security.SecurityAssociation] getPrincipal, principal=null
                    2008-05-15 13:19:53,009 TRACE [org.jboss.security.SecurityAssociation] pushSubjectContext, subject=null,sc=org.jboss.security.SecurityAssociation$SubjectContext@145c108{principal=null,subject=null}
                    



                    I really don't know all that much about how JAAS does things, but is JAAS supposed to keep this client login session for itself, or is this something Seam needs to do?


                    And is this the same issue that you are experiencing, Olivier? I've been working on this for a couple of days now without understanding clearly why it is behaving as it is. Any input would be appreciated.

                    • 22. Re: Seam and security context
                      chawax

                      Hi,


                      Yes, we have exactly the same issue.


                      In the JBoss wiki (http://wiki.jboss.org/wiki/ClientLoginModule) you can read this:



                      Note that this login module does not perform any authentication. It merely copies the login information provided to it into the JBoss server EJB invocation layer for subsequent authentication on the server.

                      So it looks like ClientLoginModule is what we need. And I can't see any other way than a callback handler to provide login information to the login module. I asked for help on the JBoss forum but have had no answer for the moment.

                      • 23. Re: Seam and security context
                        chawax

                        Hi Trond,


                        I still have this problem propagating security to EJB3 layer. Did you find a solution ?


                        Creating my own login module extending one from JBoss, I saw that the CallbackHandler was not the same on the first login and on further calls to EJB3 session beans. I understand that on the first login the LoginContext and CallbackHandler are created on the Identity.login call, and JAAS authentication then immediately uses this login context and this callback handler. But on further calls, it looks like JAAS uses a different login context and a different callback handler, and I can't find who, where and when this new LoginContext is created. Using a different callback handler, JAAS can't retrieve the name and password stored in Identity, which would explain why we have a null principal. Does anyone have an idea how all of this works?


                        Thanks in advance,


                        Olivier

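As an added example (not code from any post in this thread), this is the shape of the callback handler that posts 16, 20 and 23 are talking about, together with a per-request JAAS login that runs a JBoss policy such as the t4Seam policy from post 20 around a single EJB call. It assumes the Seam 2.1 API, where Identity exposes the username and password through getCredentials(); the class name and the policy name passed in are placeholders.

```java
import java.io.IOException;
import java.util.concurrent.Callable;

import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.NameCallback;
import javax.security.auth.callback.PasswordCallback;
import javax.security.auth.callback.UnsupportedCallbackException;
import javax.security.auth.login.LoginContext;
import javax.security.auth.login.LoginException;

import org.jboss.seam.security.Credentials;
import org.jboss.seam.security.Identity;

/**
 * Added example, not code from the thread. Answers JAAS callbacks from the
 * session-scoped Seam Identity, so every LoginContext that is given this
 * handler sees the same name/password, whichever code created it.
 */
public class IdentityCallbackHandler implements CallbackHandler {

    public void handle(Callback[] callbacks) throws IOException, UnsupportedCallbackException {
        // Assumption: Seam 2.1, where Identity.getCredentials() holds the
        // username and password (Seam 2.0 had them directly on Identity).
        Credentials credentials = Identity.instance().getCredentials();
        for (Callback callback : callbacks) {
            if (callback instanceof NameCallback) {
                ((NameCallback) callback).setName(credentials.getUsername());
            } else if (callback instanceof PasswordCallback) {
                String password = credentials.getPassword();
                // A null password here is what shows up as
                // "Obtained login: null" in the ClientLoginModule trace:
                // check whether Seam has already cleared it after login.
                ((PasswordCallback) callback).setPassword(
                        password == null ? null : password.toCharArray());
            } else {
                throw new UnsupportedCallbackException(callback, "Unsupported callback");
            }
        }
    }

    /**
     * Runs the named JAAS policy on the current thread around one EJB call.
     * With ClientLoginModule in the policy, login() copies the name and
     * password into SecurityAssociation (a thread-local in multi-threaded
     * mode) without authenticating them; the security domain of the EJB
     * deployment does that on the server side. logout() is in a finally
     * block so the pooled worker thread never keeps this user's principal
     * after the call, even when the EJB throws.
     */
    public static <T> T callWithPropagatedIdentity(String policyName, Callable<T> ejbCall)
            throws Exception {
        LoginContext ctx = new LoginContext(policyName, new IdentityCallbackHandler());
        ctx.login();
        try {
            return ejbCall.call();
        } finally {
            ctx.logout();
        }
    }
}
```

Two things to check before relying on this. First, ClientLoginModule performs no authentication (see the wiki quote in post 22), so the replayed password is checked by the EJB security domain on every call; that only works if the password is still available in the session at call time. Second, running the full t4Seam policy per call would also re-run SeamLoginModule, and with it the authenticate-method, on every EJB call; a second policy that contains only ClientLoginModule (a hypothetical "t4SeamClient") is the cheaper choice for per-call propagation. The RunAsIdentity approach in post 24 avoids keeping the password around at all, at the price of the EJB container trusting whatever roles the web tier pushes.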
                        • 24. Re: Seam and security context
                          betatesteur

                          Maybe a partial solution, but it works fine for me with JBoss 4.2.3 and Seam 2.1.1.GA.


                          Create a Seam filter to set the default identity:



                          import java.io.IOException;
                          import java.security.Principal;
                          import java.security.acl.Group;
                          import java.util.Enumeration;
                          import java.util.HashSet;
                          import java.util.Set;

                          import javax.security.auth.Subject;
                          import javax.servlet.FilterChain;
                          import javax.servlet.ServletException;
                          import javax.servlet.ServletRequest;
                          import javax.servlet.ServletResponse;
                          import javax.servlet.http.HttpServletRequest;

                          import org.jboss.seam.ScopeType;
                          import org.jboss.seam.Seam;
                          import org.jboss.seam.annotations.Install;
                          import org.jboss.seam.annotations.Name;
                          import org.jboss.seam.annotations.Scope;
                          import org.jboss.seam.annotations.intercept.BypassInterceptors;
                          import org.jboss.seam.annotations.web.Filter;
                          import org.jboss.seam.security.Identity;
                          import org.jboss.seam.web.AbstractFilter;
                          import org.jboss.security.RunAsIdentity;
                          import org.jboss.security.SecurityAssociation;
                          import org.jboss.security.SimplePrincipal;

                          @Scope(ScopeType.APPLICATION)
                          @Name("XXX.EjbIdentityFilter")
                          @Install(precedence = Install.BUILT_IN, dependencies = "org.jboss.seam.security.identity")
                          @BypassInterceptors
                          @Filter(within = {"org.jboss.seam.web.authenticationFilter"})
                          public class EjbIdentityFilter extends AbstractFilter {

                              public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain)
                                      throws IOException, ServletException {
                                  if (!(request instanceof HttpServletRequest)) {
                                      throw new ServletException("This filter can only process HttpServletRequest requests");
                                  }

                                  HttpServletRequest httpRequest = (HttpServletRequest) request;
                                  // Interceptors are bypassed here, so look the session-scoped Identity up directly.
                                  Identity identity = (Identity) httpRequest.getSession().
                                          getAttribute(Seam.getComponentName(Identity.class));

                                  if (Identity.isSecurityEnabled() && identity != null) {

                                      RunAsIdentity jbossRunAsIdentity;
                                      Principal principal;
                                      Principal currentPrincipal = SecurityAssociation.getPrincipal();

                                      if (identity.isLoggedIn()) {

                                          Subject subject = identity.getSubject();
                                          Set<Group> groups = subject.getPrincipals(Group.class);
                                          if (groups.isEmpty()) {
                                              throw new ServletException("Logged-in Subject carries no role group");
                                          }
                                          Group group = groups.iterator().next();

                                          if (!"Roles".equals(group.getName())) {
                                              throw new IllegalArgumentException("Expected the Roles group, got " + group.getName());
                                          }

                                          // RunAsIdentity takes one main role plus a set of extra roles,
                                          // so the first role found in the Seam Subject becomes the main one.
                                          boolean first = true;
                                          String mainGroup = null;
                                          Set<String> others = new HashSet<String>();
                                          Enumeration<? extends Principal> roles = group.members();

                                          while (roles.hasMoreElements()) {
                                              Principal role = roles.nextElement();
                                              if (first) {
                                                  mainGroup = role.getName();
                                                  first = false;
                                              } else {
                                                  others.add(role.getName());
                                              }
                                          }

                                          principal = identity.getPrincipal();
                                          jbossRunAsIdentity = new RunAsIdentity(mainGroup, principal.getName(), others);
                                      } else {
                                          principal = new SimplePrincipal("anonymous");
                                          jbossRunAsIdentity = new RunAsIdentity("anonymous", "anonymous");
                                      }

                                      // The run-as identity is thread-local state that the EJB container trusts
                                      // without re-authenticating, so it must be pushed and popped symmetrically,
                                      // including when the chain throws; otherwise the pooled worker thread
                                      // carries this user's roles into the next request it serves.
                                      SecurityAssociation.pushRunAsIdentity(jbossRunAsIdentity);
                                      SecurityAssociation.setPrincipal(principal);
                                      try {
                                          chain.doFilter(request, response);
                                      } finally {
                                          SecurityAssociation.setPrincipal(currentPrincipal);
                                          SecurityAssociation.popRunAsIdentity();
                                      }

                                  } else {
                                      chain.doFilter(request, response);
                                  }
                              }
                          }
                          




                          If you want to be redirected to the login page, you must add


                          @Name("ejbAccessExceptionObserver")   // component name is arbitrary; any Seam component can host the observer
                          public class EjbAccessExceptionObserver {

                              @Observer("org.jboss.seam.exceptionHandled")
                              public void exceptionHandled(Exception e) {
                                  // re-raise Seam's not-logged-in event so the pages.xml rule below can redirect to the login page
                                  if ((e instanceof javax.ejb.EJBAccessException) && Events.exists()) {
                                      Events.instance().raiseEvent(Identity.EVENT_NOT_LOGGED_IN);
                                  }
                              }
                          }




                          and in pages.xml


                             <exception class="javax.ejb.EJBAccessException">
                                  <redirect view-id="XXX/login.xhtml">
                                      <message> A message</message>
                                  </redirect>
                              </exception>
                          



