1. Re: JAAS: using sessionbean's home interface method
wolfgangknauf Oct 26, 2009 12:24 PM (in response to chopper)
Hi,
first of all: are there security declarations on the EJBs on JBoss A? If yes: post them please.
Did you declare a Security Domain, and did you modify "login-config.xml" (or for JBoss 5.0: a "-jboss-beans.xml" file)?
Best regards
Wolfgang -
2. Re: JAAS: using sessionbean's home interface method
chopper Oct 27, 2009 6:50 AM (in response to chopper)
This is the login-config.xml of JBOSS A:
<?xml version='1.0'?>
<!DOCTYPE policy PUBLIC "-//JBoss//DTD JBOSS Security Config 3.0//EN" "http://www.jboss.org/j2ee/dtd/security_config.dtd">
<policy>
  <!-- Used by clients within the application server VM such as mbeans and servlets that access EJBs. -->
  <application-policy name = "client-login">
    <authentication>
      <login-module code = "org.jboss.security.ClientLoginModule" flag = "required">
      </login-module>
    </authentication>
  </application-policy>

  <!-- Security domain for JBoss Messaging -->
  <application-policy name = "messaging">
    <authentication>
      <login-module code = "org.jboss.security.auth.spi.DatabaseServerLoginModule" flag = "required">
        <module-option name = "unauthenticatedIdentity">guest</module-option>
        <module-option name = "dsJndiName">java:/PY_DS</module-option>
        <module-option name = "principalsQuery">SELECT PASSWD FROM JBM_USER WHERE USER_ID=?</module-option>
        <module-option name = "rolesQuery">SELECT ROLE_ID, 'Roles' FROM JBM_ROLE WHERE USER_ID=?</module-option>
      </login-module>
    </authentication>
  </application-policy>

  <application-policy name = "ProtectivityRealm">
    <authentication>
      <login-module code = "org.jboss.security.auth.spi.DatabaseServerLoginModule" flag = "required">
        <module-option name="dsJndiName">java:/PY_DS</module-option>
        <module-option name="principalsQuery">SELECT password FROM HumanResourceBean WHERE username = ? AND (status = 'ENABLED' OR status = 'SUPEROWNER')</module-option>
        <module-option name="rolesQuery">SELECT status AS Roles, 'Roles' AS RoleGroup FROM HumanResourceBean WHERE username = ? AND (status = 'ENABLED' OR status = 'SUPEROWNER')</module-option>
        <module-option name="unauthenticatedIdentity">ANONYMOUS</module-option>
        <module-option name="hashAlgorithm">SHA</module-option>
      </login-module>
    </authentication>
  </application-policy>
</policy>
jboss.xml in the project on JBOSS A contains this element:
<security-domain>java:/jaas/ProtectivityRealm</security-domain>
<enterprise-beans>
  <session>
    <ejb-name>ScopeServiceBean</ejb-name>
    .........
and ejb-jar.xml something like:
<assembly-descriptor>
  <!-- layer 1 security constraints -->
  <!-- ################################################## -->
  <security-role>
    <description>normal users with a valid license</description>
    <role-name>ENABLED</role-name>
  </security-role>
  <security-role>
    <description>the SUPEROWNER can do everything</description>
    <role-name>SUPEROWNER</role-name>
  </security-role>
  <security-role>
    <description>the INITIALIZER initializes the system</description>
    <role-name>INITIALIZER</role-name>
  </security-role>
  <security-role>
    <description>INDEXER message driven bean</description>
    <role-name>INDEXER</role-name>
  </security-role>

  <method-permission>
    <description>just the superowner can perform the following</description>
    <role-name>SUPEROWNER</role-name>
    <method><ejb-name>ResourceServiceBean</ejb-name><method-name>createResource</method-name> <!-- void createDefinition(AbstractTemplateDTO template) --></method>
    <method><ejb-name>ResourceServiceBean</ejb-name><method-name>removeResource</method-name> <!-- void removeResource(ResourceDTO data) --></method>
    <method><ejb-name>ScopeDefinitionServiceBean</ejb-name><method-name>createDefinition</method-name> <!-- void createDefinition(AbstractTemplateDTO template) --></method>
    <method><ejb-name>DataSourceServiceBean</ejb-name><method-name>deleteDS</method-name></method>
    <method><ejb-name>DataSourceServiceBean</ejb-name><method-name>updateDS</method-name></method>
    <method><ejb-name>DataSourceServiceBean</ejb-name><method-name>createDS</method-name></method>
  </method-permission>

  <method-permission>
    <unchecked/>
    <method><ejb-name>InitializerBean</ejb-name><method-name>*</method-name></method>
  </method-permission>

  <!-- ################################################## -->
  <method-permission>
    <description>just the INITIALIZER can perform the following</description>
    <role-name>INITIALIZER</role-name>
    <method><ejb-name>ScopeDefinitionBean</ejb-name><method-name>createRoot</method-name></method>
    <method><ejb-name>ScopeBean</ejb-name><method-name>createRoot</method-name></method>
    <method><ejb-name>ResourceServiceBean</ejb-name><method-name>createSuperowner</method-name></method>
    <method><ejb-name>ResourceServiceBean</ejb-name><method-name>doesResourceExist</method-name></method>
    <method><ejb-name>LicenseServiceBean</ejb-name><method-name>setUserLicense</method-name></method>
    <method><ejb-name>LicenseServiceBean</ejb-name><method-name>unsetUserLicense</method-name></method>
    <method><ejb-name>LicenseServiceBean</ejb-name><method-name>addLicense</method-name></method>
    <method><ejb-name>ScopeDefinitionServiceBean</ejb-name><method-name>createDefinition</method-name> <!-- void createDefinition(AbstractTemplateDTO template) --></method>
  </method-permission>

  <!-- ################################################## -->
  <method-permission>
    <description>all authenticated users can perform the following</description>
    <role-name>ENABLED</role-name>
    <role-name>SUPEROWNER</role-name>
    <role-name>INITIALIZER</role-name>
    <role-name>INDEXER</role-name>
    <method><ejb-name>LicenseBean</ejb-name><method-name>*</method-name></method>
    <method><ejb-name>AssetAssociationBean</ejb-name><method-name>*</method-name></method>
    <method><ejb-name>AssetRetrievalServiceBean</ejb-name><method-name>*</method-name></method>
    <method><ejb-name>AttachmentServiceBean</ejb-name><method-name>*</method-name></method>
    <method><ejb-name>AssetServiceBean</ejb-name><method-name>*</method-name></method>
    <method><ejb-name>AssetTransferServiceBean</ejb-name><method-name>*</method-name></method>
    <method><ejb-name>AssetBean</ejb-name><method-name>*</method-name></method>
    <method><ejb-name>ScopeDefinitionServiceBean</ejb-name><method-name>getDefinition</method-name></method>
    <method><ejb-name>ScopeDefinitionServiceBean</ejb-name><method-name>getDefinitionName</method-name></method>
    <method><ejb-name>ScopeDefinitionServiceBean</ejb-name><method-name>create</method-name></method>
    <method><ejb-name>ScopeDefinitionServiceBean</ejb-name><method-name>getInstanziableChildren</method-name></method>
    <method><ejb-name>ScopeDefinitionServiceBean</ejb-name><method-name>getCardinalities</method-name></method>
    <method><ejb-name>ScopeDefinitionServiceBean</ejb-name><method-name>getAllDefinitions</method-name></method>
    <method><ejb-name>ScopeDefinitionServiceBean</ejb-name><method-name>getAllProjectsDefinitions</method-name></method>
    <method><ejb-name>CustomerServiceBean</ejb-name><method-name>*</method-name></method>
    <method><ejb-name>ResourceServiceBean</ejb-name><method-name>getResources</method-name></method>
    <method><ejb-name>ResourceServiceBean</ejb-name><method-name>getResource</method-name></method>
    <method><ejb-name>ResourceServiceBean</ejb-name><method-name>getRole</method-name></method>
    <method><ejb-name>ResourceServiceBean</ejb-name><method-name>create</method-name></method>
    <method><ejb-name>ResourceServiceBean</ejb-name><method-name>updateResource</method-name></method>
    <method><ejb-name>ResourceServiceBean</ejb-name><method-name>assignResource</method-name></method>
    <method><ejb-name>ResourceServiceBean</ejb-name><method-name>unassignResource</method-name></method>
    <method><ejb-name>ResourceServiceBean</ejb-name><method-name>getUserScopes</method-name></method>
    <method><ejb-name>ResourceServiceBean</ejb-name><method-name>getOwnedRootAssets</method-name></method>
    <method><ejb-name>ResourceServiceBean</ejb-name><method-name>getResourceProjects</method-name></method>
    <method><ejb-name>ResourceServiceBean</ejb-name><method-name>getResourceProjectsCount</method-name></method>
    <method><ejb-name>ResourceServiceBean</ejb-name><method-name>getResourceActivities</method-name></method>
    <method><ejb-name>ResourceServiceBean</ejb-name><method-name>getResourceActivitiesCount</method-name></method>
    <method><ejb-name>ResourceServiceBean</ejb-name><method-name>getResourceBusinessUnits</method-name></method>
    <method><ejb-name>ResourceServiceBean</ejb-name><method-name>getResourceBusinessUnitsCount</method-name></method>
    <method><ejb-name>ResourceServiceBean</ejb-name><method-name>getExplicitallyAssignedResources</method-name></method>
    <method><ejb-name>ResourceServiceBean</ejb-name><method-name>getAllResourcesSortedList</method-name></method>
    <method><ejb-name>ResourceServiceBean</ejb-name><method-name>getExplicitallyAssignedResourcesSortedList</method-name></method>
    <method><ejb-name>ResourceServiceBean</ejb-name><method-name>getExplicitallyAssignedResourcesSortedListCount</method-name></method>
    <method><ejb-name>ResourceServiceBean</ejb-name><method-name>getAllResourcesSortedListCount</method-name></method>
    <method><ejb-name>ResourceServiceBean</ejb-name><method-name>getResourcesWorkLoads</method-name></method>
    <method><ejb-name>ResourceServiceBean</ejb-name><method-name>setResourcesWorkLoads</method-name></method>
    <method><ejb-name>ResourceServiceBean</ejb-name><method-name>getResourcesTotalLoad</method-name></method>
    <method><ejb-name>ResourceServiceBean</ejb-name><method-name>getResourceTotalWorkLoad</method-name></method>
    <method><ejb-name>ResourceServiceBean</ejb-name><method-name>getAssignableResources</method-name></method>
    <method><ejb-name>ResourceServiceBean</ejb-name><method-name>setResourcesWorkRoles</method-name></method>
    <method><ejb-name>ResourceServiceBean</ejb-name><method-name>getResourcesWorkRoles</method-name></method>
    <method><ejb-name>ResourceServiceBean</ejb-name><method-name>setResourcesActiveWorkRoles</method-name></method>
    <method><ejb-name>ResourceServiceBean</ejb-name><method-name>getResourceWorkRoleNamesInScopes</method-name></method>
    <method><ejb-name>WatchServiceBean</ejb-name><method-name>*</method-name></method>
    <method><ejb-name>ScopeBean</ejb-name><method-name>*</method-name></method>
    <method><ejb-name>WorkRoleServiceBean</ejb-name><method-name>*</method-name></method>
    <method><ejb-name>AttachmentGroupBean</ejb-name><method-name>*</method-name></method>
    <method><ejb-name>AttachmentBean</ejb-name><method-name>*</method-name></method>
    <method><ejb-name>NoteAttachmentBean</ejb-name><method-name>*</method-name></method>
    <method><ejb-name>MetaDataAttachmentBean</ejb-name><method-name>*</method-name></method>
    <method><ejb-name>SerialCodeValueBean</ejb-name> ................................
What should I configure on JBOSS B?
TIA;) -
3. Re: JAAS: using sessionbean's home interface method
wolfgangknauf Oct 27, 2009 7:27 AM (in response to chopper)
Hi,
I think your beans on server B have to log in to server A before they can call methods of secured beans.
You might take a look at the Security FAQ at http://www.jboss.org/community/wiki/SecurityFAQ question 10 to see how a java application client can log in to a server. I hope that a similar approach works for ejb layer communication.
Best regards
Wolfgang -
4. Re: JAAS: using sessionbean's home interface method
chopper Oct 27, 2009 7:34 AM (in response to chopper)
Thank you Wolfgang. I will try and let you know the result.
Best regards,
dahagrachops. -
5. Re: JAAS: using sessionbean's home interface method
chopper Oct 28, 2009 9:01 AM (in response to chopper)
Hi Wolfgang,
I tried, following strictly this guide:
http://jaikiran.wordpress.com/2006/07/04/accessing-a-secure-ejb-through-a-standalone-java-client/
I get this exception:
[UsersRolesLoginModule] Failed to load users/passwords/role files
java.io.IOException: No properties file: users.properties or defaults: defaultUsers.properties found
    at org.jboss.security.auth.spi.Util.loadProperties(Util.java:198)
    at org.jboss.security.auth.spi.UsersRolesLoginModule.loadUsers(UsersRolesLoginModule.java:186)
    at org.jboss.security.auth.spi.UsersRolesLoginModule.createUsers(UsersRolesLoginModule.java:200)
    at org.jboss.security.auth.spi.UsersRolesLoginModule.initialize(UsersRolesLoginModule.java:127)
    at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
The file called login-config.xml on JBOSS B is:
<?xml version='1.0'?>
<!-- The XML based JAAS login configuration read by the
org.jboss.security.auth.login.XMLLoginConfig mbean. Add an application-policy
element for each security domain. The outline of the application-policy is:

<application-policy name="security-domain-name">
  <authentication>
    <login-module code="login.module1.class.name" flag="control_flag">
      <module-option name = "option1-name">option1-value</module-option>
      <module-option name = "option2-name">option2-value</module-option>
      ...
    </login-module>
    <login-module code="login.module2.class.name" flag="control_flag">
      ...
    </login-module>
    ...
  </authentication>
</application-policy>

$Id: login-config.xml 76444 2008-07-29 23:50:53Z sguilhen@redhat.com $
$Revision: 76444 $
-->
<policy>
  <!-- Used by clients within the application server VM such as mbeans and servlets that access EJBs. -->
  <application-policy name="client-login">
    <authentication>
      <login-module code="org.jboss.security.ClientLoginModule" flag="required">
        <!-- Any existing security context will be restored on logout -->
        <module-option name="restore-login-identity">true</module-option>
      </login-module>
    </authentication>
  </application-policy>

  <!-- Security domains for testing new jca framework -->
  <application-policy name="HsqlDbRealm">
    <authentication>
      <login-module code="org.jboss.resource.security.ConfiguredIdentityLoginModule" flag="required">
        <module-option name="principal">sa</module-option>
        <module-option name="userName">sa</module-option>
        <module-option name="password"></module-option>
        <module-option name="managedConnectionFactoryName">jboss.jca:service=LocalTxCM,name=DefaultDS</module-option>
      </login-module>
    </authentication>
  </application-policy>

  <application-policy name="JmsXARealm">
    <authentication>
      <login-module code="org.jboss.resource.security.ConfiguredIdentityLoginModule" flag="required">
        <module-option name="principal">guest</module-option>
        <module-option name="userName">guest</module-option>
        <module-option name="password">guest</module-option>
        <module-option name="managedConnectionFactoryName">jboss.jca:service=TxCM,name=JmsXA</module-option>
      </login-module>
    </authentication>
  </application-policy>

  <!-- A template configuration for the jmx-console web application. This
    defaults to the UsersRolesLoginModule the same as other and should be
    changed to a stronger authentication mechanism as required. -->
  <application-policy name="jmx-console">
    <authentication>
      <login-module code="org.jboss.security.auth.spi.UsersRolesLoginModule" flag="required">
        <module-option name="usersProperties">props/jmx-console-users.properties</module-option>
        <module-option name="rolesProperties">props/jmx-console-roles.properties</module-option>
      </login-module>
    </authentication>
  </application-policy>

  <!-- A template configuration for the web-console web application. This
    defaults to the UsersRolesLoginModule the same as other and should be
    changed to a stronger authentication mechanism as required. -->
  <application-policy name="web-console">
    <authentication>
      <login-module code="org.jboss.security.auth.spi.UsersRolesLoginModule" flag="required">
        <module-option name="usersProperties">web-console-users.properties</module-option>
        <module-option name="rolesProperties">web-console-roles.properties</module-option>
      </login-module>
    </authentication>
  </application-policy>

  <!-- A template configuration for the JBossWS security domain. This
    defaults to the UsersRolesLoginModule the same as other and should be
    changed to a stronger authentication mechanism as required. -->
  <application-policy name="JBossWS">
    <authentication>
      <login-module code="org.jboss.security.auth.spi.UsersRolesLoginModule" flag="required">
        <module-option name="usersProperties">props/jbossws-users.properties</module-option>
        <module-option name="rolesProperties">props/jbossws-roles.properties</module-option>
        <module-option name="unauthenticatedIdentity">anonymous</module-option>
      </login-module>
    </authentication>
  </application-policy>

  <!-- The default login configuration used by any security domain that
    does not have a application-policy entry with a matching name -->
  <application-policy name="other">
    <!-- A simple server login module, which can be used when the number
      of users is relatively small. It uses two properties files:
      users.properties, which holds users (key) and their password (value).
      roles.properties, which holds users (key) and a comma-separated list of
      their roles (value).
      The unauthenticatedIdentity property defines the name of the principal
      that will be used when a null username and password are presented as is
      the case for an unauthenticated web client or MDB. If you want to
      allow such users to be authenticated add the property, e.g.,
      unauthenticatedIdentity="nobody" -->
    <authentication>
      <login-module code="org.jboss.security.auth.spi.UsersRolesLoginModule" flag="required"/>
    </authentication>
  </application-policy>
</policy>
Maybe something's wrong in a configuration file?
TIA -
6. Re: JAAS: using sessionbean's home interface method
wolfgangknauf Oct 29, 2009 8:42 AM (in response to chopper)
Hi,
how does your bean on server B log in to server A? Please post the code snippet.
You don't need to modify "login-config.xml" on server B, if there is no secured EJB on it.
Best regards
Wolfgang -
7. Re: JAAS: using sessionbean's home interface method
chopper Oct 29, 2009 11:18 AM (in response to chopper)
On server A I have a secured bean and a topic.
On server B I have an MDB that reads messages from the JMS topic deployed in A.
I use workflows and jBPM to invoke a client that needs to use the secure bean's methods in A.
This is what I've done:
String username = "admin";
String password = "adminadmin";
Object ass = null;
Object dts = null;
Hashtable environment = new Hashtable();
environment.put(Context.INITIAL_CONTEXT_FACTORY, "org.jnp.interfaces.NamingContextFactory");
environment.put(Context.URL_PKG_PREFIXES, "org.jboss.naming:org.jnp.interfaces");
environment.put(Context.PROVIDER_URL, "jnp://127.0.0.1"); // remote machine IP
InitialContext context;
try {
    context = new InitialContext(environment);
    ass = context.lookup("ejb/Projectivity/AssetService"); // ejb-name
    dts = context.lookup("ejb/Projectivity/DataSourceService"); // ejb-name
    System.out.println("-->> lookup object successfully");
} catch (NamingException ex) {
    Logger.getLogger(InterFaxClient.class.getName()).log(Level.SEVERE, null, ex);
}

final String authFile = "auth.conf";
System.setProperty("java.security.auth.login.config", authFile);
MyCallbackHandler handler = new MyCallbackHandler(username, password);
LoginContext lc = null;
try {
    lc = new LoginContext("myclient", handler);
    lc.login();
} catch (LoginException ex) {
    Logger.getLogger(InterFaxClient.class.getName()).log(Level.SEVERE, null, ex);
    System.out.println("JAAS Login failed");
}

AssetServiceRemoteHome assetSrvHome = (AssetServiceRemoteHome) PortableRemoteObject.narrow(ass, AssetServiceRemoteHome.class);
DataSourceServiceRemoteHome dsSrvHome = (DataSourceServiceRemoteHome) PortableRemoteObject.narrow(dts, DataSourceServiceRemoteHome.class);
DataSourceServiceRemote dsSrv = null;
DataSourceDTO dsDTO = null;
AssetServiceRemote arSrv = null;
AssetDTO assetDTO = null;
try {
    dsSrv = dsSrvHome.create();
    dsDTO = dsSrv.getInternalDataSource();
    arSrv = assetSrvHome.create(dsDTO);
    assetDTO = arSrv.getAssetDTO(_msg.getiPath());
} catch (CreateException cex) {
    Logger.getLogger(InterFaxClient.class.getName()).log(Level.SEVERE, null, cex);
} catch (RemoteException rex) {
    Logger.getLogger(InterFaxClient.class.getName()).log(Level.SEVERE, null, rex);
} catch (AssetServiceException aex) {
    Logger.getLogger(InterFaxClient.class.getName()).log(Level.SEVERE, null, aex);
}
MyCallbackHandler.java:
/*
 * To change this template, choose Tools | Templates
 * and open the template in the editor.
 */
package main.interfax;

import java.io.IOException;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.NameCallback;
import javax.security.auth.callback.PasswordCallback;
import javax.security.auth.callback.UnsupportedCallbackException;

/**
 * @author chopper
 */
public class MyCallbackHandler implements CallbackHandler {

    private String username;
    private String password;

    public MyCallbackHandler(String username, String password) {
        this.username = username;
        this.password = password;
    }

    public void handle(Callback[] callbacks) throws IOException, UnsupportedCallbackException {
        for (int i = 0; i < callbacks.length; i++) {
            // each element callbacks[i] is tested and cast, not the array itself
            if (callbacks[i] instanceof NameCallback) {
                // if the Callback is a NameCallback, set its name to the username
                NameCallback nc = (NameCallback) callbacks[i];
                nc.setName(username);
            } else if (callbacks[i] instanceof PasswordCallback) {
                // if the Callback is a PasswordCallback, set its password
                PasswordCallback pc = (PasswordCallback) callbacks[i];
                pc.setPassword(password.toCharArray());
            } else {
                // anything other than NameCallback or PasswordCallback is not supported
                throw new UnsupportedCallbackException(callbacks[i], "Unrecognized Callback");
            }
        }
    }
}
auth.conf is in the classpath:
myclient {
    org.jboss.security.ClientLoginModule required;
};
and this is the exception:
12:07:36,678 ERROR [UsersRolesLoginModule] Failed to load users/passwords/role files
java.io.IOException: No properties file: users.properties or defaults: defaultUsers.properties found
    at org.jboss.security.auth.spi.Util.loadProperties(Util.java:198)
    at org.jboss.security.auth.spi.UsersRolesLoginModule.loadUsers(UsersRolesLoginModule.java:186)
    at org.jboss.security.auth.spi.UsersRolesLoginModule.createUsers(UsersRolesLoginModule.java:200)
    at org.jboss.security.auth.spi.UsersRolesLoginModule.initialize(UsersRolesLoginModule.java:127)
    at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
I tried different configurations with no success. Thank you for your help. Best Regards. -
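Added example (editor's code, not from this thread, from JBoss, or from the poster's project): a self-contained JAAS round trip that runs offline with plain JDK classes, so the LoginContext -> LoginModule -> CallbackHandler flow can be watched without a server. It swaps in a verifying module, DemoLoginModule, in place of org.jboss.security.ClientLoginModule, because ClientLoginModule only records the principal and credential for the JBoss invocation layer and does no verification itself; the real check for the thread's setup happens in server A's ProtectivityRealm. The hashPassword helper is assumed to produce the same Base64(SHA-1(password)) form that a DatabaseServerLoginModule with hashAlgorithm=SHA and the default base64 encoding expects in its principalsQuery column. The class names JaasLoginDemo, DemoCallbackHandler and DemoLoginModule, the tryLogin helper, and the admin/adminadmin entry in USERS are all constructed for the example.

```java
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.Principal;
import java.util.*;
import javax.security.auth.Subject;
import javax.security.auth.callback.*;
import javax.security.auth.login.*;
import javax.security.auth.spi.LoginModule;

/** Added example (not from the thread): one JAAS round trip, LoginContext -> LoginModule -> CallbackHandler, no JBoss on the path. */
public class JaasLoginDemo {

    /** Constructed user table (hypothetical data): username -> Base64(SHA-1(password)). */
    static final Map<String, String> USERS = new HashMap<>();
    static { USERS.put("admin", hashPassword("adminadmin")); }

    /** Assumed to be the form a hashAlgorithm=SHA module with the default base64 encoding stores. */
    static String hashPassword(String clearText) {
        try {
            byte[] d = MessageDigest.getInstance("SHA").digest(clearText.getBytes(StandardCharsets.UTF_8));
            return Base64.getEncoder().encodeToString(d);
        } catch (java.security.NoSuchAlgorithmException e) { throw new IllegalStateException(e); }
    }

    /** Answers the module's callbacks; it is callbacks[i], the element, that is tested and cast. */
    public static class DemoCallbackHandler implements CallbackHandler {
        private final String username; private final char[] password;
        public DemoCallbackHandler(String u, String p) { username = u; password = p.toCharArray(); }
        @Override public void handle(Callback[] callbacks) throws UnsupportedCallbackException {
            for (int i = 0; i < callbacks.length; i++) {
                if (callbacks[i] instanceof NameCallback) ((NameCallback) callbacks[i]).setName(username);
                else if (callbacks[i] instanceof PasswordCallback) ((PasswordCallback) callbacks[i]).setPassword(password);
                else throw new UnsupportedCallbackException(callbacks[i], "Unrecognized Callback");
            }
        }
    }

    /** Verifying module standing in for the server-side DatabaseServerLoginModule (ClientLoginModule verifies nothing). */
    public static class DemoLoginModule implements LoginModule {
        private Subject subject; private CallbackHandler handler; private String user; private boolean succeeded;

        @Override public void initialize(Subject s, CallbackHandler h, Map<String, ?> shared, Map<String, ?> opts) {
            subject = s; handler = h;
        }

        @Override public boolean login() throws LoginException {
            NameCallback nc = new NameCallback("username: ");
            PasswordCallback pc = new PasswordCallback("password: ", false);
            try { handler.handle(new Callback[] { nc, pc }); }
            catch (IOException | UnsupportedCallbackException e) { throw new LoginException("callback failed: " + e); }
            String stored = USERS.get(nc.getName());
            char[] presented = pc.getPassword();
            pc.clearPassword();
            // One failure message for unknown user and wrong password; the digest compare is constant time.
            if (stored == null || presented == null || !MessageDigest.isEqual(
                    stored.getBytes(StandardCharsets.UTF_8),
                    hashPassword(new String(presented)).getBytes(StandardCharsets.UTF_8))) {
                throw new FailedLoginException("authentication failed");
            }
            user = nc.getName(); succeeded = true; return true;
        }

        @Override public boolean commit() {
            if (succeeded) { final String n = user; subject.getPrincipals().add((Principal) () -> n); } // getName() only
            return succeeded;
        }
        @Override public boolean abort() { succeeded = false; return true; }
        @Override public boolean logout() { subject.getPrincipals().clear(); return true; }
    }

    /** Programmatic equivalent of the auth.conf entry "myclient { ... required; };". */
    static Configuration config() {
        return new Configuration() {
            @Override public AppConfigurationEntry[] getAppConfigurationEntry(String name) {
                if (!"myclient".equals(name)) return null;
                return new AppConfigurationEntry[] { new AppConfigurationEntry(DemoLoginModule.class.getName(),
                        AppConfigurationEntry.LoginModuleControlFlag.REQUIRED, Collections.emptyMap()) };
            }
        };
    }

    /** True only if the module accepted the credentials. */
    static boolean tryLogin(String username, String password) {
        try {
            new LoginContext("myclient", new Subject(), new DemoCallbackHandler(username, password), config()).login();
            return true;
        } catch (LoginException e) { return false; }
    }

    public static void main(String[] args) {
        System.out.println("admin/adminadmin -> " + tryLogin("admin", "adminadmin"));
        System.out.println("admin/wrong      -> " + tryLogin("admin", "wrong"));
        System.out.println("nobody/x         -> " + tryLogin("nobody", "x"));
    }
}
```

Compile and run with javac JaasLoginDemo.java && java JaasLoginDemo (Java 8 or later). The handler has the same shape as the MyCallbackHandler posted above, and the Configuration passed to the LoginContext constructor replaces the java.security.auth.login.config system property, so nothing global is changed. Two things the demo makes visible that the thread's setup hides: the module that owns the users table is the one that decides (here DemoLoginModule, on the real server the realm's DatabaseServerLoginModule), and a LoginContext name that resolves to no entry falls back to the "other" domain, which on a stock login-config.xml is a UsersRolesLoginModule expecting users.properties, the file named in the exception above.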
8. Re: JAAS: using sessionbean's home interface method
wolfgangknauf Oct 30, 2009 9:21 AM (in response to chopper)
Hi,
I think there should be two differences in the environment properties for JNDI:
Context.URL_PKG_PREFIXES =>I use "org.jboss.naming.client" for application clients, but I don't know if this is required, if the "client" is actually a server...
Context.PROVIDER_URL => you don't use a port: "jnp://127.0.0.1:1099". Is the "remote" JBoss also running on your local installation? I would assume the IP of the remote server here, otherwise you would connect to the current JBoss instance ;-)
I hope this helps. If it does not: try to authenticate from a standalone java application. Hopefully this works...
Wolfgang