11 Replies Latest reply on Sep 5, 2017 10:27 AM by ladbrokesldk

    LoginModule doesn't set Principal

    ladbrokesldk

      Hi all,

       

      I have implemented a custom javax.security.auth.spi.LoginModule that authenticates a user with the Google+ identity (OAUTH) server and adds roles to the Subject from a local database.

      On commit, the Subject and its Principals (Roles, members) are set. So far so good.

      The urls are protected with in web.xml

       

      <login-config>
      <auth-method>FORM</auth-method>
      <realm-name>GoogleLogin</realm-name>
      <form-login-config>
      <form-login-page>/lbsLogin.html</form-login-page>
      <form-error-page>/VAADIN/error.html</form-error-page>
      </form-login-config>
      </login-config>
      <security-constraint>
      <web-resource-collection>
      <web-resource-name>Protected Area</web-resource-name>
      <url-pattern>/secure/*</url-pattern>
      </web-resource-collection>
      <auth-constraint>
      <role-name>user</role-name>
      </auth-constraint>
      </security-constraint>
      <security-role>
      <description>User view-only</description>
      <role-name>user</role-name>
      </security-role>
      
      <?xml version="1.0" encoding="UTF-8"?>
      <jboss-web>
      <security-domain>GoogleLogin</security-domain>
      </jboss-web>
      

       

      The login page /lbsLogin.html is redirected to a link to the Google+ login. The redirect of Google+ triggers the programmatic login.

       

      String code = request.getParameter("code");
      GoogleCallbackHandler cbh = new GoogleCallbackHandler(code);
      LoginContext loginContext = new LoginContext("GoogleLogin", new Subject(), cbh);
      loginContext.login();
      Subject subject = loginContext.getSubject();
      
      

      16:13:34,237 INFO  [stdout] (default task-17) Principal = myaccount@gmail.com

      16:13:34,237 INFO  [stdout] (default task-17) Principal = Roles(members:extuser,user)

      16:13:34,237 INFO  [stdout] (default task-17) Principal = CallerPrincipal(members:myaccount@gmail.com)

       

      The Subject is correctly populated.

       

      However, when checking for the callerPrincipal or Remote user, they always remain null. So the security context is not propagated to the EJB context. From the point of view of EJB I am "anonymous". As a result, the browser is always redirected to the login page and can't reach /secure/*

      Annotations @RolesAllowed("user")  on Stateless beans generate javax.ejb.EJBAccessException

      What do I do need to do to propagate the Principal to the application ?

       

       

      This is my standalone-full.xml modification.

       

      <security-domain name="GoogleLogin">
      <authentication>
      <login-module code="be.authtest.vaadin.oauth.GoogleLoginModule" flag="required">
      <module-option name="dsJndiName" value="java:jboss/datasources/frontDS"/>
      <module-option name="rolesQuery" value="select R.role as Role, 'Roles' from lbs_role R inner join lbs_user_role UR on UR.role_id=R.id inner join lbs_user U on U.id=UR.user_id and U.status=1 where U.username=?"/>
      <module-option name="callbackUrl" value="http://localhost:8080/vaadin/login/login2"/>
      <module-option name="gplusKey" value="******************************"/>
      <module-option name="gplusSecret" value="**************************"/>
      <module-option name="gplusUrl" value="https://www.googleapis.com/plus/v1/people/me"/>
      </login-module>
      </authentication>
      </security-domain>
      
      

      Thank you.

       

      Dear, I added a small Maven project to illustrate the problem. Calling AuthService.getSecurityInfo() or any other method of this bean will throw an EJBAccessException. I use Redhat Jboss developer Studio 10.4.0.GA. Thank you for you reply.@

       

      Dear, I added my new LoginModule, the clue must be within that code.

       

      Hi, anybody has an idea as where to look ? I'm at the end of my wits.