5 Replies Latest reply on Jan 22, 2009 4:22 PM by Ron Sigal

    JAAS authentication with EJB over HTTP

    Robert Newbie

      Hi,

      We are using JBoss AS 4.2.3.GA and are attempting to access our Stateless Session Beans via HTTP using the instructions found here: http://www.jboss.org/community/docs/DOC-9632.

      We use LDAP authentication to secure access to our SSB's. This seems to work well when we are using plain old RMI; however when we use HTTP an EJBAccessException is thrown:

      2009-01-06 14:54:20,882 DEBUG [org.jboss.remoting.transport.servlet.ServletServerInvoker] Error thrown calling invoke on server invoker.
      javax.ejb.EJBAccessException: Authentication failure
       at org.jboss.ejb3.security.Ejb3AuthenticationInterceptor.handleGeneralSecurityException(Ejb3AuthenticationInterceptor.java:68)
       at org.jboss.aspects.security.AuthenticationInterceptor.invoke(AuthenticationInterceptor.java:70)
       at org.jboss.ejb3.security.Ejb3AuthenticationInterceptor.invoke(Ejb3AuthenticationInterceptor.java:110)
       at org.jboss.aop.joinpoint.MethodInvocation.invokeNext(MethodInvocation.java:101)
       at org.jboss.ejb3.ENCPropagationInterceptor.invoke(ENCPropagationInterceptor.java:46)
       at org.jboss.aop.joinpoint.MethodInvocation.invokeNext(MethodInvocation.java:101)
       at org.jboss.ejb3.asynchronous.AsynchronousInterceptor.invoke(AsynchronousInterceptor.java:106)
       at org.jboss.aop.joinpoint.MethodInvocation.invokeNext(MethodInvocation.java:101)
       at org.jboss.ejb3.stateless.StatelessContainer.dynamicInvoke(StatelessContainer.java:304)
       at org.jboss.aop.Dispatcher.invoke(Dispatcher.java:106)
       at org.jboss.aspects.remoting.AOPRemotingInvocationHandler.invoke(AOPRemotingInvocationHandler.java:82)
       at org.jboss.remoting.ServerInvoker.invoke(ServerInvoker.java:809)
       at org.jboss.remoting.transport.servlet.ServletServerInvoker.processRequest(ServletServerInvoker.java:232)
       at org.jboss.remoting.transport.servlet.web.ServerInvokerServlet.processRequest(ServerInvokerServlet.java:128)
       at org.jboss.remoting.transport.servlet.web.ServerInvokerServlet.doPost(ServerInvokerServlet.java:157)
       at javax.servlet.http.HttpServlet.service(HttpServlet.java:710)
       at javax.servlet.http.HttpServlet.service(HttpServlet.java:803)
       at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:290)
       at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
       at org.jboss.web.tomcat.filters.ReplyHeaderFilter.doFilter(ReplyHeaderFilter.java:96)
       at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235)
       at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
       at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:230)
       at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:175)
       at org.jboss.web.tomcat.security.SecurityAssociationValve.invoke(SecurityAssociationValve.java:182)
       at org.jboss.web.tomcat.security.JaccContextValve.invoke(JaccContextValve.java:84)
       at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:127)
       at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:102)
       at org.jboss.web.tomcat.service.jca.CachedConnectionValve.invoke(CachedConnectionValve.java:157)
       at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:109)
       at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:262)
       at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:844)
       at org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.process(Http11Protocol.java:583)
       at org.apache.tomcat.util.net.JIoEndpoint$Worker.run(JIoEndpoint.java:446)
       at java.lang.Thread.run(Thread.java:619)
      
      


      Here is the relevant code:

      Client
      Properties p = new Properties();
      p.put(Context.SECURITY_PRINCIPAL, "user");
      p.put(Context.SECURITY_CREDENTIALS, "password");
      p.put("java.naming.factory.initial", "org.jboss.naming.HttpNamingContextFactory");
      p.put("java.naming.provider.url", "http://localhost:8080/unified-invoker/JNDIFactory/?return-exception=true");
      p.put("java.naming.factory.url.pkgs", "org.jboss.naming:org.jnp.interfaces");
      
      InitialContext ctx = new InitialContext(p);
      ACLManagerClient am = (ACLManagerClient) ctx.lookup("ACLManager/http");
      ACL acl = am.get(0);


      jboss.xml
      <session>
       <ejb-name>LDAPManager</ejb-name>
       <remote-binding>
       <jndi-name>LDAPManager/http</jndi-name>
       <client-bind-url>
       http://${jboss.bind.address}:8080/unified-invoker/Ejb3ServerInvokerServlet/?return-exception=true
       </client-bind-url>
       </remote-binding>
       <security-domain>MyDomain</security-domain>
       </session>
       <session>
      


      http-uinvoker.sar\unified-invoker.war\WEB-INF\jboss-web.xml
      <?xml version="1.0" encoding="ISO-8859-1"?>
      
      <!DOCTYPE jboss-web
       PUBLIC "-//JBoss//DTD Web Application 2.3V2//EN"
       "http://www.jboss.org/j2ee/dtd/jboss-web_3_2.dtd">
      
      <jboss-web>
       <security-domain>java:/jaas/Ryba</security-domain>
      </jboss-web>
      


      login-config.xml
       <application-policy name="MyDomain">
       <authentication>
       <login-module code="org.jboss.security.auth.spi.LdapLoginModule"
       flag="required">
       <module-option name="java.naming.provider.url">ldap://localhost:389</module-option>
       <module-option name="rolesCtxDN">ou=People,dc=example,dc=com</module-option>
       <module-option name="matchOnUserDN">true</module-option>
       <module-option name="principalDNSuffix">,ou=People,dc=example,dc=com</module-option>
       <module-option name="principalDNPrefix">uid=</module-option>
       <module-option name="uidAttributeID">member</module-option>
       <module-option name="roleAttributeID">cn</module-option>
       <module-option name="roleAttributeIsDN">false</module-option>
       </login-module>
       </authentication>
      </application-policy>
      


      Any idea how we can get the credentials passed to the EJB container? Any help would be greatly appreciated.