6 Replies Latest reply on Mar 31, 2011 4:20 PM by kitome

    Problem keeping a user logged between threads

    kitome

      Hey everyone! First of all, I am new to using JBoss and wasn't sure if this was the right place to put my question, so I apologize if it wasn't.

       

      I have an application that is authenticating using JAAS against a database, the queries are fine and it actually authenticates the user using a setSimple(userLogin, pwd). The client has its domain defined and some of the class functions can only be accessed if the user has the appropriate roles. The problem is that once I authenticate the user in the main thread, it seems as if I have to authenticate again in each of the child threads of the client, calling the function I use to authenticate with a null user and a null password (thus throwing an exception).

       

      I think that there's gotta be some way for the server/client to remember that the user is actually authenticated so it won't be authenticated more than once in each thread of the application. Is that actually possible? Or how do I prevent the server/client from doing it after I authenticated the user the first time?

       

      There is no logout call in the code other than the one I use if the (userLogin, pwd) combination is invalid.

       

      Hope anyone can help me with this.

       

      Thanks.

        • 1. Problem keeping a user logged between threads
          wolfgangknauf

          Hi,

           

          take a look at this thread: http://community.jboss.org/thread/43907

           

          Which JBoss version do you use?

           

          Hope this helps

           

          Wolfgang

          • 2. Re: Problem keeping a user logged between threads
            kitome

            Hi Wolfgang, and thanks for your reply.

             

            I'm using JBoss 5.1.0.GA and I just read the thread you linked and I think we have the same issue. I modified the code to use the .setClient() but it didn't work. Here is a snippet of the code I use to do the login:

             

             

                  SecurityClient securedClient = null;
                  try {
                       SecurityContextAssociation.setClient();
                       securedClient = SecurityClientFactory.getSecurityClient();
                       securedClient.setSimple(userLogin, password);
                       securedClient.login();
                  } catch (Exception e) {
                       // securedClient is still null if getSecurityClient() itself threw
                       if (securedClient != null) {
                            securedClient.logout();
                       }
                  }

             

             

            Also, I'm trying to configure this:   

                 org.jboss.security.ClientLoginModule required
                 multi-threaded=false;

             

            But I can't find where I should do that.

            • 3. Problem keeping a user logged between threads
              wolfgangknauf

              Hi,

               

              the "multi-threaded=false" fragment needs to be placed in a file "auth.conf", and thus you have to use a JAAS login instead of a "simple" login. See the security FAQ at http://community.jboss.org/wiki/SecurityFAQ - the answer for question 10 shows you the first steps of performing a JAAS login. If there are more questions left, feel free to ask. Unfortunately, I did not find an English website which explains this in detail.

               

              Alternative: did you try to set the system property "org.jboss.security.context.ThreadLocal=false", as described in https://issues.jboss.org/browse/SECURITY-415?

               

              Best regards

               

              Wolfgang

              • 4. Re: Problem keeping a user logged between threads
                kitome

                Hello again!

                 

                 

                I used the SecurityContextAssociation.setClient(); before I call SecurityClientFactory.getSecurityClient(); and had no luck, then I created an auth.conf file and put it into my resources and it didn't seem to work either. Dunno if I have to do anything else other than just creating the file.

                 

                Inside the auth.conf is:

                 

                jmx-console {
                    org.jboss.security.ClientLoginModule required;
                    multi-threaded=false;
                };

                 

                 

                 

                EDIT: I haven't tried yet the JAAS login you suggested above
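
The `auth.conf` posted above puts a `;` after `required`; in the JAAS login configuration grammar that semicolon ends the module entry, so `multi-threaded=false;` is no longer read as an option of `ClientLoginModule`. The following added example (not code from this thread; the class name and both embedded samples are constructed) feeds both layouts to the JDK's own JAAS file parser, which needs no JBoss jars because parsing does not load the module class.

```java
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Path;
import java.security.NoSuchAlgorithmException;
import java.security.URIParameter;
import javax.security.auth.login.AppConfigurationEntry;
import javax.security.auth.login.Configuration;

public class AuthConfCheck {
    // Constructed sample: options follow the control flag, one ';' ends the entry.
    static final String OPTIONS_BEFORE_SEMICOLON =
        "jmx-console {\n"
      + "    org.jboss.security.ClientLoginModule required\n"
      + "    multi-threaded=false;\n"
      + "};\n";
    // Constructed sample: a ';' directly after the flag ends the entry early.
    static final String SEMICOLON_AFTER_FLAG =
        "jmx-console {\n"
      + "    org.jboss.security.ClientLoginModule required;\n"
      + "    multi-threaded=false;\n"
      + "};\n";

    /** Parses confText with the JDK's JAAS file parser and describes the named entry. */
    static String describe(String confText, String entryName) throws Exception {
        Path file = Files.createTempFile("auth", ".conf");
        try {
            Files.write(file, confText.getBytes(StandardCharsets.UTF_8));
            Configuration conf =
                Configuration.getInstance("JavaLoginConfig", new URIParameter(file.toUri()));
            AppConfigurationEntry[] entries = conf.getAppConfigurationEntry(entryName);
            if (entries == null) return "no entry named " + entryName;
            StringBuilder out = new StringBuilder();
            for (AppConfigurationEntry entry : entries) {
                out.append(entry.getLoginModuleName()).append(' ')
                   .append(entry.getControlFlag()).append(' ').append(entry.getOptions());
            }
            return out.toString();
        } catch (NoSuchAlgorithmException | RuntimeException e) {
            // A syntax error in the file surfaces as the cause of this exception.
            Throwable cause = e.getCause() != null ? e.getCause() : e;
            return "rejected: " + cause.getMessage();
        } finally {
            Files.deleteIfExists(file);
        }
    }

    public static void main(String[] args) throws Exception {
        System.out.println(describe(OPTIONS_BEFORE_SEMICOLON, "jmx-console"));
        System.out.println(describe(SEMICOLON_AFTER_FLAG, "jmx-console"));
    }
}
```

Running the same check against the real file before starting the client shows whether a failure at `new LoginContext(...)` comes from the file's syntax or from the login module itself.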

                • 5. Re: Problem keeping a user logged between threads
                  kitome

                  Hi again,

                   

                  I tried to use the JAAS login but I get an exception and it won't even login now... It seems as if it isn't recognizing the security domain I specify as the first parameter 'cuz it throws an exception when I initialize the LoginContext object.

                   

                  I did set the system property "org.jboss.security.context.ThreadLocal=false" with System.setProperty("org.jboss.security.context.ThreadLocal", "false"); but the problem is still there.

                  • 6. Re: Problem keeping a user logged between threads
                    kitome

                    Well, I finally tried the JAAS login with the suggested auth.conf and still have the same problem: I can log in in the main thread but the authentication is lost in its child threads.

                     

                    Here is the code that does the login:

                     

                         System.setProperty("java.security.auth.login.config", "conf/auth.conf");
                         System.setProperty("org.jboss.security.context.ThreadLocal", "false");
                         SecurityAssociationHandler handler = new SecurityAssociationHandler();
                         SimplePrincipal userJAAS = new SimplePrincipal(user);
                         handler.setSecurityInfo(userJAAS, password);
                         LoginContext loginContext =
                              new LoginContext("jmx-console", (CallbackHandler) handler);
                         // SecurityContextAssociation.setClient();
                         loginContext.login();

                     

                     

                    I really dunno what is wrong since apparently everything is "fine", I really appreciate any help or guidance anyone could give.

                     

                    Thanks in advance.
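
The symptom reported in this thread, a login on the main thread that child threads do not see, is what any identity stored per thread produces. The following added example (not from the thread, and not JBoss code) models it with a plain JDK `ThreadLocal`; `CURRENT_USER`, `withCallerIdentity` and the user name are hypothetical. It shows a worker seeing no identity, then an explicit hand-off that also restores the worker's previous state so a pooled thread cannot carry the identity into the next task.

```java
import java.util.concurrent.ExecutorService;
import java.util.concurrent.Executors;
import java.util.concurrent.TimeUnit;

public class IdentityPropagationDemo {
    // Hypothetical stand-in for a client-side security association kept per thread.
    static final ThreadLocal<String> CURRENT_USER = new ThreadLocal<>();

    /** Captures the submitting thread's identity and re-associates it on the worker. */
    static Runnable withCallerIdentity(Runnable task) {
        final String caller = CURRENT_USER.get();   // read on the submitting thread
        return () -> {
            String previous = CURRENT_USER.get();
            CURRENT_USER.set(caller);
            try {
                task.run();
            } finally {
                // Pooled threads are reused: put back what was there before this task.
                if (previous == null) {
                    CURRENT_USER.remove();
                } else {
                    CURRENT_USER.set(previous);
                }
            }
        };
    }

    static void report(String label) {
        System.out.println(label + " on " + Thread.currentThread().getName()
                + ": user=" + CURRENT_USER.get());
    }

    public static void main(String[] args) throws InterruptedException {
        CURRENT_USER.set("alice");   // constructed user name; stands for the main-thread login
        report("main");
        ExecutorService pool = Executors.newFixedThreadPool(1);
        pool.submit(() -> report("plain task"));
        pool.submit(withCallerIdentity(() -> report("wrapped task")));
        pool.submit(() -> report("next task, same worker"));
        pool.shutdown();
        pool.awaitTermination(5, TimeUnit.SECONDS);
    }
}
```

Only the wrapped task reports the caller's user; the tasks before and after it on the same worker thread report none.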