1 Reply Latest reply on Jun 23, 2011 10:15 AM by hublisid

SecurityAssociation values are null when called from authenticating EJB

hublisid Jun 3, 2011 3:57 PM

Hi All,

I have a web applciation and an EJB component.

I am using GenericHeaderAuthenticator and SSOLoginModule for the authentication. In GenericHeaderAuthenticator, I am getting the roles from siteminder and setting in org.jboss.security.SecurityAssociation class.

SecurityAssociation.setContextInfo("sm_role", roles);

For the authentication in EJB, the securityDomain is pointing to SSOLoginModule,

When I am trying to access the SecurityAssociation context info in SSOLoginModule , its giving me null values, so the EJB authentication failed!!

String role = (String)SecurityAssociation.getContextInfo("sm_role"); roles are coming as null.

This problem is in Unix environment, the same code I tried in Windows environment it's working fine.

Can anyone help me to resolve this issue?

The configuration are as below:-

####################EJB Code:######################################

@org.jboss.ejb3.annotation.SecurityDomain("SSOGenericHeaderAuth")

@Stateless

public class FooBean implements FooRemote {

@RolesAllowed("essga_cmdbost_custodian")

@Resource private SessionContext sctx;

#######war-deployers-jboss-beans.xml(c:\jboss-5.1.0.GA\server\default\deployers\jbossweb.deployer\META-INF) ########

      <property name="authenticators">
         <map class="java.util.Properties" keyClass="java.lang.String" valueClass="java.lang.String">
    <entry>
               <key>HEADER</key>
               <value>org.jboss.example.web.tomcat.security.GenericHeaderAuthenticator</value>
          </entry>

...........

######web.xml###########

<login-config>

<auth-method>HEADER</auth-method>

</login-config>

#######login-config.xml(c:\jboss-5.1.0.GA\server\default\conf):##########

<application-policy name="SSOGenericHeaderAuth">

<login-module code="org.jboss.example.web.tomcat.security.SSOLoginModule" flag="sufficient"/>

<login-module code="org.jboss.security.auth.spi.UsersRolesLoginModule"

flag="required">

<module-option name="usersProperties">props/jmx-console-users.properties</module-option>

<module-option name="rolesProperties">props/jmx-console-roles.properties</module-option>

</login-module>

</authentication>

</application-policy>

1. Re: SecurityAssociation values are null when called from authenticating EJB

hublisid Jun 23, 2011 10:15 AM (in response to hublisid)

Thanks to JBoss team, this problem is resolved with help of JBoss team.
Here is the solution:

Instead of SecurityAssociation class, I used HTTPSession to store the roles. By this we don't need to validate the session every time we do the role check.

So, in GenericHeaderAuthentication.java

// This is how the roles are passed into the login module where they will be set
HttpSession http_session = request.getSession();
http_session.setAttribute("roles", roles);
and in SSOLoginModule.java, you retrieve the roles using below mentioned code:
HttpServletRequest request =

(HttpServletRequest) PolicyContext.getContext("javax.servlet.http.HttpServletRequest");

List<String> sessionRoles = (List<String>) request.getSession().getAttribute("roles");

This resolved the problem.

Regards,
Siddu

Message was edited by: Siddu Bulla
Actions