0 Replies Latest reply on Jul 8, 2012 8:35 AM by Philippe Marschall

    programmatic login for ejb remoting using LoginContext

    Philippe Marschall Expert

      We have an existing application that runs on JBoss AS 5.1 that we're trying to migrate to 7.1. One of the areas where we're having difficulties is EJB security. Our application works more or less like this:

      1. Some unauthenticated EJB class are made. This is for things like getting the list of active tenants, the server time, version and so on.
      2. The data of the previous step is used to display a login dialog to the user.
      3. Once the user clicks the login button we do programmatic login using LoginContext.
      4. From now on authenticated EJB class happen.

       

      The EJBs that require authentication are secured using @SecurityDomain poiting to our domain (for which we have a custom login module)

      @SecurityDomain("acme")
      @Stateless
      public class SecuredBean {
      
      }
      

      The EJBs that don't require authentication don't have the @SecurityDomain. We do not require or declare any roles, being in the domain is enough.

       

      On the client we have a JAAS configuration file that we register as a property under "java.security.auth.login.config" and looks like this

      acme {
        org.jboss.security.ClientLoginModule required multi-threaded=false;
      };
      

       

      Our login code looks like this

      LoginContext loginContext = new LoginContext("acme", callbackHander);
      login();
      

      where the callback handler would take the user name and password from the login dialog.

       

      In AS 7 we removed the security-realm from the remoting connector to allow unauthentiated calls (that's how we understood the docs) and added the following domain (SimpleUsers is just for testing purposes)

                      <security-domain name="acme" cache-type="default">
                          <authentication>
                              <login-module code="Remoting" flag="optional">
                                  <module-option name="password-stacking" value="useFirstPass"/>
                              </login-module>
                              <login-module code="SimpleUsers" flag="required">
                                  <module-option name="admin" value="admin"/>
                              </login-module>
                          </authentication>
                      </security-domain>
      

      On the client we set

      jboss.naming.client.ejb.context=true
      

      in jboss-ejb-client.properties to use remote JNDI instead of remote EJB and don't have the ejb:// prefixes in your names.

       

      However the login does not seem to work. Our login callback handler gets called but the user always seems to be "anonymous".

       

      We tried adding

      jboss.security.security_domain=acme
      

      to the JAAS config but that didn't make a difference.

       

      Is this setup supposed to work? Is there something wrong with our approach?