1 Reply Latest reply on Sep 6, 2012 3:18 AM by hibernator_11

jboss 6 security jaas problem

    hibernator_11

Hi all,

After three working on my JAAS JBoss project I can log in but not execute any EJB operations. I have checked like a million posts... but I just cannot make it work...

I'll explain everything here.

My login-config.xml has the application policy for my users.

login-config.xml
    <application-policy name = "verifiq-domain">
      <authentication>
        <login-module code = "org.jboss.security.auth.spi.DatabaseServerLoginModule" flag = "required">
          <!--<module-option name = "unauthenticatedIdentity">invitado</module-option>-->
          <module-option name = "password-stacking">useFirstPass</module-option>
          <module-option name = "hashStorePassword">true</module-option>
          <module-option name = "dsJndiName">java:/Bvmc</module-option>
          <module-option name = "principalsQuery">SELECT PASSWORD FROM CATALOGADOR WHERE usuario=?</module-option>
          <module-option name = "rolesQuery">SELECT ROL, 'Roles' FROM CATALOGADOR_ROL WHERE usuario=?</module-option>
          <module-option name = "hashAlgorithm">MD5</module-option>
          <module-option name = "hashEncoding">base64</module-option>
        </login-module>
      </authentication>
    </application-policy>

My EJB definition uses this domain:

    @Stateless(mappedName = "explusionStatusBo")
    @SecurityDomain(value="java:/jaas/verifiq-domain")
    public class ExplusionStatusBoEjb implements IExplusionStatusBo, Serializable, SessionBean, ExplusionStatusBoEjbLocal, ExplusionStatusBoEjbRemote
    .....

My jboss.xml:

    <jboss>
        <security-domain>java:/jaas/verifiq-domain</security-domain>
    </jboss>

My JAAS handler class:

    // Imports required in the enclosing class:
    // import java.io.IOException;
    // import javax.security.auth.callback.Callback;
    // import javax.security.auth.callback.CallbackHandler;
    // import javax.security.auth.callback.NameCallback;
    // import javax.security.auth.callback.PasswordCallback;
    // import javax.security.auth.callback.UnsupportedCallbackException;
    // import org.jboss.security.Util;

    private class PassiveCallbackHandler implements CallbackHandler
    {
        private String username;
        //char[] password;
        private String password;

        /**
         * Creates a callback handler with the given username
         * and password.
         */
        public PassiveCallbackHandler(String user, String pass) {
            this.username = user;
            this.password = pass;
        }

        /**
         * Handles the specified set of Callbacks. Uses the
         * username and password that were supplied to our
         * constructor to populate the Callbacks.
         *
         * This class supports NameCallback and PasswordCallback.
         *
         * @param   callbacks the callbacks to handle
         * @throws  IOException if an input or output error occurs.
         * @throws  UnsupportedCallbackException if the callback is not an
         *          instance of NameCallback or PasswordCallback
         */
        public void handle(Callback[] callbacks) throws java.io.IOException, UnsupportedCallbackException
        {
            for (int i = 0; i < callbacks.length; i++)
            {
                Callback callback = callbacks[i];
                if (callback instanceof NameCallback)
                {
                    NameCallback nameCB = (NameCallback) callback;
                    nameCB.setName(username);
                }
                else if (callback instanceof PasswordCallback)
                {
                    PasswordCallback passwordCB = (PasswordCallback) callback;

                    // MD5 + base64, matching hashAlgorithm/hashEncoding in login-config.xml
                    String hash = Util.createPasswordHash("MD5", "BASE64", null, null, password);
                    log.debug("password hash:" + hash);

                    passwordCB.setPassword(hash.toCharArray());
                }
                else
                {
                    // reject callbacks this handler cannot answer, as the javadoc states
                    throw new UnsupportedCallbackException(callback, "Unsupported callback");
                }
            }
        }
    }

I have an EAR that contains all the EJB definitions. I have another project that is a GWT client that uses these EJBs, and I want to know which user is executing the EJBs to audit the operations. After all the configuration, the login code works perfectly in my GWT client:

    // Imports required in the enclosing class:
    // import org.jboss.security.client.SecurityClient;
    // import org.jboss.security.client.SecurityClientFactory;

    SecurityClient securityClient = null;
    try {
        securityClient = SecurityClientFactory.getSecurityClient();
        log.debug("mi gwt password:" + password); // note: this writes the clear-text password to the log file
        log.debug("Viene a hacer login");
        securityClient.setJAAS("verifiq-domain", new PassiveCallbackHandler(usuario, password));
        securityClient.login();
    } catch (Exception e) {
        log.error("login failed", e);
    }

At this point everything is all right. The user is logged in and everything is fine. But if, after logging in the user, I want to use the EJB, it says "caller unauthorized" because the login is not propagated to the EJB tier, I think. So I have tried creating an InitialContext in my GWT client but it does not work...

    // Imports required in the enclosing class:
    // import java.util.Properties;
    // import javax.naming.Context;
    // import javax.naming.InitialContext;
    // import javax.naming.NamingException;

    Properties properties = new Properties();
    // The JNDI keys are the javax.naming.Context constants ("java.naming.factory.initial", ...),
    // not the literal strings "INITIAL_CONTEXT_FACTORY" etc., which the naming provider never reads.
    properties.setProperty(Context.INITIAL_CONTEXT_FACTORY, "org.jnp.interfaces.NamingContextFactory");
    properties.setProperty(Context.URL_PKG_PREFIXES, "org.jboss.naming:org.jnp.interfaces");
    properties.setProperty(Context.PROVIDER_URL, "jnp://localhost:1099");
    properties.put(Context.SECURITY_PRINCIPAL, "admin");
    try {
        InitialContext ctx = new InitialContext(properties);
        ExplusionStatusBoEjbRemote service = (ExplusionStatusBoEjbRemote) ctx.lookup("cervantesvirtual-enterprise/ExplusionStatusBoEjb/remote-com.cervantesvirtual.interfaces.ExplusionStatusBoEjbRemote");
        String response = service.expell(usuario, password);
        log.debug("respuesta ejb servicio! " + response);
    } catch (NamingException e) {
        log.error("JNDI lookup failed", e);
    }

To sum up, I can log in but after that I cannot call my EJB function. I'd love to use JAAS on my project and use users and roles for all my EJBs... but I am racking my brains and this is not working at all..

PS: I am using JBoss 6. I saw this link but it still does not work... http://www.ajka-andrej.com/2011/05/22/jboss-6-client-authentication-sd/

Thanks in advance!

Edited: I saw here https://community.jboss.org/wiki/SecurityFAQ that maybe I need:

    <!-- Add this line to your login-config.xml to include the ClientLoginModule propagation -->
    <login-module code="org.jboss.security.ClientLoginModule" flag="required"></login-module>

  • 1. Re: jboss 6 security jaas problem
    hibernator_11

    That is, I needed the configuration in my login-config.xml like this:

    <application-policy name = "verifiq-domain">
      <authentication>
        <login-module code="org.jboss.security.ClientLoginModule" flag="required">
          <module-option name="restore-login-identity">true</module-option>
        </login-module>
        <login-module code = "org.jboss.security.auth.spi.DatabaseServerLoginModule" flag = "required">
          <!--<module-option name = "unauthenticatedIdentity">invitado</module-option>-->
          <module-option name = "password-stacking">useFirstPass</module-option>
          <module-option name = "hashStorePassword">true</module-option>
          <module-option name = "dsJndiName">java:/Bvmc</module-option>
          <module-option name = "principalsQuery">SELECT PASSWORD FROM CATALOGADOR WHERE usuario=?</module-option>
          <module-option name = "rolesQuery">SELECT ROL, 'Roles' FROM CATALOGADOR_ROL WHERE usuario=?</module-option>
          <module-option name = "hashAlgorithm">MD5</module-option>
          <module-option name = "hashEncoding">base64</module-option>
        </login-module>
      </authentication>
    </application-policy>
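
An end-to-end client, added here as an example and not taken from the thread, that puts the pieces discussed above in one place: JAAS login through SecurityClient against verifiq-domain (with ClientLoginModule present in login-config.xml as in the reply), the EJB lookup using the javax.naming.Context keys, the call under that identity, and logout. The domain name, the JNDI name, the remote interface com.cervantesvirtual.interfaces.ExplusionStatusBoEjbRemote and the MD5/base64 hashing step come from the post; the class name VerifiqEjbClient, the provider URL and the credentials in main are assumptions.

```java
import java.io.IOException;
import java.util.Properties;

import javax.ejb.EJBAccessException;
import javax.naming.Context;
import javax.naming.InitialContext;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.NameCallback;
import javax.security.auth.callback.PasswordCallback;
import javax.security.auth.callback.UnsupportedCallbackException;

import org.jboss.security.Util;
import org.jboss.security.client.SecurityClient;
import org.jboss.security.client.SecurityClientFactory;

import com.cervantesvirtual.interfaces.ExplusionStatusBoEjbRemote;

/**
 * Added example (not the poster's code): log a user into "verifiq-domain"
 * from a remote client, call an EJB under that identity, then log out.
 * The hashing step mirrors the poster's callback handler (MD5, base64) so the
 * credential matches what the DatabaseServerLoginModule in login-config.xml
 * is configured to compare against.
 */
public class VerifiqEjbClient {

    private static final String DOMAIN = "verifiq-domain";
    // JNDI name exactly as used in the original post
    private static final String EJB_JNDI_NAME =
        "cervantesvirtual-enterprise/ExplusionStatusBoEjb/remote-"
        + "com.cervantesvirtual.interfaces.ExplusionStatusBoEjbRemote";

    /** Answers NameCallback with the user and PasswordCallback with the hashed password. */
    static final class PasswordHashCallbackHandler implements CallbackHandler {
        private final String username;
        private final char[] password;

        PasswordHashCallbackHandler(String username, char[] password) {
            this.username = username;
            this.password = password.clone();
        }

        public void handle(Callback[] callbacks) throws IOException, UnsupportedCallbackException {
            for (Callback cb : callbacks) {
                if (cb instanceof NameCallback) {
                    ((NameCallback) cb).setName(username);
                } else if (cb instanceof PasswordCallback) {
                    // Same transformation the poster's handler applies (MD5, base64).
                    String hash = Util.createPasswordHash("MD5", "BASE64", null, null, new String(password));
                    ((PasswordCallback) cb).setPassword(hash.toCharArray());
                } else {
                    // Let ClientLoginModule fall back to the callbacks we do support.
                    throw new UnsupportedCallbackException(cb, "only name/password callbacks are handled");
                }
            }
        }
    }

    /** JNDI environment built from the javax.naming.Context keys, not bare strings. */
    static Properties jndiEnvironment(String providerUrl) {
        Properties env = new Properties();
        env.setProperty(Context.INITIAL_CONTEXT_FACTORY, "org.jnp.interfaces.NamingContextFactory");
        env.setProperty(Context.URL_PKG_PREFIXES, "org.jboss.naming:org.jnp.interfaces");
        env.setProperty(Context.PROVIDER_URL, providerUrl);
        return env;
    }

    /**
     * Runs one EJB call as the given user. The identity established by
     * SecurityClient.login() is what the EJB tier sees as the caller; logout()
     * in the finally block keeps it from lingering on the thread for later calls.
     */
    static String expellAs(String user, char[] password, String providerUrl) throws Exception {
        SecurityClient client = SecurityClientFactory.getSecurityClient();
        client.setJAAS(DOMAIN, new PasswordHashCallbackHandler(user, password));
        client.login();
        try {
            Context ctx = new InitialContext(jndiEnvironment(providerUrl));
            ExplusionStatusBoEjbRemote service = (ExplusionStatusBoEjbRemote) ctx.lookup(EJB_JNDI_NAME);
            return service.expell(user, new String(password));
        } catch (EJBAccessException e) {
            // "caller unauthorized": the call reached the bean but either no identity
            // was propagated or the roles returned by rolesQuery do not satisfy the
            // bean's constraints. Report which user was rejected, never the credential.
            throw new IllegalStateException("EJB rejected caller " + user, e);
        } finally {
            client.logout();
        }
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample values; a real client takes these from its own input.
        String response = expellAs("usuario", "secret".toCharArray(), "jnp://localhost:1099");
        System.out.println("EJB response: " + response);
    }
}
```

Two points worth keeping from this layout: the password is held as a char[] and is never written to the log (the original client logs it in clear text at debug level), and an EJBAccessException is surfaced with the user name only, which is enough to correlate with the server-side audit the poster wants without leaking the credential into client logs.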