0 Replies Latest reply on Jun 17, 2008 6:53 PM by Hans Meier

    javax.ejb.EJBAccessException: Authentication failure

    Hans Meier Newbie

      Hi,

      Im trying to do authentication (ejb 3.0, jboss-4.2.2.GA).

      Im getting this error:


      Exception in thread "main" javax.ejb.EJBAccessException: Authentication failure
      at org.jboss.ejb3.security.Ejb3AuthenticationInterceptor.handleGeneralSecurityException(Ejb3AuthenticationInterceptor.java:68)
      at org.jboss.aspects.security.AuthenticationInterceptor.invoke(AuthenticationInterceptor.java:70)
      at org.jboss.ejb3.security.Ejb3AuthenticationInterceptor.invoke(Ejb3AuthenticationInterceptor.java:110)
      at org.jboss.aop.joinpoint.MethodInvocation.invokeNext(MethodInvocation.java:101)
      at org.jboss.ejb3.ENCPropagationInterceptor.invoke(ENCPropagationInterceptor.java:46)
      at org.jboss.aop.joinpoint.MethodInvocation.invokeNext(MethodInvocation.java:101)
      at org.jboss.ejb3.asynchronous.AsynchronousInterceptor.invoke(AsynchronousInterceptor.java:106)
      at org.jboss.aop.joinpoint.MethodInvocation.invokeNext(MethodInvocation.java:101)
      at org.jboss.ejb3.stateless.StatelessContainer.dynamicInvoke(StatelessContainer.java:304)
      at org.jboss.aop.Dispatcher.invoke(Dispatcher.java:106)
      at org.jboss.aspects.remoting.AOPRemotingInvocationHandler.invoke(AOPRemotingInvocationHandler.java:82)
      at org.jboss.remoting.ServerInvoker.invoke(ServerInvoker.java:769)
      at org.jboss.remoting.transport.socket.ServerThread.processInvocation(ServerThread.java:573)
      at org.jboss.remoting.transport.socket.ServerThread.dorun(ServerThread.java:373)
      at org.jboss.remoting.transport.socket.ServerThread.run(ServerThread.java:166)
      at org.jboss.remoting.MicroRemoteClientInvoker.invoke(MicroRemoteClientInvoker.java:163)
      at org.jboss.remoting.Client.invoke(Client.java:1634)
      at org.jboss.remoting.Client.invoke(Client.java:548)
      at org.jboss.aspects.remoting.InvokeRemoteInterceptor.invoke(InvokeRemoteInterceptor.java:62)
      at org.jboss.aop.joinpoint.MethodInvocation.invokeNext(MethodInvocation.java:101)
      at org.jboss.aspects.tx.ClientTxPropagationInterceptor.invoke(ClientTxPropagationInterceptor.java:67)
      at org.jboss.aop.joinpoint.MethodInvocation.invokeNext(MethodInvocation.java:101)
      at org.jboss.aspects.security.SecurityClientInterceptor.invoke(SecurityClientInterceptor.java:53)
      at org.jboss.aop.joinpoint.MethodInvocation.invokeNext(MethodInvocation.java:101)
      at org.jboss.ejb3.remoting.IsLocalInterceptor.invoke(IsLocalInterceptor.java:74)
      at org.jboss.aop.joinpoint.MethodInvocation.invokeNext(MethodInvocation.java:101)
      at org.jboss.ejb3.stateless.StatelessRemoteProxy.invoke(StatelessRemoteProxy.java:107)
      at $Proxy0.sub(Unknown Source)
      at myclient.Client.main(Client.java:44)
      at org.jboss.aspects.remoting.InvokeRemoteInterceptor.invoke(InvokeRemoteInterceptor.java:74)
      at org.jboss.aop.joinpoint.MethodInvocation.invokeNext(MethodInvocation.java:101)
      at org.jboss.aspects.tx.ClientTxPropagationInterceptor.invoke(ClientTxPropagationInterceptor.java:67)
      at org.jboss.aop.joinpoint.MethodInvocation.invokeNext(MethodInvocation.java:101)
      at org.jboss.aspects.security.SecurityClientInterceptor.invoke(SecurityClientInterceptor.java:53)
      at org.jboss.aop.joinpoint.MethodInvocation.invokeNext(MethodInvocation.java:101)
      at org.jboss.ejb3.remoting.IsLocalInterceptor.invoke(IsLocalInterceptor.java:74)
      at org.jboss.aop.joinpoint.MethodInvocation.invokeNext(MethodInvocation.java:101)
      at org.jboss.ejb3.stateless.StatelessRemoteProxy.invoke(StatelessRemoteProxy.java:107)
      at $Proxy0.sub(Unknown Source)
      at myclient.Client.main(Client.java:44)


      That is my Client:

      package myclient;
      
      import java.rmi.RMISecurityManager;
      import java.util.Properties;
      
      import javax.naming.InitialContext;
      import javax.security.auth.login.LoginContext;
      import javax.security.auth.login.LoginException;
      
      import myserv.IDoSomethingBean;
      
      import org.jboss.security.auth.callback.UsernamePasswordHandler;
      
      public class Client
      {
      
       public static void main(String[] args) throws Exception
       {
       System.setProperty("java.security.policy", "F:\\rmi.policy");
       System.setProperty("java.security.auth.login.config", "F:\\jaas.config");
       if (System.getSecurityManager() == null) {
       System.setSecurityManager(new RMISecurityManager());
       }
      
       Properties properties = new Properties();
       properties.put("java.naming.factory.initial","org.jnp.interfaces.NamingContextFactory");
       properties.put("java.naming.factory.url.pkgs","org.jboss.naming:org.jnp.interfaces");
       properties.put("java.naming.provider.url","localhost:1099");
      
       UsernamePasswordHandler handler = null;
       handler = new UsernamePasswordHandler("kermit", "thefrog");
       LoginContext lc = new LoginContext("steffendom", handler);
      
       try {
       lc.login();
       } catch(LoginException e) {
       System.out.println("authentication failed");
       e.printStackTrace();
       }
      
       InitialContext ctx = new InitialContext(properties);
       IDoSomethingBean calculator = (IDoSomethingBean) ctx.lookup("DoSomethingBean/remote");
      
       System.out.println("9 - 5 = " + calculator.sub(9, 5));
      
       // Scope of work complete, logout to remove authentication info
       try {
       lc.logout();
       } catch(LoginException e) {
       System.out.println("logout failed");
       e.printStackTrace();
       }
      
       }
      }
      


      Im starting jboss with "run -c all".

      This is my \server\all\conf\login-config.xml


      <?xml version='1.0'?>
      <!DOCTYPE policy PUBLIC
      "-//JBoss//DTD JBOSS Security Config 3.0//EN"
      "http://www.jboss.org/j2ee/dtd/security_config.dtd">

      <!-- The XML based JAAS login configuration read by the
      org.jboss.security.auth.login.XMLLoginConfig mbean. Add
      an application-policy element for each security domain.

      The outline of the application-policy is:
      <application-policy name="security-domain-name">
      <authentication>
      <login-module code="login.module1.class.name" flag="control_flag">
      <module-option name = "option1-name">option1-value</module-option>
      <module-option name = "option2-name">option2-value</module-option>
      ...
      </login-module>

      <login-module code="login.module2.class.name" flag="control_flag">
      ...
      </login-module>
      ...
      </authentication>
      </application-policy>

      $Revision: 64598 $
      -->

      <policy>
      <!-- Used by clients within the application server VM such as
      mbeans and servlets that access EJBs.
      -->
      <application-policy name = "client-login">
      <authentication>
      <login-module code = "org.jboss.security.ClientLoginModule"
      flag = "required">
      <!-- Any existing security context will be restored on logout -->
      <module-option name="restore-login-identity">true</module-option>
      </login-module>
      </authentication>
      </application-policy>

      <!-- Security domain for JBossMQ -->
      <application-policy name = "jbossmq">
      <authentication>
      <login-module code = "org.jboss.security.auth.spi.DatabaseServerLoginModule"
      flag = "required">
      <module-option name = "unauthenticatedIdentity">guest</module-option>
      <module-option name = "dsJndiName">java:/DefaultDS</module-option>
      <module-option name = "principalsQuery">SELECT PASSWD FROM JMS_USERS WHERE USERID=?</module-option>
      <module-option name = "rolesQuery">SELECT ROLEID, 'Roles' FROM JMS_ROLES WHERE USERID=?</module-option>
      </login-module>
      </authentication>
      </application-policy>

      <!-- Security domain for JBossMQ when using file-state-service.xml
      <application-policy name = "jbossmq">
      <authentication>
      <login-module code = "org.jboss.mq.sm.file.DynamicLoginModule"
      flag = "required">
      <module-option name = "unauthenticatedIdentity">guest</module-option>
      <module-option name = "sm.objectname">jboss.mq:service=StateManager</module-option>
      </login-module>
      </authentication>
      </application-policy>
      -->

      <!-- Security domains for testing new jca framework -->
      <application-policy name = "HsqlDbRealm">
      <authentication>
      <login-module code = "org.jboss.resource.security.ConfiguredIdentityLoginModule"
      flag = "required">
      <module-option name = "principal">sa</module-option>
      <module-option name = "userName">sa</module-option>
      <module-option name = "password"></module-option>
      <module-option name = "managedConnectionFactoryName">jboss.jca:service=LocalTxCM,name=DefaultDS</module-option>
      </login-module>
      </authentication>
      </application-policy>

      <application-policy name = "JmsXARealm">
      <authentication>
      <login-module code = "org.jboss.resource.security.ConfiguredIdentityLoginModule"
      flag = "required">
      <module-option name = "principal">guest</module-option>
      <module-option name = "userName">guest</module-option>
      <module-option name = "password">guest</module-option>
      <module-option name = "managedConnectionFactoryName">jboss.jca:service=TxCM,name=JmsXA</module-option>
      </login-module>
      </authentication>
      </application-policy>

      <!-- A template configuration for the jmx-console web application. This
      defaults to the UsersRolesLoginModule the same as other and should be
      changed to a stronger authentication mechanism as required.
      -->
      <application-policy name = "jmx-console">
      <authentication>
      <login-module code="org.jboss.security.auth.spi.UsersRolesLoginModule"
      flag = "required">
      <module-option name="usersProperties">props/jmx-console-users.properties</module-option>
      <module-option name="rolesProperties">props/jmx-console-roles.properties</module-option>
      </login-module>
      </authentication>
      </application-policy>

      <!-- A template configuration for the web-console web application. This
      defaults to the UsersRolesLoginModule the same as other and should be
      changed to a stronger authentication mechanism as required.
      -->
      <application-policy name = "web-console">
      <authentication>
      <login-module code="org.jboss.security.auth.spi.UsersRolesLoginModule"
      flag = "required">
      <module-option name="usersProperties">web-console-users.properties</module-option>
      <module-option name="rolesProperties">web-console-roles.properties</module-option>
      </login-module>
      </authentication>
      </application-policy>

      <!--
      A template configuration for the JBossWS security domain.
      This defaults to the UsersRolesLoginModule the same as other and should be
      changed to a stronger authentication mechanism as required.
      -->
      <application-policy name="JBossWS">
      <authentication>
      <login-module code="org.jboss.security.auth.spi.UsersRolesLoginModule"
      flag="required">
      <module-option name="usersProperties">props/jbossws-users.properties</module-option>
      <module-option name="rolesProperties">props/jbossws-roles.properties</module-option>
      <module-option name="unauthenticatedIdentity">anonymous</module-option>
      </login-module>
      </authentication>
      </application-policy>

      <!-- The default login configuration used by any security domain that
      does not have a application-policy entry with a matching name
      -->
      <application-policy name = "other">
      <!-- A simple server login module, which can be used when the number
      of users is relatively small. It uses two properties files:
      users.properties, which holds users (key) and their password (value).
      roles.properties, which holds users (key) and a comma-separated list of
      their roles (value).
      The unauthenticatedIdentity property defines the name of the principal
      that will be used when a null username and password are presented as is
      the case for an unuathenticated web client or MDB. If you want to
      allow such users to be authenticated add the property, e.g.,
      unauthenticatedIdentity="nobody"
      -->
      <authentication>
      <login-module code = "org.jboss.security.auth.spi.UsersRolesLoginModule"
      flag = "required" />
      </authentication>
      </application-policy>

      <application-policy name="steffendom">
      <authentication>
      <login-module code="org.jboss.security.auth.spi.UsersRolesLoginModule"
      flag="required">
      <module-option name="usersProperties">users.properties</module-option>
      <module-option name="rolesProperties">roles.properties</module-option>
      </login-module>
      </authentication>
      </application-policy>


      </policy>


      My users.properties:

      # A sample users.properties file for use with the UsersRolesLoginModule
      kermit=thefrog


      My roles.properties:

      # A sample roles.properties file for use with the UsersRolesLoginModule
      kermit=friend


      I placed these two files in \server\all\conf and in \server\all\conf\props and in the jar where my (ejb 3.0) bean is located, just to be sure.

      My rmi.policy:

      grant
      {
      permission java.security.AllPermission;
      };


      My jaas.config:

      steffendom { org.jboss.security.auth.spi.UsersRolesLoginModule required;};


      And just to be complete, my two Bean-Classes:

      package myserv;
      
      import javax.ejb.Stateless;
      import org.jboss.annotation.security.SecurityDomain;
      import javax.annotation.security.PermitAll;
      import javax.annotation.security.RolesAllowed;
      
      @Stateless
      @SecurityDomain("steffendom")
      public class DoSomethingBean implements IDoSomethingBean
      {
       @RolesAllowed({"friend"})
       public int add(int a, int b)
       {
       return a+b;
       }
      
       @PermitAll
       public int sub(int a, int b)
       {
       return a-b;
       }
      }
      


      package myserv;
      
      
      import javax.ejb.*;
      
      @Remote
      public interface IDoSomethingBean {
       public int add(int a, int b);
       public int sub(int a, int b);
      }
      



      Please help, I googeld every site there is. I dont know what more I can do.