9 Replies Latest reply on Oct 16, 2001 3:02 AM by Konstantin

    general security

    Marc Carrion Newbie

      Hello, I need some help trying to setup the security in my application...

      I know it will sound really easy for you but It's being really complex for me.

      I have a Servlet that calls to some session beans.
      I want to protect only the beans, not the servlet. I created an implementation of SubjectSecurityManager and RealmMapping, it's a really dumb implementation... I added the assembly-descriptor in the deploy descriptors, etc...
      But when I run the servlet, the user is not authenticated, what should I do???

      Thanks,
      Marc

        • 1. Re: general security
          Marc Carrion Newbie

          That's the exception I get:

          [LoginBean] Authentication exception, principal=null
          [Default] java.rmi.RemoteException: checkSecurityAssociation; nested exception i
          s:
          java.lang.SecurityException: Authentication exception, principal=null
          [Default] at org.jboss.ejb.plugins.SecurityInterceptor.checkSecurityAssoci
          ation(SecurityInterceptor.java:169)
          [Default] at org.jboss.ejb.plugins.SecurityInterceptor.invokeHome(Security
          Interceptor.java:92)
          [Default] at org.jboss.ejb.plugins.LogInterceptor.invokeHome(LogIntercepto
          r.java:106)
          [Default] at org.jboss.ejb.StatelessSessionContainer.invokeHome(StatelessS
          essionContainer.java:268)
          [Default] at org.jboss.ejb.plugins.jrmp.server.JRMPContainerInvoker.invoke
          Home(JRMPContainerInvoker.java:437)
          [Default] at org.jboss.ejb.plugins.jrmp.interfaces.HomeProxy.invokeHome(Ho
          meProxy.java:237)
          [Default] at org.jboss.ejb.plugins.jrmp.interfaces.HomeProxy.invoke(HomePr
          oxy.java:182)
          [Default] at $Proxy9.create(Unknown Source)
          [Default] at LoginServlet.doGet(LoginServlet.java:63)

          Thanks,
          Marc

          • 2. Re: general security
            Andreas Schouten Newbie

            Understand I rigth?
            You want that anybody can access Your servlet but the beans are secured?

            Then implement a callback with default user and password in your servlet. The same as described in jaas doku for a single java client.

            But notice: All beans will use the same callback independent of the user. This means, if You pass a authentication information to the callback the last user will be taken for all sessions.

            • 3. Re: general security
              Marc Carrion Newbie

              I didn't want to protect the servlet, but if I had to protect it I protect it, I don't mind, the problem is what should I do to authenticate the user. I have bean that can authenticate the user using active directory from microsoft, I also have the security manager that authenticate the user if his name is 'test1', 'test2', 'testN'.

              The problem is the browser should show a login dialog, should I do a html with the form (I already have one, but I don't know how to configure jboss to use it) That kind of things.

              Thanks again,
              Marc

              • 4. Re: general security
                Julia C Newbie

                If you have jaas all set up, you can get a login screen by doing this in your web.xml:

                <web-app>
                ...
                <login-config>
                <auth-method>BASIC</auth-method>
                <realm-name>My Realm</realm-name>
                </login-config>
                ...
                </web-app>

                If you want to use your own login form you would say FORM instead of BASIC, but I can't find an example for the life of me. Maybe someone else could post one.

                Hope that helped.

                • 5. Re: general security
                  Marc Carrion Newbie

                  In <realm-name> what must I specify? The name of a class extending a generic class, the jndi name of this class, or what?

                  Thanks again,
                  M.

                  • 6. Re: general security
                    Pranab Ghosh Newbie

                    I also have a similar situation. My servlets don't need to be secured, but the ejb's do. I have taken the following approach for JAAs authentication. Please let me know if you find anything wrong.

                    - Use ClientLoginModule for client and UsersRolesLoginModule for server
                    - In the login servlet, use callback to supply the name and password for client side authentication and then call a secured ejb method for server side authentication. Store name and password in http session
                    - In other servlets, before any secured ejb call, use LoginContext and do client side authentication using name and password stored in the http session before the ejb call.

                    Is there a better way?

                    Thanks,
                    Pranab

                    • 7. Re: general security
                      Ashu Newbie

                      Can you tell me how do i secure my JSP code kept in the JBoss server Root directory.
                      typically I would like to Encrypt my JSp code or a similar thing so that the code if stolen cannot be used by someone else from the web hosting dept.

                      is ther a standard methos ...?

                      • 8. Re: general security
                        J. Wolfgang Kaltz Novice

                        > - In the login servlet, use callback to supply the
                        > name and password for client side authentication and
                        > then call a secured ejb method for server side
                        > authentication. Store name and password in http
                        > session

                        Yeah, very similar here, I use the JBoss predefined callback
                        org.jboss.security.auth.callback.UsernamePasswordHandler
                        for that

                        • 9. It could be easier
                          Konstantin Newbie

                          You do not have to change all your JSP's

                          Why not to write an interceptor, which does exactly the same as JbossSecurityMgrRealm ( or even less? )

                          Hook up in pre-service, and setup principal/credential
                          for beans access as you like.

                          JbossSecurityMgrRealm would not do this for
                          requests which do no require authentication.