That's the exception I get:
[LoginBean] Authentication exception, principal=null
[Default] java.rmi.RemoteException: checkSecurityAssociation; nested exception i
java.lang.SecurityException: Authentication exception, principal=null
[Default] at org.jboss.ejb.plugins.SecurityInterceptor.checkSecurityAssoci
[Default] at org.jboss.ejb.plugins.SecurityInterceptor.invokeHome(Security
[Default] at org.jboss.ejb.plugins.LogInterceptor.invokeHome(LogIntercepto
[Default] at org.jboss.ejb.StatelessSessionContainer.invokeHome(StatelessS
[Default] at org.jboss.ejb.plugins.jrmp.server.JRMPContainerInvoker.invoke
[Default] at org.jboss.ejb.plugins.jrmp.interfaces.HomeProxy.invokeHome(Ho
[Default] at org.jboss.ejb.plugins.jrmp.interfaces.HomeProxy.invoke(HomePr
[Default] at $Proxy9.create(Unknown Source)
[Default] at LoginServlet.doGet(LoginServlet.java:63)
Do I understand right?
You want anybody to be able to access your servlet, but the beans to be secured?
Then implement a callback with a default user and password in your servlet, the same as described in the JAAS documentation for a single Java client.
But notice: all beans will use the same callback independent of the user. This means that if you pass authentication information to the callback, the last user will be taken for all sessions.
I didn't want to protect the servlet, but if I have to protect it I'll protect it, I don't mind; the problem is what I should do to authenticate the user. I have a bean that can authenticate the user using Microsoft Active Directory, and I also have the security manager that authenticates the user if his name is 'test1', 'test2', 'testN'.
The problem is that the browser should show a login dialog. Should I make an HTML page with the form (I already have one, but I don't know how to configure JBoss to use it)? That kind of thing.
If you have JAAS all set up, you can get a login screen by doing this in your web.xml:
If you want to use your own login form you would say FORM instead of BASIC, but I can't find an example for the life of me. Maybe someone else could post one.
Hope that helped.
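An added example, not the configuration from the post above, of the web.xml fragment being described: one security-constraint on the servlet URLs with a BASIC login-config, and the FORM alternative the post mentions, commented out, pointing at a login page of your own. The URL pattern, role name and page names are assumptions.

```xml
<!-- web.xml (Servlet 2.2 style); added example, not the poster's own configuration -->
<web-app>
  <!-- Everything under /secure/ (assumed path) requires the "user" role (assumed name) -->
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Secured servlets</web-resource-name>
      <url-pattern>/secure/*</url-pattern>
      <http-method>GET</http-method>
      <http-method>POST</http-method>
    </web-resource-collection>
    <auth-constraint>
      <role-name>user</role-name>
    </auth-constraint>
  </security-constraint>

  <!-- BASIC: the browser shows its own login dialog. realm-name is only the
       text displayed in that dialog, not a class name or a JNDI name. -->
  <login-config>
    <auth-method>BASIC</auth-method>
    <realm-name>JBoss secured beans</realm-name>
  </login-config>

  <!-- FORM alternative: only one login-config is allowed, so swap this in for
       the block above. /login.html (assumed name) must POST to j_security_check
       with input fields named j_username and j_password. -->
  <!--
  <login-config>
    <auth-method>FORM</auth-method>
    <realm-name>JBoss secured beans</realm-name>
    <form-login-config>
      <form-login-page>/login.html</form-login-page>
      <form-error-page>/login-error.html</form-error-page>
    </form-login-config>
  </login-config>
  -->

  <!-- Every role named in an auth-constraint must be declared here -->
  <security-role>
    <role-name>user</role-name>
  </security-role>
</web-app>
```

Unauthenticated requests to /secure/* are then challenged by the container before the servlet runs, while the rest of the application stays open.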
In <realm-name>, what must I specify? The name of a class extending a generic class, the JNDI name of this class, or what?
I also have a similar situation. My servlets don't need to be secured, but the EJBs do. I have taken the following approach for JAAS authentication. Please let me know if you find anything wrong.
- Use ClientLoginModule on the client and UsersRolesLoginModule on the server
- In the login servlet, use a callback to supply the name and password for client-side authentication, and then call a secured EJB method for server-side authentication. Store the name and password in the HTTP session
- In other servlets, before any secured EJB call, use LoginContext and do client-side authentication using the name and password stored in the HTTP session before the EJB call.
Is there a better way?
Can you tell me how I secure my JSP code kept in the JBoss server root directory?
Typically I would like to encrypt my JSP code or something similar, so that if the code is stolen it cannot be used by someone else from the web hosting department.
Is there a standard method ...?
> - In the login servlet, use callback to supply the
> name and password for client side authentication and
> then call a secured ejb method for server side
> authentication. Store name and password in http
Yeah, very similar here, I use the JBoss predefined callback
You do not have to change all your JSPs.
Why not write an interceptor which does exactly the same as JbossSecurityMgrRealm (or even less)?
Hook it up in pre-service, and set up the principal/credential for bean access as you like.
JbossSecurityMgrRealm would not do this for requests which do not require authentication.