2 Replies Latest reply on Mar 20, 2005 2:22 AM by Jason VenHuizen

    Authentication EJB

    Marc Carrion Newbie

      I have a session bean (login) with the method
      boolean authenticate(string n, string p) that return true if the user is correct, false otherwise

      I also have a session bean (test) with three methods, one is available for role1, the other one for the role2 and the last one for the role3.

      The login bean has permissions for everybody but I can't execute the create method because I'm not yet authenticated, so I authenticate a default user, but, when I try to execute the create I'm not yet authenticated... what should I do between lc.login(...) and loginHome.create() in the servlet code???

      try {
      LoginContext lc;
      DialogCallbackHandler dch = DialogCallbackHandler();
      lc=new LoginContext("simple", dch);
      lc.login();
      Login login;
      login = homeLogin.create();
      } catch (Exception e) {
      e.printStackTrace();
      }

      I also tryed to execute the .create inside a PrivilegedAction, using the Subject.doAs(...)

      Thanks,
      M.

        • 1. Re: Authentication EJB
          Scott Stark Master

          Configure the login module to assign an unauthenticatedIdentity value(assuming its a subclass of org.jboss.security.auth.spi.UsernamePasswordLoginModule) as is done in the default auth.conf file:

          // The default server login module
          other {
           // A simple server login module, which can be used when the number
           // of users is relatively small. It uses two properties files:
           // users.properties, which holds users (key) and their password (value).
           // roles.properties, which holds users (key) and a comma-separated list of
           their roles (value).
           // The unauthenticatedIdentity property defines the name of the principal
           // that will be used when a null username and password are presented as is
           // the case for an unuathenticated web client or MDB. If you don't want to
           // allow such users to be authenticated remove the property.
           org.jboss.security.auth.spi.UsersRolesLoginModule required
           unauthenticatedIdentity="nobody";
          
          };
          


          If you can't do that then you can assign this inside of the jboss.xml descriptor using the unauthenticated-principal element:

          <jboss>
           <unauthenticated-principal>nobody</unauthenticated-principal>
          ...
          </jboss>
          



          • 2. Re: Authentication EJB
            Jason VenHuizen Newbie

            I was able to create the LoginContext in my session bean, but after authenticating which granted my user the proper role I still get a security error when I try to invoke another method. Is there something I need to do to associcate the login context with the current session?