5 Replies Latest reply on Sep 20, 2001 2:15 PM by Scott Stark

    No Principals in my Subject ???

    Dave Elliot Newbie

      Hi,

      I have configured a custom LdapLogicModule which is working fine. I have an issue tho...even though I am populating the well-known group 'Roles' with a SimplePrincipal for each group membership, and the login process is all completing successfully, if I run this code in the application client:

      Subject subject = this.loginContext.getSubject();
      System.out.println(subject.getPrincipals());

      I see an empty Set. Always! I know the user is authenticated properly as the following calls work properly within an EJB method that required authentication:

      this.context.getCallerPrincipal()
      this.context.isCallerInRole("Finance")


      Any ideas why the Subject object on the client side is empty after successfully authenticating (yep I do not check the Subject until after the first authenticating method call due to the lazy authentication)...

      Thanks,

      Dave

        • 1. Re: No Principals in my Subject ???
          Scott Stark Master

          What does you client side auth.conf module look like?

          • 2. Re: No Principals in my Subject ???
            Dave Elliot Newbie

            It's not very imaginative...I copied your default one ;-)

            other {
            // Put your login modules that work without jBoss here

            // jBoss LoginModule
            org.jboss.security.ClientLoginModule required;

            // Put your login modules that need jBoss here
            };

            • 3. Re: No Principals in my Subject ???
              Scott Stark Master

              Your a little confused on the relationship between the client initiated login and the server side login module configuration. When you do a JAAS login, you execute the login module associated with the login entry named by the LoginContext(name, ...) name parameter. The ClientLoginModule simply takes the client username and password and associates them withe JBoss EJB invocation layer. Any EJB call made by the client after the login will be associated with the login username and password. The server side login modules are executed when an EJB call is made by the client. The server side does a seperate login agains the server side login modules and it is that Subject that has the roles retrieved by your ldap login module.

              You would have to use your login module on the client side to see the roles added to the client side Subject.

              • 4. Re: No Principals in my Subject ???
                Dave Elliot Newbie

                > Your a little confused on the relationship between the client initiated login and the server side login module configuration.

                No suprises there ;-)

                > You would have to use your login module on the client side to see the roles added to the client side Subject.

                Mmm I had noticed and wondered why/how the CallbackHandler was being accessed in the client VM when it's not a Remote obj. + I was thinking that the ClientLoginModule acted like a proxy to a server side module. Doh ;-)

                Anywho, so if I deploy my custom LoginModule with the client what then does the job of "associating the username and password with the JBoss EJB invocation layer"? Or would I have to be a litte clever and write a 'client-side' version of my LoginModule ? Or do I associate my LoginModule _and_ the ClientLoginModule as both 'required' in the client's auth.conf ? Would this then mean that the authentication process against the LDAP server happens twice...once from the client LoginModule and once from the server LoginModule?

                Thanks for helping out,

                Dave


                • 5. Re: No Principals in my Subject ???
                  Scott Stark Master

                  > write a 'client-side' version of my LoginModule ? Or
                  > do I associate my LoginModule _and_ the
                  > ClientLoginModule as both 'required' in the client's
                  > auth.conf ? Would this then mean that the
                  > authentication process against the LDAP server
                  > happens twice...once from the client LoginModule and
                  > once from the server LoginModule?
                  You would always include the ClientLoginModule as required. Yes, the authentication against the LDAP server would happen twice.