8 Replies Latest reply on Oct 5, 2001 10:47 AM by deepa

    Stuck with Security Exception

    deepa Newbie

      I have created an application which authenticates a user and enables the user to access various applications based on his role. The authentication is done in a servlet, which works just fine. However, I am not able to get a reference to any bean after that.


      1 InitialContext iniContext = new InitialContext();
      2 AdminHome home = (AdminHome) iniContext.lookup("ssfile/Admin");
      3 System.out.println("Found AdminHome");
      4 Admin bean = home.create();
      5 System.out.println("Created Admin");
      6 bean.remove();

      Upon home.create()(line 4), the system breaks and gives the following error:

      --------------------------------------------------
      [EmbeddedTomcatSX] Found AdminHome
      [EmbeddedTomcatSX] Found AdminHome
      [Admin] Authentication exception, principal=null
      [Admin] Authentication exception, principal=null
      [Admin] TRANSACTION ROLLBACK EXCEPTION:checkSecurityAssociation; nested exceptio
      n is:
      java.lang.SecurityException: Authentication exception, principal=null; n
      ested exception is:
      java.rmi.RemoteException: checkSecurityAssociation; nested exception is:

      --------------------------------------------------

      My jboss.xml is:

      <security-domain>java:/jaas/security-domain</security-domain>
      <enterprise-beans>

      <ejb-name>Security</ejb-name>
      <jndi-name>ssfile/Security</jndi-name>


      <ejb-name>Resume</ejb-name>
      <jndi-name>ssfile/Resume</jndi-name>


      <ejb-name>Admin</ejb-name>
      <jndi-name>ssfile/Admin</jndi-name>

      </enterprise-beans>


      I have noticed that if I remove <security-domain>java:/jaas/security-domain</security-domain> from the jboss.xml file, then everything works fine.
      However, I don't want to remove it. Does anyone know how to fix this?

      Thanks,

      Deepa George

        • 1. Re: Stuck with Security Exception
          J. Wolfgang Kaltz Novice

          Well according to what you describe, you haven't implemented / configured any EJB security (where is your JAAS login module?). So it's not surprising that EJBs which you deploy with a security context are not accessible. Of course, if you comment out the security context, then access works, but then you don't have EJB security.

          See the online documentation and/or the JavaWorld JBossSX article on how to configure EJB security in JBoss. It is not a trivial matter but believe me, when you follow the steps described in the documentation it works.

          • 2. my 2 cents
            Konstantin Newbie

            You also forgot to perform real login.

            To have working security in you app you will need following:

            On the backend:
            - configured login modules which can authenticate
            your username/password and assign roles based on it

            - activates security in EJB descriptors

            On the frontend:
            - configured login modules for the frontend.
            Simpliest would be ClientLoginModule which
            just saves supplied data for further EJB invocations
            - call to this login module from your servlet


            NOte that authentication/authorisation on the frontend
            and backend is not necessarily the same.

            Yourprincipal/credentials will be passed to EJB backend on every invocation

            • 3. Re: Stuck with Security Exception
              deepa Newbie

              Thanks jwkaltz and ko5tik,

              I changed the application so that it uses a ClentLoginModule on the client-side and the DatabaseServerLoginModule on the server-side. I have a class called Authenticate that does the login. The code is as follows:

              ____________________________________________

              public boolean authenticated(String user, String pass) throws Exception
              {
              boolean login = false;
              char[] password = pass.toCharArray();


              try
              { System.setProperty("java.security.auth.login.config","file://C:/projects/0341_ardec_ebf/lib/jboss/client/auth.conf");
              AppCallbackHandler handler = new AppCallbackHandler(user, password);
              LoginContext lc = new LoginContext("other",handler);
              System.out.println("Created LoginContext");
              lc.login();
              login=true;
              }
              catch (LoginException le)
              {
              System.out.println("Login failed");
              login=false;
              le.printStackTrace();
              }


              return login;
              }

              ________________________________________________

              (For test purposes)When a simple client class calls the above mentioned Authenticate class method, the login takes place perfectly and everything works fine.

              However, in the application I have created, the client is a servlet(required) that calls the above mentioned class method to authenticate. However, I get the following messages:
              -----------------------------------------------
              [EmbeddedTomcatSX] Login failed
              [EmbeddedTomcatSX] javax.security.auth.login.LoginException: No LoginModules con
              figured for other
              [EmbeddedTomcatSX] at javax.security.auth.login.LoginContext.init(LoginCont
              ext.java:176)
              ------------------------------------------------
              I know this is happening because when the "LoginContext lc = new LoginContext("other",handler);" is called, it searches for "other" in the jboss.home/conf/tomcat/auth.conf file instead of jboss.home/client/auth.conf file.
              Do you know how I can fix this error? Please help!!!

              Thanks,

              Deepa George

              • 4. Re: Stuck with Security Exception
                J. Wolfgang Kaltz Novice

                > javax.security.auth.login.LoginException: No LoginModules configured for other

                Yeah I fought with that one too. What is happening is that the JAAS API is looking for a file
                auth.conf in the system class path, either it didn't find a file at all, or it did but this file doesn't have a JAAS configuration called "other" in it.


                > I know this is happening because when the
                > "LoginContext lc = new
                > LoginContext("other",handler);" is called, it
                > searches for "other" in the
                > jboss.home/conf/tomcat/auth.conf file instead of
                > jboss.home/client/auth.conf file.

                Well, if your code is running in your servlet environment, it probably makes sense that it would be looking in the tomcat/auth.conf ? In this case why don't you copy your "other" config to that file too. Or, you name that config "client" (for example) and use that as a LoginContext.

                Actually, I haven't been using the embedded tomcat, but have an existing Tomcat which now accesses JBoss. I had some problems because I found out that in the JAAS API it is hard-coded that it calls the System classloader and not the default classloader (which is a different one in Tomcat). In this case, I had to explicitly add the JAAS jar and my own login stuff in the classpath while starting Tomcat. But you shouldn't need to do that if you are using the embedded tomcat.

                Keep at it, it will work ...
                Wolfgang

                • 5. Re: Stuck with Security Exception
                  deepa Newbie

                  Thanks Wolfgang,

                  I really appreciate your help. I got this working after I copied the "other" conf. to the jboss.home/conf/tomcat/auth.conf. I also copied the required jar files from jboss.home/client to jboss.home/conf/tomcat. I can now access a bean after calling the Authenticate class which does the login. I do not logout.

                  However, when I call the bean from a new location(another class) in the application, I find that I have to login again in order to access the bean. Isn't the
                  Login context supposed to be stored somewhere till I do a logout? Why do I have to login again and again every time I want to call a method in a bean?

                  Thanks,

                  Deepa George

                  • 6. Re: Stuck with Security Exception
                    J. Wolfgang Kaltz Novice

                    > However, when I call the bean from a new
                    > location(another class) in the application, I find
                    > that I have to login again in order to access the
                    > bean. Isn't the
                    > Login context supposed to be stored somewhere till I
                    > do a logout? Why do I have to login again and again
                    > every time I want to call a method in a bean?

                    This is not happening in my demo application, but I've also been wondering about this very important issue. Is your other class running in the same thread ?
                    Can anyone give us some input as to how/where exactly credentials are stored by JBoss; in which case it remembers them between calls and in which case it doesn't ?

                    (yeah I know, there's the source code - I've actually started looking at it but it would certainly be helpful if we had some more info on this)

                    • 7. Re: Stuck with Security Exception
                      Scott Stark Master

                      Security information is stored in thread local variables depending on the SecurityAssociation server attribute. When true, security credentials are a property of threads. When false, security credentials are static global properties avaliable across all threads. Inside the JBoss server VM the server attribute is always true. A client can control this property through the ClientLoginModule multi-threaded boolean property.

                      • 8. Re: Stuck with Security Exception
                        deepa Newbie

                        Thanks for all the help!