Well according to what you describe, you haven't implemented / configured any EJB security (where is your JAAS login module?). So it's not surprising that EJBs which you deploy with a security context are not accessible. Of course, if you comment out the security context, then access works, but then you don't have EJB security.
See the online documentation and/or the JavaWorld JBossSX article on how to configure EJB security in JBoss. It is not a trivial matter but believe me, when you follow the steps described in the documentation it works.
You also forgot to perform real login.
To have working security in you app you will need following:
On the backend:
- configured login modules which can authenticate
your username/password and assign roles based on it
- activates security in EJB descriptors
On the frontend:
- configured login modules for the frontend.
Simpliest would be ClientLoginModule which
just saves supplied data for further EJB invocations
- call to this login module from your servlet
NOte that authentication/authorisation on the frontend
and backend is not necessarily the same.
Yourprincipal/credentials will be passed to EJB backend on every invocation
Thanks jwkaltz and ko5tik,
I changed the application so that it uses a ClentLoginModule on the client-side and the DatabaseServerLoginModule on the server-side. I have a class called Authenticate that does the login. The code is as follows:
public boolean authenticated(String user, String pass) throws Exception
boolean login = false;
char password = pass.toCharArray();
AppCallbackHandler handler = new AppCallbackHandler(user, password);
LoginContext lc = new LoginContext("other",handler);
catch (LoginException le)
(For test purposes)When a simple client class calls the above mentioned Authenticate class method, the login takes place perfectly and everything works fine.
However, in the application I have created, the client is a servlet(required) that calls the above mentioned class method to authenticate. However, I get the following messages:
[EmbeddedTomcatSX] Login failed
[EmbeddedTomcatSX] javax.security.auth.login.LoginException: No LoginModules con
figured for other
[EmbeddedTomcatSX] at javax.security.auth.login.LoginContext.init(LoginCont
I know this is happening because when the "LoginContext lc = new LoginContext("other",handler);" is called, it searches for "other" in the jboss.home/conf/tomcat/auth.conf file instead of jboss.home/client/auth.conf file.
Do you know how I can fix this error? Please help!!!
> javax.security.auth.login.LoginException: No LoginModules configured for other
Yeah I fought with that one too. What is happening is that the JAAS API is looking for a file
auth.conf in the system class path, either it didn't find a file at all, or it did but this file doesn't have a JAAS configuration called "other" in it.
> I know this is happening because when the
> "LoginContext lc = new
> LoginContext("other",handler);" is called, it
> searches for "other" in the
> jboss.home/conf/tomcat/auth.conf file instead of
> jboss.home/client/auth.conf file.
Well, if your code is running in your servlet environment, it probably makes sense that it would be looking in the tomcat/auth.conf ? In this case why don't you copy your "other" config to that file too. Or, you name that config "client" (for example) and use that as a LoginContext.
Actually, I haven't been using the embedded tomcat, but have an existing Tomcat which now accesses JBoss. I had some problems because I found out that in the JAAS API it is hard-coded that it calls the System classloader and not the default classloader (which is a different one in Tomcat). In this case, I had to explicitly add the JAAS jar and my own login stuff in the classpath while starting Tomcat. But you shouldn't need to do that if you are using the embedded tomcat.
Keep at it, it will work ...
I really appreciate your help. I got this working after I copied the "other" conf. to the jboss.home/conf/tomcat/auth.conf. I also copied the required jar files from jboss.home/client to jboss.home/conf/tomcat. I can now access a bean after calling the Authenticate class which does the login. I do not logout.
However, when I call the bean from a new location(another class) in the application, I find that I have to login again in order to access the bean. Isn't the
Login context supposed to be stored somewhere till I do a logout? Why do I have to login again and again every time I want to call a method in a bean?
> However, when I call the bean from a new
> location(another class) in the application, I find
> that I have to login again in order to access the
> bean. Isn't the
> Login context supposed to be stored somewhere till I
> do a logout? Why do I have to login again and again
> every time I want to call a method in a bean?
This is not happening in my demo application, but I've also been wondering about this very important issue. Is your other class running in the same thread ?
Can anyone give us some input as to how/where exactly credentials are stored by JBoss; in which case it remembers them between calls and in which case it doesn't ?
(yeah I know, there's the source code - I've actually started looking at it but it would certainly be helpful if we had some more info on this)
Security information is stored in thread local variables depending on the SecurityAssociation server attribute. When true, security credentials are a property of threads. When false, security credentials are static global properties avaliable across all threads. Inside the JBoss server VM the server attribute is always true. A client can control this property through the ClientLoginModule multi-threaded boolean property.
Thanks for all the help!