3 Replies Latest reply on Oct 3, 2001 4:28 AM by jwkaltz

    Minimum requirement for getCallerPrincipal

    alistair.black

      Hi,

      I've come from a Sybase EA Server background where I was able to code a custom module to authenticate the user connection. I'd like to be able to do the same with JBoss which I'm piloting at present. The authentication involves calling an EJB from the custom module. We're using Tomcat outside of the container with JBoss 2.4.1, and an Apache web server at the front end.

      To get JAAS to work do I need to have Tomcat running within JBoss? If I do this, can I still use Apache at the front end? My assumptions come from the need to use the LoginContext and I can't see how I can get this to work outside of the JBoss wrapper.

      The bare minimum requirement I have at present is to enable the use of getCallerPrincipal() from within EJBs to obtain the user name. We were using this within EA Server without the need for a JAAS login prior to obtaining the InitialContext within the clients.

      I've tried to implement the various Login Modules within the JBossSX but with little success - presumably due to the lack of LoginContext. Is there a way to bypass this at all?

      Any help will be really appreciated.

      Confused

      Alistair

        • 1. Re: Minimum requirement for getCallerPrincipal
          jwkaltz

          I have a similar configuration. The minimum you need to do is a JAAS login in your client with a JAAS configuration set to the JBoss ClientLoginModule. This will not perform a real authentication but will bind the credentials to the JBoss layer, and then the getCallerPrincipal() will work.

          // auth.conf for the client
          other {
              org.jboss.security.ClientLoginModule required;
          };
          


          Then in your client you perform a JAAS login, something like

           import javax.security.auth.login.LoginContext;
           import org.jboss.security.auth.callback.UsernamePasswordHandler;

           // securityContextName is the entry name in the client's auth.conf ("other" above)
           UsernamePasswordHandler handler = new UsernamePasswordHandler(name, password);
           LoginContext lc = new LoginContext(securityContextName, handler);
           lc.login(); // binds name/password to the JBoss client layer; no password check happens here
          


          You do not actually need to have a server-side JAAS configuration. But you should, because otherwise your EJBs are open to the world. You also don't need to use the embedded Tomcat stuff but it seems that configuration would be simpler if you did.

          Since I am not using the embedded Tomcat (at least not right now), I have written a wrapper for clients to simplify JBoss client configuration, see my previous posting titled "Proposal for simpler client-side handling" or something like that.

          Cheers
          Wolfgang

          P.S. Curiosity: how is EJB security configured in Sybase? Is it completely proprietary?
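          The end-to-end picture Wolfgang describes, as an added example that is not code from the thread or from JBoss itself: a client does the JAAS login against ClientLoginModule, then calls a stateless session bean whose only job is to return ctx.getCallerPrincipal().getName(). The JNDI name "WhoAmI", the interface and class names, the login entry name "other" and the jnp://localhost:1099 provider URL are assumptions for illustration. The security point to keep in view: ClientLoginModule only attaches the name and password the client claims to the outgoing call; it verifies nothing, so without a server-side security domain the principal the EJB sees is whatever the caller chose to send.

```java
// ---- File: WhoAmI.java (assumed names throughout; added example, not the thread's code) ----
import java.rmi.RemoteException;
import javax.ejb.EJBObject;

public interface WhoAmI extends EJBObject {
    String whoAmI() throws RemoteException;
}

// ---- File: WhoAmIHome.java ----
import java.rmi.RemoteException;
import javax.ejb.CreateException;
import javax.ejb.EJBHome;

public interface WhoAmIHome extends EJBHome {
    WhoAmI create() throws CreateException, RemoteException;
}

// ---- File: WhoAmIBean.java (deploy with ejb-jar.xml as a Stateless bean under JNDI name "WhoAmI") ----
import java.security.Principal;
import javax.ejb.SessionBean;
import javax.ejb.SessionContext;

public class WhoAmIBean implements SessionBean {
    private SessionContext ctx;

    // Business method: report the identity the container associated with this call.
    public String whoAmI() {
        Principal p = ctx.getCallerPrincipal();
        // With no client-side login the container has nothing to hand back; depending on the
        // server-side login module you get null or its configured unauthenticatedIdentity.
        return (p == null) ? "<no caller principal>" : p.getName();
    }

    public void ejbCreate() {}
    public void setSessionContext(SessionContext c) { this.ctx = c; }
    public void ejbRemove() {}
    public void ejbActivate() {}
    public void ejbPassivate() {}
}

// ---- File: Client.java (run with -Djava.security.auth.login.config=auth.conf) ----
import java.util.Properties;
import javax.naming.Context;
import javax.naming.InitialContext;
import javax.rmi.PortableRemoteObject;
import javax.security.auth.login.LoginContext;
import org.jboss.security.auth.callback.UsernamePasswordHandler;

public class Client {
    public static void main(String[] args) throws Exception {
        String user = args[0];
        char[] password = args[1].toCharArray();

        // Step 1: JAAS login against the "other" entry, which names only ClientLoginModule.
        // This does NOT authenticate; it just binds user/password to the JBoss client layer
        // so they travel with every subsequent EJB invocation.
        LoginContext lc = new LoginContext("other", new UsernamePasswordHandler(user, password));
        lc.login();

        // Step 2: ordinary JNDI lookup; the bound credentials are picked up by the JBoss invoker.
        Properties env = new Properties();
        env.put(Context.INITIAL_CONTEXT_FACTORY, "org.jnp.interfaces.NamingContextFactory");
        env.put(Context.PROVIDER_URL, "jnp://localhost:1099"); // assumed server location
        Context ic = new InitialContext(env);
        Object ref = ic.lookup("WhoAmI");
        WhoAmIHome home = (WhoAmIHome) PortableRemoteObject.narrow(ref, WhoAmIHome.class);

        // Step 3: the bean's getCallerPrincipal() now returns the name sent in step 1.
        WhoAmI bean = home.create();
        System.out.println("EJB sees caller as: " + bean.whoAmI());

        // Step 4: drop the bound credentials so later calls from this JVM are not made as this user.
        lc.logout();
    }
}
```

          Running the client with no server-side security domain makes the name printed in step 3 come purely from args[0]; pair it with a server-side login module (as in the later reply) and method permissions in ejb-jar.xml before treating that name as an authenticated identity.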



          • 2. Re: Minimum requirement for getCallerPrincipal
            alistair.black

            Hi Wolfgang,

            Thanks for your help.

            Should I use any other security modules with this or just strip auth.conf to contain just the ClientLoginModule? I guess I would also need to remove any security settings within ejb-jar.xml etc. to avoid no method permission errors etc.

            I was getting close with my own custom module which would pass the login stage, but then a null principal would be located upon the actual EJB lookup and it then defaulted to the "unauthenticatedIdentity" property value. I can't really understand what is going on at this stage so I'm gradually creating my own fat class implementation complete with plenty of logging to trace it through. I'm guessing it has something to do with the shared state, but as I said that is only a guess. In the interim getting it working the way you suggested would be a start and it will at least enable me to demo the server to my colleagues.

            Thanks again

            Alistair

            • 3. Re: Minimum requirement for getCallerPrincipal
              jwkaltz

              > Should I use any other security modules with this or
              > just strip auth.conf to contain just the
              > ClientLoginModule?

              In your client-side auth.conf, yes, this is sufficient.

              For your other comments, I am not sure. Here is what I did for our demo :
              Subclass org.jboss.security.auth.spi.UsernamePasswordLoginModule and use that as a server-side JAAS login module. For the most part, I followed the instructions in Scott Stark's JavaWorld JBossSX article which, I find, gives a better insight into JBossSX than the online doc.
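              A server-side module of the kind Wolfgang describes, as an added example that is not his code or JBoss's own: it subclasses UsernamePasswordLoginModule so that JBossSX drives the callbacks, compares the password and populates the Subject, and the subclass only supplies the expected password and the role groups. The in-memory user table is constructed sample data standing in for the EJB or database lookup Alistair wants to do; the class name, the users, the role names and the "other" domain entry are assumptions. Two practitioner caveats: the superclass compares whatever string getUsersPassword() returns, so a real implementation should hand back a hash and enable the module's hashing options rather than a cleartext secret; and unauthenticatedIdentity should be set only when anonymous callers are genuinely wanted, because left on while debugging it quietly turns a client that sent no credentials into a named principal.

```java
// Added example (assumed names); not code from the thread or from JBoss.
import java.security.acl.Group;
import java.util.HashMap;
import java.util.Map;
import javax.security.auth.login.LoginException;
import org.jboss.security.SimpleGroup;
import org.jboss.security.SimplePrincipal;
import org.jboss.security.auth.spi.UsernamePasswordLoginModule;

/*
 * Server-side auth.conf entry that wires this module in (assumed domain name "other";
 * the bean's jboss.xml then points its security-domain at that entry):
 *
 *   other {
 *       DemoLoginModule required;
 *   };
 */
public class DemoLoginModule extends UsernamePasswordLoginModule {

    // Constructed sample data: username -> { password, role }.
    // A real module would query a directory, database or EJB here and would never
    // keep secrets in source.
    private static final Map USERS = new HashMap();
    static {
        USERS.put("alistair", new String[] { "s3cret",   "Manager" });
        USERS.put("wolfgang", new String[] { "pa55word", "User"    });
    }

    /**
     * Called by the superclass after it has read the username and password from the
     * callback handler. Return the password the user is expected to present; the
     * superclass performs the comparison.
     */
    protected String getUsersPassword() throws LoginException {
        String[] rec = (String[]) USERS.get(getUsername());
        if (rec == null) {
            // Fail loudly for an unknown user. Returning null here would make the
            // comparison fail anyway, but an explicit failure keeps the log readable
            // and avoids any chance of falling through to a default identity.
            throw new LoginException("No such user: " + getUsername());
        }
        return rec[0];
    }

    /**
     * Called only after the password check succeeded. The group named "Roles" is the
     * one JBoss consults when it enforces ejb-jar.xml method permissions, so the
     * principals added to it are the caller's roles.
     */
    protected Group[] getRoleSets() throws LoginException {
        String[] rec = (String[]) USERS.get(getUsername());
        if (rec == null) {
            throw new LoginException("No such user: " + getUsername());
        }
        SimpleGroup roles = new SimpleGroup("Roles");
        roles.addMember(new SimplePrincipal(rec[1]));
        return new Group[] { roles };
    }
}
```

              With this in place the name returned by getCallerPrincipal() in the EJB is one the server has actually checked a password for, and method permissions in ejb-jar.xml can be switched back on against the "Manager" and "User" roles instead of being stripped out to avoid permission errors.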