1. Re: Minimum requirement for getCallerPrincipal
jwkaltz Oct 2, 2001 6:11 AM (in response to alistair.black)
I have a similar configuration. The minimum you need to do is a JAAS login in your client with a JAAS configuration set to the JBoss ClientLoginModule. This will not perform a real authentication but will bind the credentials to the JBoss layer, and then the getCallerPrincipal() will work.

// auth.conf for the client
other {
    org.jboss.security.ClientLoginModule required;
};

Then in your client you perform a JAAS login, something like

import javax.security.auth.login.LoginContext;
import org.jboss.security.auth.callback.UsernamePasswordHandler;

// hands name/password to the ClientLoginModule named in auth.conf
UsernamePasswordHandler handler = new UsernamePasswordHandler(name, password);
LoginContext lc = new LoginContext(securityContextName, handler);
lc.login();
You do not actually need to have a server-side JAAS configuration. But you should, because otherwise your EJBs are open to the world. You also don't need to use the embedded Tomcat stuff but it seems that configuration would be simpler if you did.
Since I am not using the embedded Tomcat (at least not right now), I have written a wrapper for clients to simplify JBoss client configuration, see my previous posting titled "Proposal for simpler client-side handling" or something like that.
Cheers
Wolfgang
P.S. Curiosity: how is EJB security configured in Sybase? Is it completely proprietary?
2. Re: Minimum requirement for getCallerPrincipal
alistair.black Oct 2, 2001 11:33 AM (in response to alistair.black)
Hi Wolfgang,
Thanks for your help.
Should I use any other security modules with this or just strip auth.conf to contain just the ClientLoginModule? I guess I would also need to remove any security settings within ejb-jar.xml etc. to avoid no method permission errors etc.
I was getting close with my own custom module which would pass the login stage, but then a null principal would be located upon the actual EJB lookup and it then defaulted to the "unauthenticatedIdentity" property value. I can't really understand what is going on at this stage so I'm gradually creating my own fat class implementation complete with plenty of logging to trace it through. I'm guessing it has something to do with the shared state, but as I said that is only a guess. In the interim, getting it working the way you suggested would be a start and it will at least enable me to demo the server to my colleagues.
Thanks again
Alistair
3. Re: Minimum requirement for getCallerPrincipal
jwkaltz Oct 3, 2001 4:28 AM (in response to alistair.black)
> Should I use any other security modules with this or
> just strip auth.conf to contain just the
> ClientLoginModule?
In your client-side auth.conf, yes, this is sufficient.
For your other comments, I am not sure. Here is what I did for our demo:
Subclass org.jboss.security.auth.spi.UsernamePasswordLoginModule and use that as a server-side JAAS login module. For the most part, I followed the instructions in Scott Stark's JavaWorld JBossSX article which, I find, gives a better insight into JBossSX than the online doc.
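What such a server-side subclass looks like, as an added example that is not the poster's code; it assumes the JBoss 3.x-era JBossSX signatures (getUsersPassword/getRoleSets, SimpleGroup, SimplePrincipal), a server-side auth.conf stanza named "demo", and a constructed in-memory user table. The point the thread makes is that the client's ClientLoginModule only forwards credentials; a module like this is what actually authenticates them, so without one the EJBs are open.

```java
// Assumed: JBoss 3.x-era JBossSX API; users/roles below are constructed sample data.
// Server-side auth.conf stanza (name assumed):  demo { example.security.DemoLoginModule required; };
package example.security;

import java.security.acl.Group;
import java.util.HashMap;
import java.util.Map;
import javax.security.auth.login.LoginException;
import org.jboss.security.SimpleGroup;
import org.jboss.security.SimplePrincipal;
import org.jboss.security.auth.spi.UsernamePasswordLoginModule;

/**
 * Server-side login module. The client's ClientLoginModule only carries the
 * name/password across to the server; this module is what decides whether the
 * call is authenticated. If no server-side module is configured, the principal
 * is never validated and any credentials reach the EJBs.
 */
public class DemoLoginModule extends UsernamePasswordLoginModule {

    // Constructed demo data. A real module would read a store and keep only
    // password hashes (UsernamePasswordLoginModule supports a hashAlgorithm option).
    private static final Map USERS = new HashMap();
    private static final Map ROLES = new HashMap();
    static {
        USERS.put("alice", "alice-secret");
        ROLES.put("alice", new String[] { "Manager", "User" });
        USERS.put("bob", "bob-secret");
        ROLES.put("bob", new String[] { "User" });
    }

    /** Expected password for getUsername(); null means unknown user, so validation fails. */
    protected String getUsersPassword() throws LoginException {
        return (String) USERS.get(getUsername());
    }

    /** Role groups placed in the Subject; "Roles" is the group name JBossSX checks. */
    protected Group[] getRoleSets() throws LoginException {
        String[] names = (String[]) ROLES.get(getUsername());
        SimpleGroup roles = new SimpleGroup("Roles");
        if (names != null) {
            for (int i = 0; i < names.length; i++) {
                roles.addMember(new SimplePrincipal(names[i]));
            }
        }
        return new Group[] { roles };
    }
}
```

With this module behind the security domain, ctx.getCallerPrincipal().getName() in the EJB returns "alice" only after the password matched; a wrong password fails lc.login() on the server side rather than falling through to unauthenticatedIdentity.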