31 Replies. Latest reply on Apr 3, 2003 2:50 AM by mickknutson
      • 15. Re: JAAS Authorization problem
        kpseal

        Matt, have you been able to make any progress on this? It's been driving me up the wall for a week now and I'm about to give up and implement my own security in the web tier.
        Any thoughts on how to avoid this would be greatly appreciated!

        • 16. Re: JAAS Authorization problem
          mattvincent

          Yes, it is driving me crazy too. I listed a few of the other (unanswered) related questions in this FAQ post: http://www.jboss.org/modules/bb/index.html?module=bb&op=viewtopic&t=forums/ I've been hoping that the JAAS Guru (Scott Stark) would just magically post an answer (or simply a pointer to the existing code that is managing this for the single-JVM JBoss-Tomcat).
          I'll definitely let you know if I come up with a solution in the next couple of days.

          • 17. Re: JAAS Authorization problem
            mattvincent

            OK, from looking at this for 30 secs, looks like this could be easy. Check out the 2 classes in:

            JBoss-2.4.4-src\contrib\tomcat\src\main\org\jboss\tomcat\security

            Then note how the JBoss-Tomcat bundle (I'm looking at Jboss-2.4.7_Tomcat-3.2.3) has this as the last RequestInterceptor in server.xml:

            <!-- JBoss, Perform authentication and authorization using the security-domain
            security manager.
            -->


            gets the Security Mgr through JNDI using

            // Get the JBoss security manager from the ENC context
            try
            {
                InitialContext iniCtx = new InitialContext();
                securityCtx = (Context) iniCtx.lookup("java:comp/env/security");
            }
            catch (NamingException e)
            {
                // handling elided in the quoted fragment; braces closed here so the snippet compiles
            }

            This is accessible from outside the JVM right? (e.g. java:comp/env/security)

            I hope this is all really this simple. Will try out tonight and post my results tomorrow.

            • 18. Re: JAAS Authorization problem
              kpseal

              Well, it's a month down the line and I still can't find a solution to this under JBoss 3.0.0, even with the source code.
              I'm beginning to believe that I'm gonna have to write my own Servlet Filter to handle security! But that'd be about as portable as a ThinkPad, though.

              So, just on the off-chance that someone's had an epiphany of late:
              Please, does anyone know how to get my Catalina instance to use the principal that my JBoss 3.0.0 instance is using?

              • 19. Re: JAAS Authorization problem
                jmejia424

                Ditto! This seems like a problem that a lot of people are experiencing. Can someone please post the solution.

                How can I get my Catalina instance to TEMPORARILY use the principal that my JBoss 3.0.0 instance is using?

                • 20. Re: JAAS Authorization problem

                  Yoni, I think that you need to use a PrivilegedAction to wrap your access to the ejbs, and then use Subject.doAs - passing in your authenticated subject plus the action.

                  eg:

                  import java.security.PrivilegedAction;
                  import javax.naming.Context;
                  import javax.naming.InitialContext;
                  import javax.security.auth.Subject;

                  public class MyAction implements PrivilegedAction {
                      public Object run() {
                          Object somethingToReturn = null;
                          try {
                              // The JNDI lookup and the EJB call both execute inside Subject.doAs,
                              // so the container sees the caller's Subject on this thread
                              Context initialContext = new InitialContext();
                              AnEJBHome anEJBHome = (AnEJBHome) initialContext.lookup("ejb/AnEJB");
                              AnEJB anEJB = anEJBHome.create();
                              somethingToReturn = anEJB.getSomethingToReturn();
                          }
                          catch (Exception e) {
                              // swallowed in the original post; at least report it
                              e.printStackTrace();
                          }
                          return somethingToReturn;
                      }
                  }

                  // loggedInsubject is the Subject obtained from a successful LoginContext.login()
                  Object result = Subject.doAs(loggedInsubject, (PrivilegedAction) new MyAction());

                  By using a PrivilegedAction, security details are propagated along with the call.

                  • 21. Re: JAAS Authorization problem

                    I should add that I think this is because prior to logging in and successfully accessing a servlet within security-constraints, there is no wrapper to propagate security details - as it's declared in the web.xml that none are needed!

                    I really really wish you could get hold of that remote_user, principal and role info though....

                    • 22. Re: JAAS Authorization problem

                      KPSeal, I think your best bet is to use a declarative login (which can be automated) & then post-process once complete.

                      You should be able to get anything you need done that way (bar non single user/pass field auth), and in a more portable manner.

                      Are you still checking the "wall of silence" for graffiti? :-) I'm wondering exactly what you need done, and I'll try to help if I can!

                      • 23. Re: JAAS Authorization problem
                        mbussa

                        I am also seeing similar problem. I hope there is a solution for this.

                        Thanks

                        • 24. Re: JAAS Authorization problem

                          Hi mbussa, did Subject.doAs not work for you? You'll get a principal of null if you make ejb calls outside of the security framework.

                          Was it Application Clients you had trouble with? Here's an example at Sun:

                          http://216.239.37.100/search?q=cache:8QP3tKW9S2QC:access1.sun.com/codesamples/J2SE-JAASexample-part1.html+Subject.doAs&hl=en&ie=UTF-8
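The mechanism posts 20 and 24 rely on, shown stand-alone as an added example (this is not code from the thread, from JBoss or from the Sun page linked above): a Subject attached with Subject.doAs is visible to code further down the call chain through the thread's AccessControlContext, and the same lookup made outside doAs finds no Subject, which is exactly the "principal is null" situation mbussa describes. SimplePrincipal, callerName, runOutside and runInside are names chosen here; the example uses the classic JAAS API of the JBoss 3.0 era (Subject.doAs / Subject.getSubject), which current JDKs (18 and later) deprecate in favour of Subject.callAs / Subject.current.

```java
import java.security.AccessController;
import java.security.Principal;
import java.security.PrivilegedAction;
import java.util.Set;
import javax.security.auth.Subject;

// Constructed minimal Principal; a container would supply its own implementation.
final class SimplePrincipal implements Principal {
    private final String name;
    SimplePrincipal(String name) { this.name = name; }
    public String getName() { return name; }
    public String toString() { return name; }
}

public class DoAsDemo {
    // Reports who the current call runs as, the way a server-side security
    // check would: by reading the Subject bound to this thread's
    // AccessControlContext. Returns a marker string when no Subject is bound.
    static String callerName() {
        Subject s = Subject.getSubject(AccessController.getContext());
        if (s == null) {
            return "principal is null";
        }
        Set<Principal> principals = s.getPrincipals();
        if (principals.isEmpty()) {
            return "principal is null";
        }
        return principals.iterator().next().getName();
    }

    // A call made outside any Subject.doAs: nothing is propagated.
    static String runOutside() {
        return callerName();
    }

    // The same call wrapped in a PrivilegedAction and run under Subject.doAs:
    // the Subject travels with the call, so callerName() can see it.
    static String runInside(Subject subject) {
        return Subject.doAs(subject, new PrivilegedAction<String>() {
            public String run() {
                return callerName();
            }
        });
    }

    public static void main(String[] args) {
        // Stand-in for the Subject a LoginContext.login() would populate.
        Subject subject = new Subject();
        subject.getPrincipals().add(new SimplePrincipal("alice"));
        subject.setReadOnly();

        System.out.println("outside doAs: " + runOutside());
        System.out.println("inside doAs:  " + runInside(subject));
    }
}
```

Run it and compare the two lines: the first lookup finds no Subject on the thread, the second finds the principal added before doAs. The point for the thread is that the propagation is per call chain, not per session or per JVM, so an EJB invocation that does not sit inside the doAs (or inside the container's own equivalent wrapper, which post 21 notes is absent when no security-constraint matched) has no caller identity to hand over.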

                          • 25. Re: JAAS Authorization problem
                            mbussa

                            Hi Simon,
                            I did try the Subject.doAs(). It didn't work. I was able to get authenticated (stand-alone client) from the JBoss server. Able to print the subject. But when I try to create a secure EJB session bean I get security exception "principal is null". Tried searching the web for solutions but no luck.

                            Thanks

                            • 26. Re: JAAS Authorization problem
                              mbussa

                              Hi Simon,
                              BTW, I am getting exceptions at both ends (server as well as client).

                              Thanks

                              • 27. wrappers like would break JSP Tag pages

                                Wouldn't wrappers like this break pages that use JSP tags to access EJBs? I.e., you'd have to code access to the EJBs in Java. I suppose you could write your own JSP tags to wrap this access, but that seems like a hack workaround for something that should be functional in Tomcat/JBoss.

                                The real issue seems to be that you can't share logins and roles properly between Tomcat and JBoss (and probably different web apps on the same server).

                                • 28. Re: wrappers like would break JSP Tag pages
                                  mickknutson

                                  WOW. I have never seen an issue go on so long without being resolved....
                                  I have been fighting with JAAS and j_security_check for 2 months now.

                                  I am trying to find out why my principal works fine, but my roles never carry over.
                                  I get method permission errors but have defined the run-as attribute on all my EJBs.

                                  • 29. Re: wrappers like would break JSP Tag pages
                                    craigdberry

                                    I'm the latest one in this mess. Mine doesn't even involve EJBs; all I want to do is a programmatic login in servlet A, which somehow stays stuck to the session such that when the user then visits protected servlet B, they're already logged in with the identity established in A. I have the LoginContext part of it worked out, and the login() call succeeds, but it doesn't appear to get stored to the session (the next time I go to B, my form-based authenticator gets called rather than just passing through with the identity I built earlier).

                                    I've seen reference to putting the constructed Subject into the httpsession, but no details. Does this work for my scenario? If so, what session key should I store it on?