1 Reply Latest reply on Oct 12, 2001 4:48 AM by Konstantin

    More help needed

    Maurice Mills Newbie

      I seem to have figured out basic authentication.

      I can request a "secure" page and get a login box. It even authenticates against a database. The page I request then makes calls to an EJB (see User code below) which work.

      The problem comes when I try to make a link from that page to a new one that uses a different EJB (see RoleManager below). The calls now fail with InsufficientPermissions because the principal is null.

      How do I keep the principal available so all calls to EJBs work?

      My environment is:
      jboss 2.4.1/tomcat 3.2.3

      auth.conf
      ---------
      staffapp {
      org.jboss.security.auth.spi.DatabaseServerLoginModule required
      dsJndiName="java:/Staff"
      principalsQuery="select password from systemusers where userid=?"
      rolesQuery="select r.description, r.rolegroup from role r, userroles ur where ur.userid=? and ur.roleid = r.id"
      unauthenticatedIdentity=nobody
      ;
      };

      client-login {
      org.jboss.security.ClientLoginModule required
      multi-threaded=true
      password-stacking=tryFirstPass
      ;
      };


      web.xml
      -------
      <security-constraint>
      <web-resource-collection>
      <web-resource-name>Secure Staffapp</web-resource-name>
      <url-pattern>/secure/*</url-pattern>
      <url-pattern>/htdocs/secure/*</url-pattern>
      <http-method>POST</http-method>
      <http-method>GET</http-method>
      </web-resource-collection>
      <auth-constraint>
      <role-name>User</role-name>
      <role-name>Echo</role-name>
      </auth-constraint>
      <user-data-constraint>
      <description>no description</description>
      <transport-guarantee>NONE</transport-guarantee>
      </user-data-constraint>
      </security-constraint>

      <login-config>
      <auth-method>BASIC</auth-method>
      <realm-name>staffapp</realm-name>
      </login-config>


      jboss-web.xml
      -------------
      <jboss-web>
      <security-domain>java:/jaas/staffapp</security-domain>
      </jboss-web>


      User-ejb-jar.xml
      ----------------
      <ejb-jar>
      <enterprise-beans>

      <ejb-name>User</ejb-name>

      </enterprise-beans>

      <assembly-descriptor>
      <method-permission>


      <ejb-name>User</ejb-name>
      <method-name>*</method-name>

      </method-permission>
      </assembly-descriptor>
      </ejb-jar>


      User-jboss.xml
      --------------
      <security-domain>java:/jaas/staffapp</security-domain>

      <enterprise-beans>

      <ejb-name>User</ejb-name>
      <jndi-name>framework/User</jndi-name>

      </enterprise-beans>



      RoleManager-ejb-jar.xml
      -----------------------
      <ejb-jar>
      <enterprise-beans>

      <ejb-name>RoleManager</ejb-name>
      <session-type>Stateless</session-type>
      <transaction-type>Container</transaction-type>

      </enterprise-beans>

      <assembly-descriptor>
      <method-permission>


      <ejb-name>RoleManager</ejb-name>
      <method-name>*</method-name>

      </method-permission>
      </assembly-descriptor>
      </ejb-jar>


      RoleManager-jboss.xml
      ---------------------

      <security-domain>java:/jaas/staffapp</security-domain>

      <enterprise-beans>

      <ejb-name>RoleManager</ejb-name>
      <jndi-name>framework/RoleManager</jndi-name>

      </enterprise-beans>


        • 1. Just a question
          Konstantin Newbie

          Is the second page also under the same security constraint?

          Just a little explanation how it works
          ( security )

          If you request a page which requires some authentication
          ( under security constraint ),
          an interceptor ( JbossSecurityMgrRealm ) fires and performs authentication ( password checking ) and
          authorization ( assignment of roles ). Then it's checked that user has role required to access web resource.

          Then "principal" ( username ) and "credential" ( password )
          are stored in SecurityAssociation object,
          and then used by EJB invocations.

          After request is processed, this interceptor removes them.

          So, valid principal & credential data are there if
          the page requires authenticated access.

          In the meanwhile ( when you request unsecured pages )
          your username & password are stored on session in j_username & j_password

          You also have to keep in mind, that principal & credential are also checked on server side - completely independent from frontend stuff. They may even use different login modules.
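
An added example, not part of either post and not JBoss or Tomcat code: a small checker that applies servlet url-pattern matching to the security-constraint from the question's web.xml and reports whether a page is covered. Per the reply above, a page that no constraint covers is one where the principal is not set for EJB calls. The page paths are hypothetical (the thread does not name them), paths are assumed to be context-relative, and merging the roles of several matching constraints is a simplification.

```python
import xml.etree.ElementTree as ET

# Constructed sample: the question's security-constraint, wrapped in a <web-app> root.
WEB_XML = """
<web-app>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Secure Staffapp</web-resource-name>
      <url-pattern>/secure/*</url-pattern>
      <url-pattern>/htdocs/secure/*</url-pattern>
      <http-method>POST</http-method>
      <http-method>GET</http-method>
    </web-resource-collection>
    <auth-constraint>
      <role-name>User</role-name>
      <role-name>Echo</role-name>
    </auth-constraint>
  </security-constraint>
</web-app>
"""

def pattern_matches(pattern, path):
    """Servlet url-pattern rules: '/dir/*' prefix, '*.ext' extension, '/' default, else exact."""
    if pattern.endswith("/*"):
        prefix = pattern[:-2]
        return path == prefix or path.startswith(prefix + "/")
    if pattern.startswith("*."):
        return path.endswith(pattern[1:])
    return pattern == "/" or pattern == path

def required_roles(web_xml, path, method="GET"):
    """Return the roles guarding a context-relative path, or None if no constraint applies."""
    roles, covered = set(), False
    for sc in ET.fromstring(web_xml).iter("security-constraint"):
        for wrc in sc.iter("web-resource-collection"):
            methods = [m.text.strip() for m in wrc.iter("http-method")]
            patterns = [p.text.strip() for p in wrc.iter("url-pattern")]
            # An empty http-method list means every method is covered.
            if methods and method not in methods:
                continue
            if any(pattern_matches(p, path) for p in patterns):
                covered = True
                roles.update(r.text.strip() for r in sc.iter("role-name"))
    return sorted(roles) if covered else None

if __name__ == "__main__":
    # Hypothetical page paths; the thread does not name the actual pages.
    for page in ("/secure/user.jsp", "/roles.jsp", "/htdocs/secure/roles.jsp"):
        print(page, "->", required_roles(WEB_XML, page))
```

A result of `None` for the linked page means the request passes through without the authentication step, so moving the page under `/secure/` (or adding its path as a `url-pattern`) brings it under the same constraint.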