2 Replies Latest reply on Nov 22, 2005 12:46 PM by Scott Stark

    cant get SecurityAssociation.setServer(); to work

    Nathaniel Auvil Newbie

      I was under the assumption, a call to SecurityAssociation.setServer() binds the local thread's authentication information to the container. Is this an incorrect assumption?

      I tried the following code and my LoginModule says i am authenticated, but if i try to access another page once this Servlet returns, i am forced to login again.

      If i submit to j_security_check from the HTML form my LoginModules work so I know there is no problem there. Or wait, should the SecurityAssociation.setServer(); be in the commit() method of LoginModule?

      package com.test.prototype.servlets;

      import java.io.IOException;
      import java.io.PrintWriter;
      import java.security.Principal;
      import javax.naming.Context;
      import javax.naming.InitialContext;
      import javax.naming.NamingException;
      import javax.servlet.ServletConfig;
      import javax.servlet.ServletException;
      import javax.servlet.http.HttpServlet;
      import javax.servlet.http.HttpServletRequest;
      import javax.servlet.http.HttpServletResponse;
      import javax.servlet.http.HttpSession;

      import javax.security.auth.login.LoginContext;
      import javax.security.auth.login.LoginException;
      import javax.security.auth.*;

      import com.test.prototype.authentication.AppCallbackHandler;

      import org.jboss.security.*;

      public class LoginServlet extends HttpServlet
      private boolean firstTime= true;

      public void service( HttpServletRequest request, HttpServletResponse response ) throws ServletException, IOException

      //---call this servlet two times just for testing purposes
      if( firstTime )
      String alias= request.getParameter( "alias2" );
      String username= request.getParameter( "username2" );
      String password= request.getParameter( "password2" );

      System.out.println( "trying to forward to 'j_security_check'...." );
      String path =new StringBuffer("j_security_check?j_username=").append(username).append("&j_password=").append(password).toString();
      request.getRequestDispatcher(path).include(request, response);

      System.out.println( "...alias= " + alias );
      System.out.println( "...userName= " + username );
      System.out.println( "...password= " + password );

      AppCallbackHandler handler= new AppCallbackHandler( username, ( alias + "##" + password ).toCharArray() );
      LoginContext lc = new LoginContext( "test", handler );
      System.out.println("....Created LoginContext");

      System.out.println( "....SecurityAssociation.setServer() called." );

      //this.callEcho( request, response );

      Subject subject = lc.getSubject();
      System.out.println( "....subject= " + subject );

      //response.sendRedirect( "index.html" );

      catch (LoginException le)
      System.out.println("....Login failed");

      response.sendRedirect( "LoginForm.html" );

      firstTime= false;

      PrintWriter out = response.getWriter();
      out.println("Just logged in....");

      out.println( "" );

      Principal principal= request.getUserPrincipal();
      if( principal != null )
      out.println( "request.getUserPrincipal().getName()= " + request.getUserPrincipal().getName() );
      out.println( "request.isUserInRole( 'echo' )= " + request.isUserInRole( "echo" ) );
      out.println( "request.isUserInRole( 'Echo' )= " + request.isUserInRole( "Echo" ) );

      out.println( "-----> request.getUserPrincipal() was NULL!!!" );


        • 1. Re: cant get SecurityAssociation.setServer(); to work
          Erik Sliman Apprentice

          Shameless bump.

          I have a situation where the client to JBoss is a multi-threaded server to other clients. It uses two basic JNDI authentications, one on behalf of the clients, and one for itself. The problem is that after it obtains a remote interface using its own authentication, when it logs in on behalf of clients (as guest), it gets a security exception when calling methods on the remote interfaces it has for itself. This is because the SecurityAssociation is scoped to the whole application/JVM.

          Ideally it would preserve its context from the time the remote EJB was instantiated. Short of that, however, I'd at least like to get it to scope to threads, as it's likely that it will never act on behalf of clients in the same thread it's using its own remote interfaces.

          I tried creating two EJB modules in the same EAR with different security domains, and that didn't do the trick. In this setup the guest authentication was isolated to calls to one EJB module and the host authentication to another. Should I even bother to try to put the EJB modules in separate EARs?

          • 2. Re: cant get SecurityAssociation.setServer(); to work
            Scott Stark Master

            By default the SecurityAssociation uses class level statics for singleton behavior. Inside of the jboss server this is set to ThreadLocal mode(or InheritableThreadLocal depending on a system property). The jboss ClientLogin module multi-threaded flag does the same thing.