13 Replies Latest reply on Dec 28, 2001 10:51 AM by Luke Taylor

    Principal does not propagate from servlet to RMI Object (JRM

    Thomas Phan Newbie

      If I have <security-domain>java:/jaas/domain</security-domain> in my jboss.xml, I get:

      [Default] User 'nobody' authenticated.
      [ScheduledJob] Authentication exception, principal=null
      [Default] java.rmi.ServerException: RemoteException occurred in server thread; nested exception is:
      java.rmi.RemoteException: checkSecurityAssociation; nested exception is:
      java.lang.SecurityException: Authentication exception, principal=null
      [Default] java.rmi.RemoteException: checkSecurityAssociation; nested exception is:
      java.lang.SecurityException: Authentication exception, principal=null
      [Default] java.lang.SecurityException: Authentication exception, principal=null

      I tried to set "System.setSecurityManager(new RMISecurityManager());" in my RMI server/client before bind/lookup, but still doesn't work

      Details of my setting: http://www.jboss.org/modules/bb/index.html?module=bb&op=viewtopic&t=forums/

        • 1. Re: Principal does not propagate from servlet to RMI Object
          Luke Taylor Novice

          Hi,

          Are you only using JBoss's JNDI to store the object reference, and using a separate, standalone client and server?

          The message is from the container security interceptor, which means you are calling something (an EJB) through the container invoker, which is itself an RMI server object.

          What is your RMI object doing and what method are you invoking on it? Are you calling an EJB from it?

          • 2. Re: Principal does not propagate from servlet to RMI Object
            Thomas Phan Newbie

            Hi Luke,

            Yes, you are correct. I'm implementing a task scheduler service in a distributed system. Consider that there are multiple web containers and ejb containers, my scheduler thread must run on one and only one of the servers to avoid duplicated execution. In addition, my schedule needs a persistent/centralized storage for remembering the scheduled tasks during the scheduler is offline. As a result, I picked to run a RMI object, which controls scheduled tasks' executions and talks to an entity EJB, on one of my web container

            How may I propagate the principal from my web server to an RMI object, then from the RMI object to the EJB. I'm using Jboss+Tomcat, they share a unique Jboss JNDI, i.e. the RMI object is in the same VM as Tomcat (not on a separate, standalone client and server)

            I don't want update the EJB from a servlet, then notify the RMI to pick up the changes. Any advice you can give, thanks. You have been very helpful :)

            • 3. Re: Principal does not propagate from servlet to RMI Object
              Luke Taylor Novice

              Hi,

              Can't you use messaging for this? A scheduler, with persistent storage of tasks, offline sometimes - sounds very like a messaging sort of architecture.

              Failing that, can't you persist the tasks as entities? There wouldn't be any need to have a distributed scheduler at all then and you could write an MBean to implement it, or something similar?

              RMI doesn't have a standard way of passing security information around, so you would have to reauthenticate from the RMI Server to the EJB - if this is really what you need to do. You could set up a separate user for the RMI Server and log in as you would from a standalone JBoss client.

              Luke.

              • 4. Re: Principal does not propagate from servlet to RMI Object
                Thomas Phan Newbie

                Hi Luke,

                Messaging may not work in my case. Although durable subscription in JMS can handle the offline part, I still need some mechanisms for the publisher part, the problem will still be as hard.

                My application's user need to add/remove tasks in my scheduler's queue on the web page during my application's run-time, not sure if MBean can do that

                I prefer to go with setting up a separate user for the RMI Server, then I'll rely on servlet's secutiy only. Where may I look up the instruction in doing this? May I setup this user during my RMI's runtime? Do I need to setup both the principal and the role?

                Thanks again

                • 5. Re: Principal does not propagate from servlet to RMI Object
                  Thomas Phan Newbie

                  Hi,

                  I added the following code in my RMI server class before looking up my EJB:

                  try {
                  LoginContext lc = new LoginContext("", new AppCallbackHandler("twhphan", ""));
                  lc.login();
                  }
                  catch (LoginException le) { esb.util.Debug.print(le); }

                  where is defined in auth.conf

                  {
                  org.jboss.security.auth.spi.DatabaseServerLoginModule required
                  dsJndiName="java:/<data source>"
                  principalsQuery="select password from User where username=?"
                  rolesQuery="select roleName, NULL from UserRole where username=?"
                  unauthenticatedIdentity=nobody
                  ;
                  };

                  But I get this error when I invoke my RMI method

                  [Default] java.lang.SecurityException: unable to instantiate LoginConfiguration
                  [Default] at javax.security.auth.login.Configuration.getConfiguration(Configuration.java:212)
                  [Default]
                  [Default] at javax.security.auth.login.LoginContext$1.run(LoginContext.java:166)
                  [Default]
                  [Default] at java.security.AccessController.doPrivileged(Native Method)
                  [Default]
                  [Default] at javax.security.auth.login.LoginContext.init(LoginContext.java:163)
                  [Default]
                  [Default] at javax.security.auth.login.LoginContext.(LoginContext.java:319)
                  ...

                  note:

                  i) System.getProperty("java.security.auth.login.config") returns "file:///usr/local/jboss/conf/catalina/auth.conf"
                  ii) AppCallbackHandler implements CallbackHandler, which calls and sets NameCallback and PasswordCallback

                  Am I approching the right direction? What do I miss?

                  • 6. Re: Principal does not propagate from servlet to RMI Object
                    Thomas Phan Newbie

                    1 more thing:

                    I got the same error even if I add an extra domain using the org.jboss.security.ClientLoginModule for the RMI server (client). And I kept using the org.jboss.security.auth.spi.DatabaseServerLoginModule for my EJB (server).

                    Details:
                    lc = new LoginContext("schedule", new AppCallbackHandler("twhphan", ""));

                    {
                    org.jboss.security.auth.spi.DatabaseServerLoginModule required
                    ...
                    };

                    schedule {
                    org.jboss.security.ClientLoginModule required;
                    };

                    • 7. Re: Principal does not propagate from servlet to RMI Object
                      Luke Taylor Novice

                      Have you managed to get it to work standalone - i.e. not in the web container. If you're running Catalina as your web container it will probably be running under a security manager and may not allow you to read the auth.conf file.

                      • 8. Re: Principal does not propagate from servlet to RMI Object
                        Thomas Phan Newbie

                        Hi,

                        Yes, standalone works fine :D

                        I copyed and pasted my code (with minimal modifications) into a JSP file, and it doesn't work there.

                        • 9. Re: Principal does not propagate from servlet to RMI Object
                          Joel Peach Newbie

                          I am running into a similar issue trying to connect from JSP in an out-of-process instance of Tomcat 4.0 to JBoss 2.4. When I try to execute:

                          LoginContext lc = new LoginContext("pas", handler);

                          I get:

                          java.lang.SecurityException: unable to instantiate LoginConfiguration
                          at javax.security.auth.login.Configuration.getConfiguration(Configuration.java:212)

                          After reading through the API docs for JAAS 1.0, the

                          getConfiguration
                          method claims that it throws java.lang.SecurityException if "if the current thread does not have Permission to set the Configuration."

                          This seems to be inline with the earlier post which indicates that a SecurityManager in Catalina may be stopping the action. Further investigation of Catalina documentation reveals that Catalina does include a standard security policy file at:

                          %CATALINA_HOME%/conf/catalina.policy

                          But documentation in the policy file itself states that this policy is only enforced if Catalina is started with the -security option. I've checked the startup.bat file and it appears that I am not starting Catalina with the security policy.

                          My next actions will be to comb the policy file to see if it evens restricts reading the configuration and to re-trace the startup.bat to see if the -security command switch is being used anywhere. I will further test with a custom security policy file that grants all permissions. I'll let you know what I find out.

                          In the meantime, has anyone out there had success with connecting to JBoss from Out-of-Process Tomcat using JAAS that would be willing to share their insight?

                          Much appreciated,

                          -Joel

                          • 10. Re: Principal does not propagate from servlet to RMI Object
                            Luke Taylor Novice

                            Just another thought - where are you putting the configuration file and telling Tomcat where to find it? Or are you setting up the configuration internally?

                            • 11. Re: Principal does not propagate from servlet to RMI Object
                              Joel Peach Newbie

                              Luke,

                              I have the auth.conf file in:

                              %TOMCAT_HOME%\webapps\mywebapp\Web-inf\classses\auth.conf

                              I have tried to tell Tomcat where the file is both by:

                              o - The use of an element inside the element defining the web app in server.xml
                              o - Calling System.setProperty("java.security.auth.login.config", pathToFile);

                              And neither has worked. Still getting the same error.

                              Do you know if there's any way to get the JAAS1.0 source code to see exactly what it's trying to do? It's not available through the JAAS1.0 site.

                              Thank you for your help,

                              -Joel

                              • 12. Re: Principal does not propagate from servlet to RMI Object
                                Peter Levart Newbie

                                JAAS1.0 is now part of the J2SE 1.4 which is in beta3 currently. Download JDK1.4beta3 and look at the src.jar inside it...

                                Peter

                                • 13. Re: Principal does not propagate from servlet to RMI Object
                                  Luke Taylor Novice

                                  > I have tried to tell Tomcat where the file is both by:
                                  >
                                  > o - The use of an element inside the element defining the web app in server.xml
                                  > o - Calling System.setProperty("java.security.auth.login.config", pathToFile);

                                  Umm. Have you tried adding it as an environment variable to tomcat using -Djava.security....?

                                  I think you would want to keep the security config stuff out of your application. Add the JAAS jar files globally to tomcat and specify the property on the command line. See if that works.

                                  Luke.