I have the callback handler defined in a private class within a servlet. I am wondering if the problem is caused by the login module being unable to access the callback handler when EJBs are called. If this is so how do I define the callback handler so that it is globally accessible, please?
> I have the callback handler defined in a private class within a servlet
Try searching through the forum archives - this sort of stuff has been discussed before.
The bottom line is that you don't need to use any client login modules or callbacks to use the integrated security.
Thanks very much for your help, Luke. I have looked at the posting and am able to get the security working with the form using "j_security_check". However, I am looking to create custom logins and wish to login via the web container once and have the credentials automatically passed to the EJB container so that the process is transparent to the user.
At present I have successfully set up a login page, context and callback handler for the web container. It correctly calls the next JSP. This JSP calls a simple stateless session bean. When the remote interface of the bean is accessed the login module (UsersRolesLoginModule) is instantiated. The problem is that it does not appear to be initialised from the login context used for the web container login. The main reason I say that is because my callback handler that is used for the web container is not called, which I believe it should be.
Alternatively, I have incorrectly set up the configuration somewhere, so that the credentials are not being passed from the web container to the EJB container.
I therefore have two questions.
(1) How can I make the EJB container use the same login context as the web container, and thereby use the same callback handler?
(2) How can I configure JBoss to ensure the credentials are passed from the web container to the EJB container?
I have found a solution that works for me and here is the solution in outline:
WEB TIER LOGIN
For a good understanding of how JAAS works refer to Chapter 9, "Adding Functionality to Your Beans", in "Mastering Enterprise JavaBeans" by Ed Roman: http://www.theserverside.com/books/masteringEJB/index.jsp. It is possible to obtain a free download from this site. The very important topic that it covers is the use of the doAs() method, which appears to be essential for successfully logging in via the web. I have seen no reference in the JBoss documentation to the need to use doAs(). It was necessary to make my system work, but I am still not completely sure whether there is another mechanism within JBoss that avoids the need to use it.
Overview of the Procedure
It is necessary to build a login page (HTML or JSP) and a complementary error page. In the action attribute of the form, reference a servlet that performs the calls to the authentication objects and methods. Essentially it contains the calls to the login context and, if the login is successful, dispatches another JSP. If unsuccessful, it catches the login failure and dispatches the error page.
However, when the login is successful, the dispatched JSP creates another LoginContext object, finds the subject, instantiates the action class and calls this with the Subject.doAs(subject, action) method. The action object returns the remote interface of the EJB (via this call) that is to be used in the JSP. It is important to use the security-domain name when instantiating a new LoginContext. This is the same name that is defined in jboss.xml and jboss-web.xml for the security-domain tag. It is also the same name that is specified in the file conf/catalina/auth.conf. The user names, passwords and roles are specified in the two files users.properties and roles.properties, as described in the JBoss documentation; these can be located in conf/catalina. Another important point is to have both org.jboss.security.ClientLoginModule and org.jboss.security.auth.spi.UsersRolesLoginModule defined in auth.conf, for example as:
I trust this is of some help.
I omitted to say in the previous reply that the callback handler is instantiated in the servlet called by the login form. The callback handler object is then passed as the second argument to the LoginContext constructor.
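The outline in the two replies above, as an added example that is not the poster's code: a login servlet that keeps the callback handler in a private class, constructs the LoginContext with the security-domain name and that handler as its second argument, and runs the EJB lookup under Subject.doAs so the dispatched JSP receives the remote interface. Rather than creating a second LoginContext in the JSP, this version keeps the Subject returned by the first login in the HTTP session and has the JSP call a static helper; that is an editorial simplification, not something the poster describes. The names my-domain, ejb/Hello, Hello/HelloHome, hello.jsp and loginError.jsp are assumed.

```java
// Added example implementing the outline in the replies above; NOT the poster's code.
// Assumed names: security domain "my-domain" (must match the security-domain tag in
// jboss.xml and jboss-web.xml and the auth.conf entry that lists ClientLoginModule
// and UsersRolesLoginModule), JNDI name "ejb/Hello", the Hello/HelloHome
// interfaces, and the pages /hello.jsp and /loginError.jsp.
import java.io.IOException;
import java.security.PrivilegedActionException;
import java.security.PrivilegedExceptionAction;
import java.util.Arrays;
import javax.naming.InitialContext;
import javax.rmi.PortableRemoteObject;
import javax.security.auth.Subject;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.NameCallback;
import javax.security.auth.callback.PasswordCallback;
import javax.security.auth.callback.UnsupportedCallbackException;
import javax.security.auth.login.LoginContext;
import javax.security.auth.login.LoginException;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

// Minimal stand-ins for the session bean's interfaces (assumed, not from the thread).
interface HelloHome extends javax.ejb.EJBHome {
    Hello create() throws java.rmi.RemoteException, javax.ejb.CreateException;
}
interface Hello extends javax.ejb.EJBObject {
    String sayHello() throws java.rmi.RemoteException;
}

public class LoginServlet extends HttpServlet {
    static final String SECURITY_DOMAIN = "my-domain";   // assumed name
    static final String SUBJECT_ATTR = "jaas.subject";

    // The callback handler is a private class of the servlet and is passed to the
    // LoginContext constructor as its second argument, as the last reply describes.
    private static class FormCallbackHandler implements CallbackHandler {
        private final String user;
        private final char[] password;
        FormCallbackHandler(String user, char[] password) {
            this.user = user;
            this.password = password;
        }
        public void handle(Callback[] callbacks) throws UnsupportedCallbackException {
            for (int i = 0; i < callbacks.length; i++) {
                if (callbacks[i] instanceof NameCallback) {
                    ((NameCallback) callbacks[i]).setName(user);
                } else if (callbacks[i] instanceof PasswordCallback) {
                    ((PasswordCallback) callbacks[i]).setPassword(password);
                } else {
                    throw new UnsupportedCallbackException(callbacks[i], "unsupported callback");
                }
            }
        }
    }

    // Target of the login form's action attribute.
    protected void doPost(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        String user = req.getParameter("username");
        String pass = req.getParameter("password");
        char[] password = (pass == null) ? new char[0] : pass.toCharArray();
        try {
            LoginContext lc = new LoginContext(SECURITY_DOMAIN,
                                               new FormCallbackHandler(user, password));
            lc.login();   // runs the modules listed for the domain in auth.conf
            HttpSession old = req.getSession(false);
            if (old != null) {
                old.invalidate();   // do not carry a pre-login session id across the login
            }
            req.getSession(true).setAttribute(SUBJECT_ATTR, lc.getSubject());
            req.getRequestDispatcher("/hello.jsp").forward(req, resp);
        } catch (LoginException e) {
            req.getRequestDispatcher("/loginError.jsp").forward(req, resp);
        } finally {
            Arrays.fill(password, '\0');   // clear the servlet's copy of the password
        }
    }

    // Called from hello.jsp as LoginServlet.lookupHello(session): performs the EJB
    // lookup under Subject.doAs with the Subject from the login above and returns
    // the remote interface for the JSP to use.
    public static Hello lookupHello(HttpSession session) throws ServletException {
        Subject subject = (Subject) session.getAttribute(SUBJECT_ATTR);
        if (subject == null) {
            throw new ServletException("not logged in");
        }
        PrivilegedExceptionAction action = new PrivilegedExceptionAction() {
            public Object run() throws Exception {
                Object ref = new InitialContext().lookup("ejb/Hello");   // assumed JNDI name
                HelloHome home = (HelloHome) PortableRemoteObject.narrow(ref, HelloHome.class);
                return home.create();
            }
        };
        try {
            return (Hello) Subject.doAs(subject, action);
        } catch (PrivilegedActionException e) {
            throw new ServletException("EJB lookup failed", e.getException());
        }
    }
}
```

Two details worth keeping even in a minimal version: the servlet invalidates any session that existed before the login so the authenticated state is never attached to a session id the browser held while anonymous, and the password array is zeroed after login() regardless of outcome. PrivilegedExceptionAction is used instead of PrivilegedAction because the JNDI lookup and create() throw checked exceptions; Subject.doAs wraps those in PrivilegedActionException, which the helper unwraps for the JSP.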