5 Replies Latest reply on Mar 6, 2002 7:05 PM by Roger

    Login with UsersRolesLoginModule

    Roger Newbie

      Hi Folks,

      Please forgive me if this is a trivial question, but I have been working on the problem for ages, read and re-read the documentation and am still stuck. I have also managed to get the example in the Jaas HowTo working on 2.4.1a with embedded Tomcat.

      I am currently running JBoss 2.4.4 with embedded Tomcat 4.0.1 on Redhat Linux 7.0. I am trying to login from a JSP with form based login (because the docs say basic doesn't work with Tomcat 4.0.1) but seem unable to pass the credentials across to the EJB layer. In the Web layer I can successfully login, but when I try to access a stateless session bean from a JSP I receive the following error:
      [INFO,EmbeddedCatalinaServiceSX] jsp: init
      [INFO,EmbeddedCatalinaServiceSX] Authenticate: init
      [INFO,Default] +++ Running SessionClient with username=xyz, password=abc
      [INFO,Default] Created LoginContext
      [INFO,EmbeddedCatalinaServiceSX] SecureJSP: init
      [INFO,EmbeddedCatalinaServiceSX] SecureJSP: init
      [DEBUG,UsersRolesLoginModule] Bad password for username=null
      [ERROR,SecurityInterceptor] Authentication exception, principal=null
      [ERROR,EmbeddedCatalinaServiceSX] ApplicationDispatcher[/Security] Servlet.service() for servlet SecureJSP threw exception

      I can give more details of my installation if required, but will omit them for now in the interests of space.

      What I think I fail to understand is how to use handles or objects to pass this information across the application. The main difficulty that I am having with the documentation is that all the examples use stand alone clients and not JSPs with supporting servlets. What would be most helpful is a mini working example, but any suggestions would be gratefully received.


        • 1. Re: Login with UsersRolesLoginModule
          Roger Newbie

          I have the callback handler defined in a private class within a servlet. I am wondering if the problem is caused by the login module being unable to access the callback handler when EJBs are called. If this is so how do I define the callback handler so that it is globally accessible, please?


          • 2. Re: Login with UsersRolesLoginModule

            > I have the callback handler defined in a private class within a servlet


            Try searching through the forum archives - this sort of stuff has been discussed before.

            e.g. http://main.jboss.org/thread.jsp?forum=49&thread=7766

            The bottom line is that you don't need to use any client login modules or callbacks to use the integrated security.


            • 3. Re: Login with UsersRolesLoginModule
              Roger Newbie

              Thanks very much for your help, Luke. I have looked at the posting and am able to get the security working with the form using "j_security_check". However, I am looking to create custom logins and wish to login via the web container once and have the credentials automatically passed to the EJB container so that the process is transparent to the user.

              At present I have successfully set up a login page, context and call back handler for the web container. It correctly calls the next JSP. This JSP calls a simple stateless session bean. When the remote interface of the bean is accessed the login module (UsersRolesLoginModule) is instantiated. The problem is that it does not appear to be initialised from the login context used for the web container login. The main reason I say that is because my call back handler that is used for the web container is not called, which I believe it should.

              Alternatively, I have incorrectly set up the configuration somewhere, so that the credentials are not being passed from the web container to the EJB container.

              I therefore have two questions.
              (1) How can I make the EJB container use the same login context as the web container, and thereby use the same the call back handler?
              (2) How can I configure JBoss to ensure the credentials are passed from the web container to the EJB container?


              • 4. Re: Login with UsersRolesLoginModule
                Roger Newbie

                I have found a solution that works for me and here is the solution in outline:

                WEB TIER LOGIN
                For a good understanding of how JAAS works refer to Chapter 9, "Adding Functionality to Your Beans" in "Mastering Enterprise JavaBeans" by Ed Roman: http://www.theserverside.com/books/masteringEJB/index.jsp. It is possible to obtain a free down load from this site. The very important topic that it covers is the use of the doAs() method, which appears to be essential for successfully logging in via the web. I have seen no reference in the JBoss documentation to the need to use doAs(). It was necessary to make my system work, but am still not completely sure whether there is another mechanism within JBoss that avoids the need to use it.

                Overview of the Procedure
                It is necessary to build a login page, HTML or JSP and a complementary error page. In the action attribute of the form, reference a servlet that performs the calls to the authentication objects and methods. Essentially it contains the calls to the login context and if the login is successful dispatches another JSP. If unsuccessful, it catches the login failure and dispatches the error page.

                However, when the login is successful, the dispatched JSP creates another LoginContext object, finds the subject, instantiates the action class and calls this with the Subject.doAs(subject, action) method. The action object returns the remote interface of the EJB (via this call) that is to be used in the JSP. It is important to use the security-domain name when instantiating a new LoginContext. This is the same name that is defined in jboss.xml and jboss-web.xml for the security-domain tag. It is also the same name that is specified in the file conf/catalina/auth.conf. The user name, passwords and roles are specified in the two files users.properties and roles.properties, as described in the JBoss documentation and which can be located in conf/catalina. Another important point is to have both org.jboss.security.ClientLoginModule and org.jboss.security.auth.spi.UsersRolesLoginModule defined in auth.conf, for example as:
                TestSecurityDomain {
                org.jboss.security.ClientLoginModule required
                org.jboss.security.auth.spi.UsersRolesLoginModule required

                I trust this is of some help.

                • 5. Re: Login with UsersRolesLoginModule
                  Roger Newbie

                  I omitted to say in the previous reply that the callback handler is instantiated in the servlet called by the login form. The callback handler object is then passed as the second argument to the LoginContext constructor.