1 Reply Latest reply on Mar 18, 2002 6:50 PM by zzzz

    calls to secured ejb beans failed

    alexho

      Hi,

      I am using JBoss 2.4.4 and Tomcat 4.0.1. I have recently started working on JAAS. At the moment, I am having a problem that I need help on.

      I created an entity bean "CDBean" and in ejb-jar.xml, I have:

      ...
      <method-permission>
        <role-name>Admin</role-name>
        <method>
          <ejb-name>CDBean</ejb-name>
          <method-name>*</method-name>
        </method>
      </method-permission>
      ...

      specifying that a user with Admin role can access all of the methods in this "CDBean".

      I am using UsersRolesLoginModule. Both users.properties and roles.properties files are also in place.

      Then, for testing, I created an application client to call one of the methods in "CDBean" and the call failed with an error from JBoss:

      [java] java.rmi.ServerException: RemoteException occurred in server thread; nested exception is:
      [java] java.rmi.RemoteException: checkSecurityAssociation; nested exception is:
      [java] java.lang.SecurityException: Authentication exception, principal=null

      The failure is due to the empty username (principal).

      How come it doesn't prompt for a username/password? (I get a prompt in a new window when accessing a secured servlet for the first time)

      I have searched the forum for help and found that some have talked about a form-based authentication. Is this a way to get around the problem?

      The ideal solution I have in mind is:

      1. prompt for a username and password the first time a user enters a new session.

      2. pass this info to the EJB container for authentication using the info in *.properties files.

      3. if the user is valid, the user can access resources in EJB beans and servlets if permissions allow him to without ever prompting for a username/password again.

      4. if the same user goes into a new session, he is prompted again for username/password.

      However, when I have both servlets and ejbs integrated, it works great if the first call is to a servlet: I get a new window for username/password and the login info is carried throughout the session.

      I guess I don't want to wait for the automatic prompt from the container. Instead, I want to manually prompt for login info in the very beginning and have containers recognize the login info for EJB beans, jsp, and servlets.

      Can anyone point me to an example?

      Any help is appreciated.

        • 1. Re: calls to secured ejb beans failed
          zzzz

          Hi,

          I had the same problem when calling a secured EJB. I always had an exception which said principal=null.
          If you want your EJBs to be secured you have to have security on your client side - servlets or JSPs.
          In the beginning I was thinking that I could add security only to my EJB tier and that when my EJBs are secured I didn't need to add security on the client side. But it always gave me that error, that principal=null. So first you have to have your principal authenticated on the client side and after that, when the servlet or JSP calls a secured EJB method, the credentials will be propagated to the EJB by the container.
          You can use form-based authentication. You'll have to make your own page for login and when someone tries to access a secured servlet or JSP, the login page will appear.

          I hope this helps.