11 Replies Latest reply on Sep 19, 2002 1:45 PM by Matthias Lakämper

    JBoss3.0 Authentication-Problem with Client

    Matthias Lakämper Newbie

      Hi,

      i have some Experiences with JBoss 2.4. Now i do the first tests
      with JBoss 3.0. I want to login to the Server from a client-Programm.

      To do this, i have expanded the test.client.TestClient.java - example
      with the login-Algorithm from the JBoss2.4 - example:
      (docs/jaas/howto/SessionClient.java)

      --------------SessionClient------------------------------------------------------------
      String name = args[0];
      char[] password = args[1].toCharArray();
      String example = args[2];
      System.out.println("+++ Running SessionClient with username="+name+", password="+args[1]+", example="+example);
      try
      {
      AppCallbackHandler handler = new AppCallbackHandler(name, password);
      LoginContext lc = new LoginContext("TestClient", handler);
      System.out.println("Created LoginContext");
      lc.login();
      }
      catch (LoginException le)
      {
      System.out.println("Login failed");
      le.printStackTrace();
      }
      --------------SessionClient------------------------------------------------------------

      When i start this Program, i receive the Exception-Message:

      "Unable to locate a login configuration"

      at the line:

      LoginContext lc = new LoginContext("TestClient", handler);

      I have studied the Security-Chapter of the Quick-Start-Guide, but
      i don´t find Information to solve my Problem.

      My Questions are:

      - Has the Login-Algorithm changed in JBoss 3.0 ?
      - do i have to change something in the file "login-config.xml" ?

      I would be glad to get help on my Problem.

      Regards Matthias Lakämper

        • 1. Re: JBoss3.0 Authentication-Problem with Client
          Matthias Lakämper Newbie

          The problem is solved, i have added a Property to the start-Script.

          -Djava.security.auth.login.config=file://C:/JBoss/jboss-3.0.0_tomcat-4.0.3/client/auth.conf

          regards Matthias Lakämper

          • 2. Re: JBoss3.0 Authentication-Problem with Client
            Nathalie Newbie

            Hi,

            I've read the example in jboss\docs\jaas\howto and I was wondering how the method "Principal user = request.getUserPrincipal();" is able to retrieve the user' parameters (login and password). Should these be parameters of the servlet?

            Thanks for help,

            Nathalie

            • 3. Re: JBoss3.0 Authentication-Problem with Client
              Nathalie Newbie

              Hi,

              This method request.getUserPrincipal() is used in SecureEJBServlet.java.

              Thanks for help,

              Nathalie

              • 4. Re: JBoss3.0 Authentication-Problem with Client
                Matthias Lakämper Newbie

                Hi,

                in the moment, my Test-Case uses a client-Application,
                not a servlet.

                To see the actual user for example
                in TestSessionBean.java,
                i have added the lines

                Principal p = mContext.getCallerPrincipal();
                System.out.println("callerPrincipal=" + p );

                in a public function.

                Is that your question ?

                Regards Matthias

                • 5. Re: JBoss3.0 Authentication-Problem with Client
                  Nathalie Newbie

                  Hi,

                  So, your client application checks if the password is correct for the given username (via the DatabaseServerLoginModule that checks in the Database if data are correct) and the Session Bean security declaration (in ejb-jar.xml) ensures that the user has the right (via the user's role), to call the Session Bean method.
                  Is that correct?

                  In fact, I've read some examples in other threads of this forum, that use a login.jsp to login to the Database (using a ConfiguredIdentityLoginModule) and then call a Session Bean, which checks that the role of the user is correct. There are no check of password. And I wondered if it was possible to check credentials in a servlet or a jsp via the DatabaseServerLoginModule, with a CallbackHandler for example.

                  Thanks,
                  Nathalie.

                  • 6. Re: JBoss3.0 Authentication-Problem with Client
                    Nathalie Newbie

                    Hi,

                    So, your client application checks if the password is correct for the given username (via the DatabaseServerLoginModule that checks in the Database if data are correct) and the Session Bean security declaration (in ejb-jar.xml) ensures that the user has the right (via the user's role), to call the Session Bean method.
                    Is that correct?

                    In fact, I've read some examples in other threads of this forum, that use a login.jsp to login to the Database (using a ConfiguredIdentityLoginModule) and then call a Session Bean, which checks that the role of the user is correct. There are no check of password. And I wondered if it was possible to check credentials in a servlet or a jsp via the DatabaseServerLoginModule, with a CallbackHandler for example.

                    Thanks,
                    Nathalie.

                    • 7. Re: JBoss3.0 Authentication-Problem with Client
                      Nathalie Newbie

                      Hi,

                      So, your client application checks if the password is correct for the given username (via the DatabaseServerLoginModule that checks in the Database if data are correct) and the Session Bean security declaration (in ejb-jar.xml) ensures that the user has the right (via the user's role), to call the Session Bean method.
                      Is that correct?

                      In fact, I've read some examples in other threads of this forum, that use a login.jsp to login to the Database (using a ConfiguredIdentityLoginModule) and then call a Session Bean, which checks that the role of the user is correct. There are no check of password. And I wondered if it was possible to check credentials in a servlet or a jsp via the DatabaseServerLoginModule, with a CallbackHandler for example.

                      Thanks,
                      Nathalie.

                      • 8. Re: JBoss3.0 Authentication-Problem with Client
                        Nathalie Newbie

                        Hi,

                        So, your client application checks if the password is correct for the given username (via the DatabaseServerLoginModule that checks in the Database if data are correct) and the Session Bean security declaration (in ejb-jar.xml) ensures that the user has the right (via the user's role), to call the Session Bean method.
                        Is that correct?

                        In fact, I've read some examples in other threads of this forum, that use a login.jsp to login to the Database (using a ConfiguredIdentityLoginModule) and then call a Session Bean, which checks that the role of the user is correct. There are no check of password. And I wondered if it was possible to check credentials in a servlet or a jsp via the DatabaseServerLoginModule, with a CallbackHandler for example.

                        Thanks,
                        Nathalie.

                        • 9. Re: JBoss3.0 Authentication-Problem with Client
                          Nathalie Newbie

                          Hi,

                          So, your client application checks if the password is correct for the given username (via the DatabaseServerLoginModule that checks in the Database if data are correct) and the Session Bean security declaration (in ejb-jar.xml) ensures that the user has the right (via the user's role), to call the Session Bean method.
                          Is that correct?

                          In fact, I've read some examples in other threads of this forum, that use a login.jsp to login to the Database (using a ConfiguredIdentityLoginModule) and then call a Session Bean, which checks that the role of the user is correct. There are no check of password. And I wondered if it was possible to check credentials in a servlet or a jsp via the DatabaseServerLoginModule, with a CallbackHandler for example.

                          Thanks,
                          Nathalie.

                          • 10. Re: JBoss3.0 Authentication-Problem with Client
                            Matthias Lakämper Newbie

                            Hi Nathalie,


                            - So, your client application checks if the password is correct for the given username
                            - (via the DatabaseServerLoginModule that checks in the Database if data are correct)
                            - and the Session Bean security declaration (in ejb-jar.xml) ensures that the user has the
                            - right (via the user's role), to call the Session Bean method.
                            - Is that correct?

                            no it´s not exactly correct, the Password is checked from Jboss.

                            Iv´e done the following changes to activate security:

                            Add a new application-Policy

                            ---server\default\conf\login-config.xml------------
                            <application-policy name="sample-domain">

                            <login-module code="org.jboss.security.auth.spi.UsersRolesLoginModule" flag="required">
                            <module-option name="usersProperties">sample.users</module-option>
                            <module-option name="rolesProperties">sample.roles</module-option>
                            </login-module>

                            </application-policy>

                            ---server\default\conf\login-config.xml------------


                            -Add a Security-Domain in Jboss.xml
                            ---jboss.xml---------------------------

                            <?xml version="1.0" encoding="UTF-8" ?>
                            <!DOCTYPE jboss (View Source for full doctype...)>

                            <security-domain>java:/jaas/sample-domain</security-domain> <!-- this line is important !!! -->
                            <enterprise-beans>

                            <ejb-name>test/TestBMPEntity</ejb-name>
                            <jndi-name>ejb/test/TestBMPEntity</jndi-name>


                            <ejb-name>test/TestEntity</ejb-name>
                            .
                            .
                            .

                            ---jboss.xml---------------------------


                            Add the following doclet to TestSessionBean.java
                            ---TestSessionBean.java
                            * @ejb:security-role-ref role-name="EchoCaller"
                            * role-link="Echo"
                            *
                            * @ejb:permission role-name="EchoCaller"
                            ---TestSessionBean.java

                            Regards Matthias


                            • 11. Re: JBoss3.0 Authentication-Problem with Client
                              Matthias Lakämper Newbie

                              - So, your client application checks if the password is correct for the given username
                              - (via the DatabaseServerLoginModule that checks in the Database if data are correct)
                              - and the Session Bean security declaration (in ejb-jar.xml) ensures that the user has the
                              - right (via the user's role), to call the Session Bean method.
                              - Is that correct?

                              no it´s not exactly correct, the Password is checked from Jboss.

                              Iv´e done the following changes to activate security:

                              Add a new application-Policy

                              ---server\default\conf\login-config.xml------------
                              <application-policy name="sample-domain">

                              <login-module code="org.jboss.security.auth.spi.UsersRolesLoginModule" flag="required">
                              <module-option name="usersProperties">sample.users</module-option>
                              <module-option name="rolesProperties">sample.roles</module-option>
                              </login-module>

                              </application-policy>

                              ---server\default\conf\login-config.xml------------


                              -Add a Security-Domain in Jboss.xml
                              ---jboss.xml---------------------------

                              <?xml version="1.0" encoding="UTF-8" ?>
                              <!DOCTYPE jboss (View Source for full doctype...)>

                              <security-domain>java:/jaas/sample-domain</security-domain> <!-- this line is important !!! -->
                              <enterprise-beans>

                              <ejb-name>test/TestBMPEntity</ejb-name>
                              <jndi-name>ejb/test/TestBMPEntity</jndi-name>


                              <ejb-name>test/TestEntity</ejb-name>
                              .
                              .
                              .

                              ---jboss.xml---------------------------


                              Add the following doclet to TestSessionBean.java
                              ---TestSessionBean.java
                              * @ejb:security-role-ref role-name="EchoCaller"
                              * role-link="Echo"
                              *
                              * @ejb:permission role-name="EchoCaller"
                              ---TestSessionBean.java

                              Regards Matthias