2 Replies Latest reply on May 7, 2003 5:27 AM by Jayaprakash

    Push Principal/Roles to EJB Problem

    Joel Rives Newbie

      I am new to JAAS. So, part of my problem is not knowing what to expect. Here is what I am trying to do:

My intention is to have a client app prompt the user for a username and password and to have this information automatically propagated to the EJBContext whenever I invoke an EJB call -- in addition to checking for Container managed Role permissions. From the documentation I have read, JBoss is supposed to support this behavior. My limited understanding of this process is that the client must authenticate using the org.jboss.security.ClientLoginModule.

Access to my Entity and Session Beans is protected by a single Role (via the <method-permission> tag in my ejb-jar.xml deployment descriptor).

      I have defined the following 2 application policies in login-config.xml:

      <application-policy name = "MyClientRealm">
        <login-module
          code = "org.jboss.security.ClientLoginModule"
          flag = "required">
        </login-module>
      </application-policy>

      <application-policy name = "MyDbRealm">
        <login-module
          code = "org.jboss.security.auth.spi.DatabaseServerLoginModule"
          flag = "required">
          <module-option name = "dsJndiName">
            java:nuschoolDS
          </module-option>
          <module-option name = "principalsQuery">
            select password from User where userId=?
          </module-option>
          <module-option name = "rolesQuery">
            select Role.roleName, Role.roleGroup from Role, User where Role.roleId=User.roleId and User.userId=?
          </module-option>
        </login-module>
      </application-policy>

      I have established the server side domain with the following tag in the jboss.xml deployment descriptor:

      <security-domain>java:/jaas/MyDbRealm</security-domain>

      I have a single user in my database, which is associated with the required role.

Currently, I have been trying two different scenarios. In the first, I am deploying an EAR to a jboss-3.2.0_tomcat-4.1.24 combined server. The deployed web app prompts a user for a username and password. These values are then passed into the following code:

      // Imports needed by this snippet:
      // import javax.security.auth.Subject;
      // import javax.security.auth.login.LoginContext;
      // import javax.security.auth.login.LoginException;
      // import org.jboss.security.auth.callback.UsernamePasswordHandler;

      // userId and password are the values entered in the web app's login form
      UsernamePasswordHandler handler = new UsernamePasswordHandler(userId, password.toCharArray());

      try
      {
        // System.setProperty("java.security.auth.login.config", "d:\\auth.conf");
        // "MyClientRealm" is the application-policy name from login-config.xml
        loginContext = new LoginContext("MyClientRealm", handler);
        loginContext.login();
        Subject subject = loginContext.getSubject();
        logger.info("Logged in as: " + subject.toString());
      }
      catch (LoginException le)
      {
        abort("Authentication failed", le);
      }


      Note the following commented section in the code:

      // System.setProperty("java.security.auth.login.config", "d:\\auth.conf");

This was there because I was experimenting based on some examples and comments that I have seen regarding this scenario. The auth.conf file referred to above contains the following entry:

      other {
        // jBoss LoginModule
        org.jboss.security.ClientLoginModule required
          password-stacking="useFirstPass";
      };

      I have also tried uncommenting the set properties line and changing the LoginContext construction to the following:

      loginContext = new LoginContext("other", handler);

      In the first case, the log output of the returned Subject shows it to be empty -- i.e. no Principals, etc.... Subsequent calls to the EJB side result in a validation error.

In the second case, the LoginContext constructor is picking up the "other" realm as defined in the login-config.xml file instead of my auth.conf file. This, of course, fails because I do not have the required support files user.properties and role.properties, and it is not the behavior I am looking for anyway.

I have been able to authenticate by going directly to the MyDbRealm with the LoginContext on the client side. However, doing so does not propagate the Principal and Role information to the EJBContext. So, my code on the EJB side, which depends upon finding the caller Principal in its context, fails. However, it does confirm that my application policy is set up correctly.

Any help with regard to this will be greatly appreciated. Even just telling me whether or not I am on the right path would be useful.

      Thanks,
      Joel Rives
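For reference, this is the kind of EJB-side code the post describes as depending on the propagated caller identity; it is an added example, not the poster's code, and assumes an EJB 2.x stateless session bean named AccountBean and a placeholder role name "Member" declared as a <security-role-ref> in ejb-jar.xml.

```java
import java.security.Principal;
import javax.ejb.CreateException;
import javax.ejb.EJBException;
import javax.ejb.SessionBean;
import javax.ejb.SessionContext;

// Hypothetical stateless session bean (EJB 2.x style, as deployed on JBoss 3.2).
// The container's <method-permission> check runs before this method is entered;
// the programmatic checks below are a second, defensive layer inside the bean.
public class AccountBean implements SessionBean {
    private SessionContext ctx;

    public void setSessionContext(SessionContext ctx) {
        this.ctx = ctx;
    }

    // Returns the name of the authenticated caller, or fails closed.
    public String whoAmI() {
        // If the client-side login did not attach a principal to the invocation,
        // nothing useful reaches the EJBContext here; refuse rather than continue.
        Principal caller = ctx.getCallerPrincipal();
        if (caller == null || caller.getName() == null) {
            throw new EJBException("no caller principal on this invocation");
        }
        // "Member" is a placeholder; with DatabaseServerLoginModule the role names
        // come from the rows rolesQuery returns with roleGroup 'Roles'.
        if (!ctx.isCallerInRole("Member")) {
            throw new EJBException("caller " + caller.getName()
                                   + " is not in role Member");
        }
        return caller.getName();
    }

    // Required SessionBean lifecycle callbacks (no state to manage here).
    public void ejbCreate() throws CreateException {}
    public void ejbRemove() {}
    public void ejbActivate() {}
    public void ejbPassivate() {}
}
```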