3 Replies Latest reply on Apr 29, 2003 3:01 PM by Peter Doornbosch

    Close but no cigar

    Joel Rives Newbie

      Slowly, I inch my way towards success. Ok, I seem to have most -- if not all -- of the required pieces connected in the right way. I just have one last hurdle to overcome (yeah, right). My goal is to access my JAAS secured EJBs from a remote, stand-alone client java application. I have pointed my java app at an authorization configuration file by setting the java.security.auth.login.config system property in the following manner:

      System.setProperty("java.security.auth.login.config", "D:\\auth.conf");

      The file auth.conf contains the following:

      ClientRealm
      {
      // jBoss LoginModule
      org.jboss.security.ClientLoginModule
      required
      password-stacking="useFirstPass"
      ;
      };

      This all seems to work fine as I am able to create a LoginContext and call the login() method on the context. However, this does not seem to be propagating my Principal to the server side when I try to access an EJB. I get the following RemoteException:

      java.rmi.ServerException: RemoteException occurred in server thread; nested exception is:
      java.rmi.ServerException: EJBException:; nested exception is:
      javax.ejb.EJBException: checkSecurityAssociation; CausedByException is:
      Authentication exception, principal=


      Can anyone see what I am doing wrong here? The ClientLoginModule is supposed to propagate the username and password to the EJB layer during each call but this does not appear to be happening. This is working fine for me when I access the EJB layer from a Servlet in my web app with JBoss/Tomcat running together.

      Any help is greatly appreciated.
      Joel

        • 1. Re: Close but no cigar
          Peter Doornbosch Apprentice

          Remove the password-stacking="useFirstPass" option; this should only be used in combination with another login module. In your case, it causes the ClientLoginModule to skip calling your callbacks, which you can easily verify by putting some logging into your callbacks.
          Although the javadoc of the ClientLoginModule suggests that there is a difference between the 'useFirstPass' and 'tryFirstPass' options, this is not the case. In both cases, the login credentials are obtained from the shared-state map.

          Hth
          Peter.
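
The check suggested in the reply above, as an added example (not code from the thread or from JBoss): the ClientRealm entry without password-stacking, and a callback handler that logs every request so you can see whether the ClientLoginModule actually asked for credentials. It assumes the JBoss client jars are on the classpath; `ClientLoginCheck`, `LoggingHandler`, `demo-user` and `demo-pass` are made-up names and values.

```java
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Path;
import javax.security.auth.callback.*;
import javax.security.auth.login.LoginContext;

public class ClientLoginCheck {
    // The thread's ClientRealm entry with the password-stacking option removed.
    static final String AUTH_CONF =
        "ClientRealm {\n" +
        "    org.jboss.security.ClientLoginModule required;\n" +
        "};\n";

    // Supplies the credentials and records each callback the login module requests.
    static class LoggingHandler implements CallbackHandler {
        private final String user;
        private final char[] password;
        int calls = 0;

        LoggingHandler(String user, char[] password) {
            this.user = user;
            this.password = password;
        }

        public void handle(Callback[] callbacks) throws UnsupportedCallbackException {
            for (Callback cb : callbacks) {
                calls++;
                System.out.println("callback requested: " + cb.getClass().getSimpleName());
                if (cb instanceof NameCallback) {
                    ((NameCallback) cb).setName(user);
                } else if (cb instanceof PasswordCallback) {
                    ((PasswordCallback) cb).setPassword(password);
                } else {
                    throw new UnsupportedCallbackException(cb);
                }
            }
        }
    }

    public static void main(String[] args) throws Exception {
        // Write the config to a temp file and point JAAS at it (no secrets in the file).
        Path conf = Files.createTempFile("auth", ".conf");
        Files.write(conf, AUTH_CONF.getBytes(StandardCharsets.UTF_8));
        System.setProperty("java.security.auth.login.config", conf.toUri().toString());

        // Constructed sample credentials; replace with real input handling.
        LoggingHandler handler = new LoggingHandler("demo-user", "demo-pass".toCharArray());
        LoginContext lc = new LoginContext("ClientRealm", handler);
        lc.login();
        // Zero here means the module never consulted the handler.
        System.out.println("callbacks answered: " + handler.calls);
        lc.logout();
    }
}
```

Running the same class with the original entry (password-stacking="useFirstPass" left in) gives a side-by-side comparison of the callback count.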

          • 2. Re: Close but no cigar
            Joel Rives Newbie

            Thanks Peter. I had already removed that spurious bit of configuration by the time I saw your reply. However, I am still having problems. I get the following exception after I create the LoginContext and call the login method when I try to access a method on a SLSB:

            Caused by: java.lang.ClassNotFoundException: org.jboss.ejb.plugins.local.EntityProxy (no security manager: RMI class loader disabled)
            at sun.rmi.server.LoaderHandler.loadClass(LoaderHandler.java:368)
            at sun.rmi.server.LoaderHandler.loadClass(LoaderHandler.java:159)
            at java.rmi.server.RMIClassLoader$2.loadClass(RMIClassLoader.java:631)
            at java.rmi.server.RMIClassLoader.loadClass(RMIClassLoader.java:257)
            at sun.rmi.server.MarshalInputStream.resolveClass(MarshalInputStream.java:200)
            at java.io.ObjectInputStream.readNonProxyDesc(ObjectInputStream.java:1513)
            at java.io.ObjectInputStream.readClassDesc(ObjectInputStream.java:1435)
            at java.io.ObjectInputStream.readOrdinaryObject(ObjectInputStream.java:1626)
            at java.io.ObjectInputStream.readObject0(ObjectInputStream.java:1274)
            at java.io.ObjectInputStream.defaultReadFields(ObjectInputStream.java:1845)
            at java.io.ObjectInputStream.readSerialData(ObjectInputStream.java:1769)
            at java.io.ObjectInputStream.readOrdinaryObject(ObjectInputStream.java:1646)
            at java.io.ObjectInputStream.readObject0(ObjectInputStream.java:1274)
            at java.io.ObjectInputStream.defaultReadFields(ObjectInputStream.java:1845)
            at java.io.ObjectInputStream.readSerialData(ObjectInputStream.java:1769)
            at java.io.ObjectInputStream.readOrdinaryObject(ObjectInputStream.java:1646)
            at java.io.ObjectInputStream.readObject0(ObjectInputStream.java:1274)
            at java.io.ObjectInputStream.readObject(ObjectInputStream.java:324)
            at java.rmi.MarshalledObject.get(MarshalledObject.java:135)
            at org.jboss.invocation.jrmp.interfaces.JRMPInvokerProxy.invoke(JRMPInvokerProxy.java:140)
            at org.jboss.invocation.InvokerInterceptor.invoke(InvokerInterceptor.java:92)
            at org.jboss.proxy.TransactionInterceptor.invoke(TransactionInterceptor.java:77)
            at org.jboss.proxy.SecurityInterceptor.invoke(SecurityInterceptor.java:80)
            at org.jboss.proxy.ejb.StatelessSessionInterceptor.invoke(StatelessSessionInterceptor.java:109)
            at org.jboss.proxy.ClientContainer.invoke(ClientContainer.java:82)
            ... 16 more

            • 3. Re: Close but no cigar
              Peter Doornbosch Apprentice

              The short answer is that your client is not (yet) allowed to download code; this can be enabled by setting the RMISecurityManager.
              However, I'm a bit surprised that your standalone client apparently has obtained an object of class EntityProxy, which is the proxy for _local_ ejb entity beans. You are not trying to access a local interface from a standalone client, are you??

              Peter