4 Replies Latest reply on May 8, 2003 1:44 PM by tschlemmer

    Web/JSP login and JAAS/JBoss

    tschlemmer Newbie

      I'm part of a two person team that is working on doing a web-based administration for our system. I've been working on the CMP/EJB portion of our system and we have a security domain setup for all of our EJBs that we've created.

      I've setup an entry in our login-config.xml file that uses the DatabaseServerLoginModule to obtain password and role information from our DB. I have test code I run with JUnit and I'm able to login to our security domain and access session and entity beans within our defined security domain without any problems.

      Where where we having problem is the guy working on the web front-end. We've got our security domain defined in our jboss-web.xml file but if we try a simple JSP page that creates a LoginContext and attempts to access any method on an EJB within our security domain we get a failure with "insufficient method permissions, principal = null...." error message.

      I've tested "breaking" the defined "principalsQuery" SQL statement and I get an SQL error when I access the test JSP page so I know it's going through our database login but we still don't seem to get a role assigned when a login is done through a JSP page.

      Can anyone point me in the right direction. We have purchased all of the JBoss documentation and it was very helpful to me in getting our database login and security-domain stuff set up.

      I'm not much of a web programmer and have mainly been working on backend portions of the system like the EJBs and database so I'm not sure where to start looking. Our web guy out of frustration has dumped this all on me now so I'm in panic mode at this point since we have a critical deadline coming up.

      Any help is most appreciated.

      Anthony

        • 1. Re: Web/JSP login and JAAS/JBoss
          Adrian Brock Master

          Check your config with
          jmx-console

          The principal will be null unless the jsp page
          is restricted.

          Regards,
          Adrian

          • 2. Re: Web/JSP login and JAAS/JBoss
            Peter Doornbosch Apprentice

            ... and do not perform a login on the LoginContext in the jsp page, but let jboss (/servlet-engite) handles this for you (by making the jsp pages secured, as Adrian suggested).
            You can achieve this by setting up a secured web-collection in the web.xml.

            hth
            peter.

            • 3. Re: Web/JSP login and JAAS/JBoss
              tschlemmer Newbie

              Someone else in another list suggested I also include the ClientLoginModule along with the DatabaseServerLogin module in our application-policy definition in the login-config.xml file so I added the following:

              <login-module
              code = "org.jboss.security.ClientLoginModule"
              flag = "required">
              </login-module>

              It appears that the ClientLoginModule adds the necessary "glue" that allows a non-null principal to be used when method calls are made from the Servlet container into the EJB container.

              I don't know if this is satifactory solution or not but it does work.

              Anthony

              • 4. Re: Web/JSP login and JAAS/JBoss
                tschlemmer Newbie

                Someone else in another list suggested I also include the ClientLoginModule along with the DatabaseServerLogin module in our application-policy definition in the login-config.xml file so I added the following:

                <login-module
                code = "org.jboss.security.ClientLoginModule"
                flag = "required">
                </login-module>

                It appears that the ClientLoginModule adds the necessary "glue" that allows a non-null principal to be used when method calls are made from the Servlet container into the EJB container.

                I don't know if this is satifactory solution or not but it does work.

                Anthony