1 2 Previous Next 16 Replies Latest reply on Nov 25, 2003 3:23 AM by jimbrady

    java client

    Jan Radl Newbie

      Hallo all,

      I have a problem with ClientLoginModule. I code very simple SessionBean and very simple java client which should use ClientLoginModule to authenticate user.

      Here are the config files on server-side

      <container-name>Standard Stateful SessionBean</container-name>

      and login-config.xml

      <application-policy name = "exa1">

      <login-module code = "org.jboss.security.auth.spi.UsersRolesLoginModule"
      flag = "required" />
      <module-option name = "password-stacking">useFirstPass</module-option>
      <module-option name = "unauthenticatedIdentity">nobody</module-option>
      <module-option name = "debug">true</module-option>


      On client side I have auth.conf like this:
      client-login {
      // jBoss LoginModule
      org.jboss.security.ClientLoginModule required

      // Put your login modules that need jBoss here

      Short snap-shot of client app:
      static class AppCallbackHandler implements CallbackHandler {
      private String username;
      private char[] password;
      public AppCallbackHandler(String username, char[] password) {
      this.username = username;
      this.password = password;
      public void handle(Callback[] callbacks) throws java.io.IOException,
      UnsupportedCallbackException {
      for (int i = 0; i < callbacks.length; i++) {
      if (callbacks instanceof NameCallback) {
      NameCallback nc = (NameCallback)callbacks
      } else if (callbacks instanceof PasswordCallback) {
      PasswordCallback pc = (PasswordCallback)callbacks
      } else {
      throw new UnsupportedCallbackException(callbacks, "Unrecognized Callback");

      public static void main(String args[]) throws Exception {
      if( args.length != 3 )
      throw new IllegalArgumentException("Usage: username password example");

      String name = args[0];
      char[] password = args[1].toCharArray();
      String example = args[2];
      System.out.println("+++ Running SessionClient with username="+name+", password="+args[1]+", example=
      try {
      System.out.println("before new AppCalllback");
      AppCallbackHandler handler = new AppCallbackHandler(name, password);
      System.out.println("after new AppCalllback");
      LoginContext lc = new LoginContext(example, handler);
      System.out.println("Created LoginContext");
      } catch (LoginException le) {
      System.out.println("Login failed");

      try {
      InitialContext ctx = new InitialContext();
      Object objRef = ctx.lookup("ejb/Salary");
      SalaryHome home = (SalaryHome)javax.rmi.PortableRemoteObject.narrow(objRef,


      I run java client with this script:


      if [ "x$JBOSS_HOME" = "x" ]; then
      export JBOSS_HOME

      $JRE_HOME/bin/java -Djava.security.auth.login.config=auth.conf -classpath .:auth.conf:$JBOSS_HOME/client/jbossall-client.jar:./ejb_sample_client.jar:./ejb_first.jar com.client.SalaryClient "$@"

      1. param is username
      2. param is paasword
      3. param is ID of ClientLoginModule ("client-login") that is spec. in auth.conf

      On server side I have principal equals to null => I=ve got exception like this:
      2003-07-02 17:05:48,151 ERROR [org.jboss.ejb.plugins.LogInterceptor] EJBException, causedBy:
      java.lang.SecurityException: Authentication exception, principal=null
      at org.jboss.ejb.plugins.SecurityInterceptor.checkSecurityAssociation(SecurityInterceptor.java:162)
      at org.jboss.ejb.plugins.SecurityInterceptor.invokeHome(SecurityInterceptor.java:81)
      at org.jboss.resource.connectionmanager.CachedConnectionInterceptor.invokeHome(CachedConnectionInterceptor.java:215)
      at org.jboss.ejb.plugins.StatefulSessionInstanceInterceptor.invokeHome(StatefulSessionInstanceInterceptor.java:128)
      at org.jboss.ejb.plugins.AbstractTxInterceptor.invokeNext(AbstractTxInterceptor.java:88)
      at org.jboss.ejb.plugins.TxInterceptorCMT.runWithTransactions(TxInterceptorCMT.java:243)
      at org.jboss.ejb.plugins.TxInterceptorCMT.invokeHome(TxInterceptorCMT.java:74)
      at org.jboss.ejb.plugins.LogInterceptor.invokeHome(LogInterceptor.java:120)
      at org.jboss.ejb.plugins.ProxyFactoryFinderInterceptor.invokeHome(ProxyFactoryFinderInterceptor.java:93)
      at org.jboss.ejb.StatefulSessionContainer.internalInvokeHome(StatefulSessionContainer.java:398)
      at org.jboss.ejb.Container.invoke(Container.java:694)
      at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
      at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
      at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
      at java.lang.reflect.Method.invoke(Method.java:324)
      at org.jboss.mx.capability.ReflectedMBeanDispatcher.invoke(ReflectedMBeanDispatcher.java:284)
      at org.jboss.mx.server.MBeanServerImpl.invoke(MBeanServerImpl.java:549)
      at org.jboss.invocation.jrmp.server.JRMPInvoker.invoke(JRMPInvoker.java:359)
      at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
      at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
      at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
      at java.lang.reflect.Method.invoke(Method.java:324)
      at sun.rmi.server.UnicastServerRef.dispatch(UnicastServerRef.java:261)
      at sun.rmi.transport.Transport$1.run(Transport.java:148)
      at java.security.AccessController.doPrivileged(Native Method)
      at sun.rmi.transport.Transport.serviceCall(Transport.java:144)
      at sun.rmi.transport.tcp.TCPTransport.handleMessages(TCPTransport.java:460)
      at sun.rmi.transport.tcp.TCPTransport$ConnectionHandler.run(TCPTransport.java:701)
      at java.lang.Thread.run(Thread.java:536)

      Pleas help !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!


        • 1. Re: java client
          Peter Doornbosch Apprentice

          Remove the password-stacking module option from your exa1 policy. You don't need it, and i think i've seen cases previously that were caused by this option...


          • 2. Re: java client
            Jan Radl Newbie

            First thanks for your help.

            I've tried what you said, but the result is the same.


            • 3. Re: java client
              Jan Radl Newbie

              Sorry the exception was changed and now the principal is not null but empty (
              Authentication exception, principal=
              at org. jbos.....


              • 4. Re: java client
                Jan Radl Newbie

                Now It's OK



                • 5. Re: java client
                  philippeback Newbie

                  I have the exact same problem but after 2 days of messing with docs, groups and files, I cannot find the reason why.

                  How did you solved the issue ?

                  Sample files welcome etc.

                  Thanks in advance,


                  • 6. Re: java client
                    Jan Radl Newbie

                    Hi Phil,

                    as attachement I send you my short example of configuration files and client-java app.

                    Good luck


                    • 7. Re: java client
                      philippeback Newbie

                      I've had a look at the sample.
                      I was not too far and this helps tremendously.

                      Thanks a lot for your quick answer !

                      I try it today and post my own version too.

                      • 8. Re: java client
                        philippeback Newbie

                        I tried the sample and it goes trough the whole stack down to the EJB.

                        ... but...

                        I f I give a wrong username and/or password

                        ... it goes trough too.

                        So, the configuration is recognized but the principal is not used.

                        Do your have the same behavior ?

                        Here is the output (from my ant run)

                        [java] before new AppCalllback
                        [java] after new AppCalllback
                        [java] Created LoginContext
                        [java] javax.security.auth.login.LoginContext@f4fb3
                        [java] Subject(Principals{}PublicCredentials{}PrivateCredentials{count=0})
                        [java] 0
                        [java] Got a context
                        [java] Lookup done
                        [java] Got a home
                        [java] Result:Hello Phil

                        • 9. Re: java client
                          fbdoliv Newbie

                          Hello list!!!

                          I'm trying yours examples, but nothing work!!!
                          I'm using ClientLoginModule, for client authentication, but I relly want to do by a database.

                          my auth.conf:
                          client-login {

                          // JBoss LoginModule
                          org.jboss.security.ClientLoginModule required
                          // Put your login modules that need JBoss here

                          my login-config.xml:
                          <application-policy name = "client-login">

                          <login-module code = "org.jboss.security.ClientLoginModule" flag = "required">
                          <module-option name = "unauthenticatedIdentity">nobody</module-option>


                          <application-policy name = "MSSQLDbRealm">

                          <login-module code = "org.jboss.resource.security.ConfiguredIdentityLoginModule" flag = "sufficient">
                          <module-option name = "principal">bernauer</module-option>
                          <module-option name = "userName">bernauer</module-option>
                          <module-option name = "password">1234</module-option>
                          <module-option name = "roles">admin</module-option>
                          <module-option name = "managedConnectionFactoryName">jboss.jca:service=LocalTxCM,name=MSSQLDS</module-option>
                          <login-module code ="org.jboss.security.auth.spi.DatabaseServerLoginModule" flag = "required">
                          <module-option name="dsJndiName">java:/MSSQLDS</module-option>
                          <module-option name="principalsQuery">select PASSWD from USER_PROFILE where USERNAME=?</module-option>
                          <module-option name="rolesQuery">select USER_ROLE, 'Roles' from USER_ROLE where USERNAME=?</module-option>
                          <module-option name = "managedConnectionFactoryName">jboss.jca:service=LocalTxCM,name=MSSQLDS</module-option>
                          <module-option name = "unauthenticatedIdentity">nobody</module-option>


                          How the docs say, the client app will authenticate by ClientLoginModule, and when do a call to a EJB, the username and pass will be authenticated in the DB. But I have the message:

                          Insufficient method permissions, principal=bernauer, method=create, interface=HOME, requiredRoles=[admin], principalRoles=null

                          How you can see, the roles are null.

                          Please Help!!!
                          And sorry my bad English.....


                          • 10. Re: java client
                            Harald Gliebe Novice


                            your auth.conf is ok. Remove the first login-module entry (with org.jboss.resource.security.ConfiguredIdentityLoginModule) from your login-config.xml. This ConfiguredIdentityModule will always return the configured Principal "bernauer" with no roles, the option "roles" isn't recognized by this module. Since the login with this module always succeds and it has flag="sufficient" the database module isn't called at all.
                            So remove this login-module and try again.


                            • 11. Re: java client
                              fbdoliv Newbie

                              Thanks, Harald, for your help, but....

                              if I remove this login-module, the container can't create the new tables. These username and password are the same for the database admin...

                              I believe that I make a mistake, but this work for me. Exist another way to do this?
                              My mssql-service.xml, if can help:

                              <!-- ======================================================================-->
                              <!-- New ConnectionManager setup for Microsoft SQL Server 2000 driver -->
                              <!-- You may download the latest Microsoft JDBC driver from *Microsoft* -->
                              <!-- http://msdn.microsoft.com/downloads/default.asp?url=/downloads/sample.asp?url=/MSDN-FILES/027/001/779/msdncompositedoc.xml&frame=true -->
                              <!-- Build jmx-api (build/build.sh all) and view for config documentation -->
                              <!-- ===================================================================== -->

                              <!-- Include a login module configuration named MSSQLDbRealm.
                              Update your login-conf.xml, here is an example for a
                              <application-policy name = "MSSQLDbRealm">

                              <login-module code = "org.jboss.resource.security.ConfiguredIdentityLoginModule" flag = "required">
                              <module-option name = "principal">public</module-option>
                              <module-option name = "userName">bernauer</module-option>
                              <module-option name = "password">1234</module-option>
                              <module-option name = "managedConnectionFactoryName">jboss.jca:service=LocalTxCM,name=MSSQLDS</module-option>

                              NOTE: the application-policy name attribute must match SecurityDomainJndiName, and the
                              module-option name = "managedConnectionFactoryName"
                              must match the object name of the ConnectionManager you are configuring here.
                              <!--uncomment out this line if you are using the MSSQLDbRealm above -->
                              <depends optional-attribute-name="ManagedConnectionFactoryName">
                              <!--embedded mbean-->


                              <!--<config-property name="ConnectionURL" type="java.lang.String">jdbc:jtds:sqlserver://;DatabaseName=BernauerCRM;User=bernauer;Password=1234</config-property>-->
                              <config-property name="ConnectionURL" type="java.lang.String">jdbc:jtds:sqlserver://;DatabaseName=BernauerCRM</config-property>
                              <config-property name="DriverClass" type="java.lang.String">net.sourceforge.jtds.jdbc.Driver</config-property>
                              <!--set these only if you want only default logins, not through JAAS-->
                              <config-property name="UserName" type="java.lang.String">bernauer</config-property>
                              <config-property name="Password" type="java.lang.String">1234</config-property>

                              <!--Below here are advanced properties -->
                              <depends optional-attribute-name="OldRarDeployment">jboss.jca:service=RARDeployment,name=JBoss LocalTransaction JDBC Wrapper

                              <depends optional-attribute-name="ManagedConnectionPool">
                              <!--embedded mbean-->

                              <!--criteria indicates if Subject (from security domain) or app supplied
                              parameters (such as from getConnection(user, pw)) are used to distinguish
                              connections in the pool. Choices are
                              ByContainerAndApplication (use both),
                              ByContainer (use Subject),
                              ByApplication (use app supplied params only),
                              ByNothing (all connections are equivalent, usually if adapter supports

                              <depends optional-attribute-name="CachedConnectionManager">jboss.jca:service=CachedConnectionManager

                              <depends optional-attribute-name="JaasSecurityManagerService">jboss.security:service=JaasSecurityManager

                              <!--make the rar deploy! hack till better deployment-->

                              And thanks again, for you help!!!!

                              • 12. Re: java client
                                Harald Gliebe Novice

                                Ok, I see, this ConfiguredIdentityModule ist used to specify the db user for MsSQL Server. In that case you shouldn't put the DBLoginModule into that application-configuration in the login-config.xml. Create a new application-configuration with a different name and move the DatabaseServerLoginModule to this configuration.
                                You'll also have to update the jboss.xml for your EJBs and specify this configuration as security-domain:

                                <security-domain>java:/jaas/<name of the configuration</security-domain>


                                • 13. Re: java client
                                  fbdoliv Newbie

                                  Thanks!!! It's working!!!!!

                                  I will help all people with the same problem, I promise!!!

                                  Thanks! Thanks! Thanks!

                                  • 14. Re: java client
                                    Jan Radl Newbie

                                    I've made a mistake in my login-config.xml.

                                    Here is a new one:
                                    <application-policy name = "other">

                                    <login-module code = "org.jboss.security.auth.spi.UsersRolesLoginModule"
                                    flag = "required">
                                    <module-option name = "password-stacking">useFirstPass</module-option>
                                    <module-option name = "unauthenticatedIdentity">nobody</module-option>
                                    <module-option name = "debug">true</module-option>
                                    </login-module> !!!! here was the mistake


                                    Or you can use DB LoginModule
                                    <application-policy name = "exa2">

                                    <login-module code="org.jboss.security.auth.spi.DatabaseServerLoginModule"
                                    flag = "required">
                                    <module-option name = "dsJndiName">java:/jdbc/FB/eimsprod</module-option>
                                    <module-option name = "principalsQuery">select usr_password from tab02300 where usr_login=?</module-option>
                                    <module-option name = "rolesQuery">select c.grp_label, 'Roles' from tab02300 a, tab00420 b, tab00400 c where a.usr_login=? and a.per_id=b.per_id and b.grp_id=c.grp_id</module-option>
                                    <module-option name = "unauthenticatedIdentity">nobody</module-option>
                                    <module-option name = "password-stacking">useFirstPass</module-option>


                                    I hope it helps you.


                                    1 2 Previous Next