7 Replies Latest reply on Jul 6, 2003 3:47 PM by ereze

    JBoss + Tomcat Authentication

    ereze

      Hi, I am trying to integrate the JAAS into my Struts application running on JBoss 3.0.7 + Tomcat.

      I don't understand what happens when a web client accesses a web protected page (protected by means of declarations in Web.xml).
      Does JBossSX, which implements the authentication, take over and perform the authentication?
      Then, after the web page authentication is done, can my Struts action or servlet invoke EJB methods freely, or should it authenticate as well before performing any EJB invocations?

      Thanks,
      -- Erez

        • 1. Re: JBoss + Tomcat Authentication

          If you configure the security domain in jboss-web.xml
          it will authenticate/authorise at the web access.
          If you configure the security domain in jboss.xml
          it will authenticate/authorise at the ejb.

          Regards,
          Adrian

          • 2. Re: JBoss + Tomcat Authentication

            When a client accesses a web protected page, the servlet container checks whether the user is already logged in and, if not, redirects to the login page. After successful login the user is redirected to the page he originally requested.
            When a user is logged in, any call to a protected page will have the correct security credentials associated and subsequent calls to EJBs can be made freely.

            Hth
            Peter.

            • 3. Re: JBoss + Tomcat Authentication
              ereze

              Thanks a lot Peter.

              Just to make sure I got it right.
              Once the user has logged in using the browser, any servlet in that protected area that needs to invoke EJB calls will not have to perform a second login, is that right? Meaning the credentials are already set.

              What security-domain should I use in the
              jboss-web.xml? The same one as the one in the jboss.xml?

              Now I tried just to get any reaction from the Tomcat running as part of JBoss, but nothing really happens. I don't get the BASIC authentication window when I try to access the site - it just lets me in. Is there something wrong with my web.xml:

              <?xml version="1.0" encoding="UTF-8"?>
              <!DOCTYPE web-app PUBLIC "-//Sun Microsystems, Inc.//DTD Web Application 2.3//EN" "http://java.sun.com/dtd/web-app_2_3.dtd">
              <web-app>

              <servlet>
              <servlet-name>action</servlet-name>
              <servlet-class>org.apache.struts.action.ActionServlet</servlet-class>
              <init-param>
              <param-name>config</param-name>
              <param-value>/WEB-INF/struts-config.xml</param-value>
              </init-param>
              <init-param>
              <param-name>debug</param-name>
              <param-value>2</param-value>
              </init-param>
              <load-on-startup>2</load-on-startup>
              </servlet>

              <servlet-mapping>
              <servlet-name>action</servlet-name>
              <url-pattern>*.do</url-pattern>
              </servlet-mapping>

              <taglib>
              <taglib-uri>/tags/struts-bean</taglib-uri>
              <taglib-location>/WEB-INF/struts-bean.tld</taglib-location>
              </taglib>

              <taglib>
              <taglib-uri>/tags/struts-bean-el</taglib-uri>
              <taglib-location>/WEB-INF/struts-bean-el.tld</taglib-location>
              </taglib>

              <taglib>
              <taglib-uri>/tags/struts-html</taglib-uri>
              <taglib-location>/WEB-INF/struts-html.tld</taglib-location>
              </taglib>

              <taglib>
              <taglib-uri>/tags/struts-html-el</taglib-uri>
              <taglib-location>/WEB-INF/struts-html-el.tld</taglib-location>
              </taglib>

              <taglib>
              <taglib-uri>/tags/struts-logic</taglib-uri>
              <taglib-location>/WEB-INF/struts-logic.tld</taglib-location>
              </taglib>

              <taglib>
              <taglib-uri>/tags/struts-logic-el</taglib-uri>
              <taglib-location>/WEB-INF/struts-logic-el.tld</taglib-location>
              </taglib>

              <taglib>
              <taglib-uri>/tags/struts-nested</taglib-uri>
              <taglib-location>/WEB-INF/struts-nested.tld</taglib-location>
              </taglib>

              <taglib>
              <taglib-uri>/tags/struts-template</taglib-uri>
              <taglib-location>/WEB-INF/struts-template.tld</taglib-location>
              </taglib>

              <taglib>
              <taglib-uri>/tags/struts-tiles</taglib-uri>
              <taglib-location>/WEB-INF/struts-tiles.tld</taglib-location>
              </taglib>

              <taglib>
              <taglib-uri>http://java.sun.com/jstl/core</taglib-uri>
              <taglib-location>/WEB-INF/c.tld</taglib-location>
              </taglib>

              <taglib>
              <taglib-uri>http://java.sun.com/jstl/core_rt</taglib-uri>
              <taglib-location>/WEB-INF/c-rt.tld</taglib-location>
              </taglib>

              <taglib>
              <taglib-uri>http://java.sun.com/jstl/fmt</taglib-uri>
              <taglib-location>/WEB-INF/fmt.tld</taglib-location>
              </taglib>

              <taglib>
              <taglib-uri>http://java.sun.com/jstl/fmt_rt</taglib-uri>
              <taglib-location>/WEB-INF/fmt-rt.tld</taglib-location>
              </taglib>

              <taglib>
              <taglib-uri>http://java.sun.com/jstl/sql</taglib-uri>
              <taglib-location>/WEB-INF/sql.tld</taglib-location>
              </taglib>

              <taglib>
              <taglib-uri>http://java.sun.com/jstl/sql_rt</taglib-uri>
              <taglib-location>/WEB-INF/sql-rt.tld</taglib-location>
              </taglib>

              <taglib>
              <taglib-uri>http://java.sun.com/jstl/xml</taglib-uri>
              <taglib-location>/WEB-INF/x.tld</taglib-location>
              </taglib>

              <taglib>
              <taglib-uri>http://java.sun.com/jstl/xml_rt</taglib-uri>
              <taglib-location>/WEB-INF/x-rt.tld</taglib-location>
              </taglib>

              <security-constraint>
              <display-name>Secured Area</display-name>
              <web-resource-collection>
              <web-resource-name>Collection1</web-resource-name>
              <url-pattern>/</url-pattern>
              <http-method>GET</http-method>
              <http-method>POST</http-method>
              </web-resource-collection>
              <auth-constraint>
              <description>Secured Content</description>
              <role-name>User</role-name>
              <role-name>Operator</role-name>
              <role-name>Admin</role-name>
              </auth-constraint>
              <user-data-constraint>
              <transport-guarantee>NONE</transport-guarantee>
              </user-data-constraint>
              </security-constraint>
              <login-config>
              <auth-method>BASIC</auth-method>
              <realm-name>Secured Area</realm-name>
              </login-config>
              <security-role>
              <description>Site Administrator</description>
              <role-name>Admin</role-name>
              </security-role>
              <security-role>
              <description>A member of the site system stuff</description>
              <role-name>Operator</role-name>
              </security-role>
              <security-role>
              <description>Simple user of this site</description>
              <role-name>User</role-name>
              </security-role>
              </web-app>


              Thanks again,

              Erez

              • 4. Re: JBoss + Tomcat Authentication
                ereze

                Ok it finally seems to work...

                Thanks,
                Erez

                • 5. Re: JBoss + Tomcat Authentication
                  ereze

                  I have made some progress, but I still don't really get it.
                  The user enters the site and gets the BASIC login window (it's just for testing purposes); after entering the username and password it logs in correctly and I get the page.
                  Then, when the user tries to perform something, I still get an error when the servlet or
                  Struts Action tries to invoke a method on the Agent stateless session EJB. I get the following:

                  "No method permissions assigned to method=findByUsername, interface=LOCALHOME"

                  I want to mention that my servlet does not log in again using a LoginContext and all that. It just retrieves a reference to the Home Interface and invokes the method. Without security it all works fine.

                  I would really appreciate any help on this, I am a bit stuck here.


                  ---- a snippet from my Struts Action ---
                  // Method name and class taken from the stack trace below (web.SignupAction.isUsernameFree);
                  // the declarations of agent and bFree were not part of the posted fragment, and
                  // AgentLocal is assumed to be the bean's local interface type.
                  private boolean isUsernameFree(String username) throws Exception {
                      AgentLocal agent = null;
                      boolean bFree = false;
                      try {
                          AgentLocalHome home = getAgentHome();
                          agent = home.create();
                          // the container's SecurityInterceptor checks the caller's roles on this call
                          bFree = agent.isUsernameFree(username);
                      } finally {
                          // release, no longer needed
                          if (agent != null)
                              agent.remove();
                      }
                      return bFree;
                  }



                  (I have included the JBoss error log)

                  Here are my configuration files:

                  web.xml
                  -----------
                  <security-constraint>
                  <display-name>Secured Area</display-name>
                  <web-resource-collection>
                  <web-resource-name>Collection1</web-resource-name>
                  <url-pattern>/</url-pattern>
                  <http-method>GET</http-method>
                  <http-method>POST</http-method>
                  </web-resource-collection>
                  <auth-constraint>
                  <description>Secured Content</description>
                  <role-name>User</role-name>
                  <role-name>Operator</role-name>
                  <role-name>Admin</role-name>
                  </auth-constraint>
                  <user-data-constraint>
                  <transport-guarantee>NONE</transport-guarantee>
                  </user-data-constraint>
                  </security-constraint>
                  <login-config>
                  <auth-method>BASIC</auth-method>
                  <realm-name>Secured Area</realm-name>
                  </login-config>
                  <security-role>
                  <description>Site Administrator</description>
                  <role-name>Admin</role-name>
                  </security-role>
                  <security-role>
                  <description>A member of the site system stuff</description>
                  <role-name>Operator</role-name>
                  </security-role>
                  <security-role>
                  <description>Simple user of this site</description>
                  <role-name>User</role-name>
                  </security-role>
                  </web-app>

                  --------------------
                  jboss-web.xml
                  --------------------
                  <?xml version="1.0" encoding="UTF-8"?>
                  <!DOCTYPE jboss-web PUBLIC "-//JBoss//DTD Web Application 2.3//EN" "http://www.jboss.org/j2ee/dtd/jboss-web_3_0.dtd">
                  <jboss-web>
                  <security-domain>java:/jaas/other</security-domain>
                  </jboss-web>


                  -------------
                  jboss.xml
                  -------------

                  <security-domain>java:/jaas/other</security-domain>
                  <enterprise-beans>

                  <ejb-name>SequenceGenerator</ejb-name>
                  <local-jndi-name>SequenceGeneratorLocal</local-jndi-name>


                  <ejb-name>Agent</ejb-name>
                  <jndi-name>Agent</jndi-name>
                  <local-jndi-name>AgentLocal</local-jndi-name>


                  <ejb-name>Sequence</ejb-name>
                  <local-jndi-name>Sequence</local-jndi-name>


                  <ejb-name>Profile</ejb-name>
                  <local-jndi-name>Profile</local-jndi-name>


                  <ejb-name>User</ejb-name>
                  <local-jndi-name>User</local-jndi-name>


                  <ejb-name>Search</ejb-name>
                  <local-jndi-name>Search</local-jndi-name>

                  </enterprise-beans>



                  ----------------
                  ejb-jar.xml
                  ----------------
                  <assembly-descriptor>
                  <security-role>
                  <role-name>User</role-name>
                  </security-role>
                  <security-role>
                  <role-name>Admin</role-name>
                  </security-role>
                  <method-permission>
                  <role-name>User</role-name>
                  <role-name>Admin</role-name>
                  <method>
                  <ejb-name>Agent</ejb-name>
                  <method-name>*</method-name>
                  </method>
                  </method-permission>
                  ...
                  </assembly-descriptor>
                  ...


                  ------------------------
                  JBoss error log
                  ------------------------


                  21:42:12,205 ERROR [Engine] ----- Root Cause -----
                  javax.ejb.EJBException: checkSecurityAssociation; CausedByException is:
                  No method permissions assigned to method=findByUsername, interface=LOCALHOME
                  at org.jboss.ejb.plugins.SecurityInterceptor.checkSecurityAssociation(SecurityInterceptor.java:191)
                  at org.jboss.ejb.plugins.SecurityInterceptor.invokeHome(SecurityInterceptor.java:94)
                  at org.jboss.ejb.plugins.LogInterceptor.invokeHome(LogInterceptor.java:133)
                  at org.jboss.ejb.EntityContainer.invokeHome(EntityContainer.java:487)
                  at org.jboss.ejb.plugins.local.BaseLocalContainerInvoker.invokeHome(BaseLocalContainerInvoker.java:230)
                  at org.jboss.ejb.plugins.local.LocalHomeProxy.invoke(LocalHomeProxy.java:110)
                  at $Proxy67.findByUsername(Unknown Source)
                  at services.AgentBean.isUsernameFree(AgentBean.java:227)
                  at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
                  at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
                  at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
                  at java.lang.reflect.Method.invoke(Method.java:324)
                  at org.jboss.ejb.StatelessSessionContainer$ContainerInterceptor.invoke(StatelessSessionContainer.java:660)
                  at org.jboss.resource.connectionmanager.CachedConnectionInterceptor.invoke(CachedConnectionInterceptor.java:186)
                  at org.jboss.ejb.plugins.StatelessSessionInstanceInterceptor.invoke(StatelessSessionInstanceInterceptor.java:77)
                  at org.jboss.ejb.plugins.AbstractTxInterceptor.invokeNext(AbstractTxInterceptor.java:107)
                  at org.jboss.ejb.plugins.TxInterceptorCMT.runWithTransactions(TxInterceptorCMT.java:237)
                  at org.jboss.ejb.plugins.TxInterceptorCMT.invoke(TxInterceptorCMT.java:98)
                  at org.jboss.ejb.plugins.SecurityInterceptor.invoke(SecurityInterceptor.java:130)
                  at org.jboss.ejb.plugins.LogInterceptor.invoke(LogInterceptor.java:208)
                  at org.jboss.ejb.StatelessSessionContainer.invoke(StatelessSessionContainer.java:313)
                  at org.jboss.ejb.plugins.local.BaseLocalContainerInvoker.invoke(BaseLocalContainerInvoker.java:301)
                  at org.jboss.ejb.plugins.local.StatelessSessionProxy.invoke(StatelessSessionProxy.java:83)
                  at $Proxy72.isUsernameFree(Unknown Source)
                  at web.SignupAction.isUsernameFree(SignupAction.java:180)
                  at web.SignupAction.processBasicInfo(SignupAction.java:110)
                  at web.SignupAction.execute(SignupAction.java:229)
                  at org.apache.struts.action.RequestProcessor.processActionPerform(RequestProcessor.java:465)
                  at org.apache.struts.action.RequestProcessor.process(RequestProcessor.java:274)
                  at org.apache.struts.action.ActionServlet.process(ActionServlet.java:1422)
                  at org.apache.struts.action.ActionServlet.doPost(ActionServlet.java:523)
                  at javax.servlet.http.HttpServlet.service(HttpServlet.java:760)
                  at javax.servlet.http.HttpServlet.service(HttpServlet.java:853)
                  at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:247)
                  at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:193)
                  at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:256)
                  at org.apache.catalina.core.StandardPipeline$StandardPipelineValveContext.invokeNext(StandardPipeline.java:643)
                  at org.apache.catalina.core.StandardPipeline.invoke(StandardPipeline.java:480)
                  at org.apache.catalina.core.ContainerBase.invoke(ContainerBase.java:995)
                  at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:191)
                  at org.apache.catalina.core.StandardPipeline$StandardPipelineValveContext.invokeNext(StandardPipeline.java:643)
                  at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:551)
                  at org.apache.catalina.core.StandardPipeline$StandardPipelineValveContext.invokeNext(StandardPipeline.java:641)
                  at org.apache.catalina.valves.CertificatesValve.invoke(CertificatesValve.java:246)
                  at org.apache.catalina.core.StandardPipeline$StandardPipelineValveContext.invokeNext(StandardPipeline.java:641)
                  at org.apache.catalina.core.StandardPipeline.invoke(StandardPipeline.java:480)
                  at org.apache.catalina.core.ContainerBase.invoke(ContainerBase.java:995)
                  at org.apache.catalina.core.StandardContext.invoke(StandardContext.java:2415)
                  at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:180)
                  at org.apache.catalina.core.StandardPipeline$StandardPipelineValveContext.invokeNext(StandardPipeline.java:643)
                  at org.apache.catalina.valves.ErrorDispatcherValve.invoke(ErrorDispatcherValve.java:171)
                  at org.apache.catalina.core.StandardPipeline$StandardPipelineValveContext.invokeNext(StandardPipeline.java:641)
                  at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:172)
                  at org.apache.catalina.core.StandardPipeline$StandardPipelineValveContext.invokeNext(StandardPipeline.java:641)
                  at org.apache.catalina.valves.AccessLogValve.invoke(AccessLogValve.java:509)
                  at org.apache.catalina.core.StandardPipeline$StandardPipelineValveContext.invokeNext(StandardPipeline.java:641)
                  at org.apache.catalina.core.StandardPipeline.invoke(StandardPipeline.java:480)
                  at org.apache.catalina.core.ContainerBase.invoke(ContainerBase.java:995)
                  at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:174)
                  at org.apache.catalina.core.StandardPipeline$StandardPipelineValveContext.invokeNext(StandardPipeline.java:643)
                  at org.apache.catalina.core.StandardPipeline.invoke(StandardPipeline.java:480)
                  at org.apache.catalina.core.ContainerBase.invoke(ContainerBase.java:995)
                  at org.apache.coyote.tomcat4.CoyoteAdapter.service(CoyoteAdapter.java:223)
                  at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:594)
                  at org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.processConnection(Http11Protocol.java:392)
                  at org.apache.tomcat.util.net.TcpWorkerThread.runIt(PoolTcpEndpoint.java:565)
                  at org.apache.tomcat.util.threads.ThreadPool$ControlRunnable.run(ThreadPool.java:619)
                  at java.lang.Thread.run(Thread.java:536)
                  java.lang.SecurityException: No method permissions assigned to method=findByUsername, interface=LOCALHOME
                  at org.jboss.ejb.plugins.SecurityInterceptor.checkSecurityAssociation(SecurityInterceptor.java:190)
                  at org.jboss.ejb.plugins.SecurityInterceptor.invokeHome(SecurityInterceptor.java:94)
                  ...
                  ...


                  Thanks a lot,
                  -- Erez






                  • 6. Re: JBoss + Tomcat Authentication
                    haraldgliebe

                    If you have set a security-domain for your EJB and have no permissions assigned to a method of this bean, the container doesn't allow this method to be accessed. Define an 'unchecked' method permission for these methods in the ejb-jar.xml:

                    <assembly-descriptor>
                    <method-permission>
                    <unchecked/>
                    <method>
                    <ejb-name>UncheckedEJB</ejb-name>
                    <method-name>*</method-name>
                    </method>
                    </method-permission>
                    </assembly-descriptor>


                    Regards,
                    Harald
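As an added example (not code from this thread or from JBoss), here is an EJB 2.0 assembly-descriptor that shows both ways out of the "No method permissions assigned to method=findByUsername, interface=LOCALHOME" error above: granting the web roles on the entity bean that Agent calls internally, and the unchecked permission Harald describes. The stack trace only shows that the finder lives on an entity bean's local home, so the bean name UserEntity is a hypothetical placeholder; Agent, User and Admin come from the configuration posted earlier in the thread.

```xml
<!-- Added example, not from this thread. UserEntity is a placeholder for the entity
     bean whose LocalHome finder is called from services.AgentBean; Agent, User and
     Admin are the names used in the thread's own ejb-jar.xml. -->
<assembly-descriptor>
  <security-role>
    <role-name>User</role-name>
  </security-role>
  <security-role>
    <role-name>Admin</role-name>
  </security-role>

  <!-- Already present in the thread: the Agent session bean is open to both roles. -->
  <method-permission>
    <role-name>User</role-name>
    <role-name>Admin</role-name>
    <method>
      <ejb-name>Agent</ejb-name>
      <method-name>*</method-name>
    </method>
  </method-permission>

  <!-- Preferred fix: grant the same roles on the entity bean. The web user's principal
       propagates on the local call from AgentBean, so the SecurityInterceptor checks
       the same roles here. method-intf narrows a grant to one interface; the allowed
       values are Home, Remote, LocalHome and Local. -->
  <method-permission>
    <role-name>User</role-name>
    <role-name>Admin</role-name>
    <method>
      <ejb-name>UserEntity</ejb-name>
      <method-intf>LocalHome</method-intf>
      <method-name>findByUsername</method-name>
    </method>
    <method>
      <ejb-name>UserEntity</ejb-name>
      <method-intf>Local</method-intf>
      <method-name>*</method-name>
    </method>
  </method-permission>

  <!-- Alternative from the reply above, shown commented out because it would overlap
       the grant just made: unchecked opens the listed methods to every caller, whether
       or not a principal is associated with the call. Reserve it for methods that
       genuinely need no caller role.

  <method-permission>
    <unchecked/>
    <method>
      <ejb-name>UserEntity</ejb-name>
      <method-intf>LocalHome</method-intf>
      <method-name>findByUsername</method-name>
    </method>
  </method-permission>
  -->

  <!-- Methods in the exclude-list are denied to every caller regardless of role;
       useful for operations the web tier should never reach, such as deleting rows. -->
  <exclude-list>
    <method>
      <ejb-name>UserEntity</ejb-name>
      <method-intf>Local</method-intf>
      <method-name>remove</method-name>
    </method>
  </exclude-list>
</assembly-descriptor>
```

The role-based grant is the one to reach for when the EJB already sits in a security domain: it keeps the container's check meaningful for calls that arrive without a web login (for example a remote client), whereas an unchecked permission removes the check for that method entirely. An exclude-list entry wins over any method-permission that lists the same method, so it is the place to pin down methods that must stay unreachable.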

                    • 7. Re: JBoss + Tomcat Authentication
                      ereze

                      It works now. Thanks.

                      -- Erez