19 Replies. Latest reply on Mar 21, 2006 7:20 AM by nigelwhite
      • 15. Re: getting Custom Principal in EJBContext.getCallerPrincipa
        vitto

        I am using JBoss [4.0.1sp1 (build: CVSTag=JBoss_4_0_1_SP1 date=200502160314)].

        • 16. Re: getting Custom Principal in EJBContext.getCallerPrincipa
          jbeck

          I am seeing the same behavior: getUserPrincipal() in the web tier returns my custom principal, but getCallerPrincipal() in the EJB tier returns a SimplePrincipal.

          I'm also using: [4.0.1sp1 (build: CVSTag=JBoss_4_0_1_SP1 date=200502160314)]

          Is this a known bug? Does anyone have any workarounds?

          Jim

          • 17. Re: getting Custom Principal in EJBContext.getCallerPrincipa
            jbeck

            Here's an update...

            I was seeing the same problem in [4.0.3SP1 (build: CVSTag=JBoss_4_0_3_SP1 date=200510231054)]. So I downloaded the source code for jboss and added some log statements to find out why the web tier was returning my custom principal but the EJB tier was not. Here's what I found. In the class org.jboss.ejb.EnterpriseContext, line 345, the "if" was failing because RealmMapping rm was null. That's why the call to getCallerPrincipal() in the ejb tier was returning a SimplePrincipal object instead of my custom principal.

            I went back to my app and added a <security-domain/> element to the jboss dd (jboss.xml) for my EJB. That fixed the problem. Now I am consistently seeing calls to both getUserPrincipal() in the web-tier and getCallerPrincipal() in the EJB tier return my custom principal object.

            Hope this helps...

            Jim

            • 18. Re: getting Custom Principal in EJBContext.getCallerPrincipa
              nigelwhite

              I have the same problem that everyone else has!

              I am doing things correctly in my JAAS LoginModule:

              import javax.security.auth.login.LoginException;
              import org.jboss.security.SimpleGroup;
              import org.jboss.security.auth.spi.AbstractServerLoginModule;

              public class GreenfieldsLoginModule extends AbstractServerLoginModule
              {
                  ...

                  private void createRoleSets() throws LoginException
                  {
                      SimpleGroup roles = new SimpleGroup("Roles");

                      // Add roles held by the user.
                      // Currently, the only role is "User".
                      roles.addMember(new GreenfieldsUserRole("User"));

                      // JBoss reads the "CallerPrincipal" group to decide what
                      // getCallerPrincipal() returns, so the custom identity goes here.
                      SimpleGroup callerPrincipal = new SimpleGroup("CallerPrincipal");
                      callerPrincipal.addMember(getIdentity());

                      roleSets = new SimpleGroup[]{ roles, callerPrincipal };
                  }

                  ...
              }


              It extends AbstractServerLoginModule. The createIdentity() method of that correctly creates my custom principal because I have my login-config.xml set up like this:

              <!-- Greenfields JAAS login module. -->
              <application-policy name="Greenfields">
                  <authentication>
                      <login-module code="com.fcl.security.GreenfieldsLoginModule"
                                    flag="required">
                          <module-option name="unauthenticatedIdentity">anonymous</module-option>
                          <module-option name="principalClass">com.fcl.security.GreenfieldsUser</module-option>
                          <module-option name="ignorePasswordCase">true</module-option>
                      </login-module>
                  </authentication>
              </application-policy>

              In my JSP pages, request.getUserPrincipal() returns a com.fcl.security.GreenfieldsUser as I expect.

              In my first try, my EJB returned a org.jboss.security.SimplePrincipal from ctx.getCallerPrincipal() inside the EJB.

              Now I've added the following jboss.xml to my EJB JAR:

              <?xml version="1.0" encoding="UTF-8"?>
              <jboss>
                  <security-domain>java:/jaas/Greenfields</security-domain>
              </jboss>

              And it's saying

              10:54:48,375 ERROR [UsersRolesLoginModule] Failed to load users/passwords/role files
              java.io.IOException: No properties file: users.properties or defaults: defaultUsers.properties found


              At the point I'm invoking the EJB's method. It's not even getting into the EJB, it's trying to log in again using the properties files!

              This must be so common! I want it to use the same Principal as the web application so that I can use my own custom principal which knows all about the logged-in user, his preferences, and privileges!

              How do I do it?

              • 19. Re: getting Custom Principal in EJBContext.getCallerPrincipa
                nigelwhite

                OK, it's working now.

                Below, our security domain is called "Greenfields". Insert your own String there.

                The key points are that you must have an empty security domain entry in your jboss.xml!!!!! You must not specify the correct one, otherwise the login will not work!

                This means that you must then annotate your EJBs with

                @SecurityDomain("Greenfields")

                Then create a .sar file with META-INF/jboss-service.xml like this

                <?xml version='1.0'?>
                <!DOCTYPE server PUBLIC
                    "-//JBoss//DTD MBean Service 4.0//EN"
                    "http://www.jboss.org/j2ee/dtd/jboss-service_4_0.dtd">
                <!-- The DOCTYPE name must match the root element, server. -->
                <server>
                    <!-- The custom JAAS login configuration that installs
                         a Configuration capable of dynamically updating the
                         config settings -->
                    <mbean code="org.jboss.security.auth.login.DynamicLoginConfig"
                           name="jboss.security.tests:service=LoginConfig">
                        <attribute name="PolicyConfig" serialDataType="jbxb">
                            <jaas:policy
                                xsi:schemaLocation="urn:jboss:security-config:4.1 resource:security-config_4_1.xsd"
                                xmlns:jaas="urn:jboss:security-config:4.1"
                                xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">

                                <!-- Our Greenfields login config -->
                                <jaas:application-policy name="Greenfields">
                                    <jaas:authentication>
                                        <jaas:login-module code="com.fcl.security.GreenfieldsLoginModule" flag="required">
                                            <jaas:module-option name="unauthenticatedIdentity">anonymous</jaas:module-option>
                                            <jaas:module-option name="principalClass">com.fcl.security.GreenfieldsUser</jaas:module-option>
                                            <jaas:module-option name="ignorePasswordCase">true</jaas:module-option>
                                        </jaas:login-module>
                                    </jaas:authentication>
                                </jaas:application-policy>
                            </jaas:policy>
                        </attribute>
                        <depends optional-attribute-name="LoginConfigService">
                            jboss.security:service=XMLLoginConfig
                        </depends>
                        <depends optional-attribute-name="SecurityManagerService">
                            jboss.security:service=JaasSecurityManager
                        </depends>
                    </mbean>
                </server>

                And put your login module into a jar in the SAR. Put the SAR inside the EAR.

                In the login module, have

                private SimpleGroup callerPrincipal = new SimpleGroup("CallerPrincipal");
                private SimpleGroup roles = new SimpleGroup("Roles");
                private Group[] roleSets = { callerPrincipal, roles };


                and in your login method, add your roles to the roles group, and your user principal to the callerPrincipal group.

                This is great (if a bit weird), and web components can correctly ascertain the remote user, and the user's roles using request.getUserPrincipal() and request.isUserInRole().

                Custom roles added to the roles group must extend org.jboss.security.SimplePrincipal to be propagated to the EJB container.
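A complete login module of the kind this reply describes, as an added example that is not the poster's code: it puts the custom principal into the "CallerPrincipal" group and a SimplePrincipal-based role into the "Roles" group, so both request.getUserPrincipal() and ctx.getCallerPrincipal() see the same object. It assumes com.fcl.security.GreenfieldsUser (the thread's principalClass) extends org.jboss.security.SimplePrincipal and has a String constructor; the in-memory USERS map is a constructed stand-in for a real credential store.

```java
import java.security.Principal;
import java.security.acl.Group;
import java.util.*;
import javax.security.auth.callback.*;
import javax.security.auth.login.LoginException;
import org.jboss.security.*;
import org.jboss.security.auth.spi.AbstractServerLoginModule;

public class GreenfieldsLoginModule extends AbstractServerLoginModule {
    // Stand-in for the real credential store: one constructed sample entry.
    private static final Map<String, char[]> USERS = new HashMap<String, char[]>();
    static { USERS.put("alice", "example-password".toCharArray()); }

    private Principal identity; // set in login(), wrapped in CallerPrincipal below

    @Override
    public boolean login() throws LoginException {
        NameCallback nc = new NameCallback("User name: ");
        PasswordCallback pc = new PasswordCallback("Password: ", false);
        try {
            callbackHandler.handle(new Callback[] { nc, pc });
        } catch (Exception e) {
            throw new LoginException("Callback failed: " + e.getMessage());
        }
        char[] expected = USERS.get(nc.getName());
        if (expected == null || !Arrays.equals(expected, pc.getPassword())) {
            throw new LoginException("Invalid user or password"); // same message for both cases
        }
        try {
            identity = createIdentity(nc.getName()); // instantiates principalClass (GreenfieldsUser)
        } catch (Exception e) {
            throw new LoginException("Cannot create principal: " + e.getMessage());
        }
        loginOk = true; // lets AbstractServerLoginModule.commit() populate the Subject
        return true;
    }

    @Override
    protected Principal getIdentity() { return identity; }

    // Group names matter: JBoss reads "Roles" for isUserInRole()/isCallerInRole()
    // and "CallerPrincipal" to decide what getCallerPrincipal() returns.
    @Override
    protected Group[] getRoleSets() throws LoginException {
        SimpleGroup roles = new SimpleGroup("Roles");
        roles.addMember(new SimplePrincipal("User")); // roles must extend SimplePrincipal
        SimpleGroup caller = new SimpleGroup("CallerPrincipal");
        caller.addMember(identity);
        return new Group[] { roles, caller };
    }
}
```

Deploy it under the "Greenfields" application-policy shown above and reference that domain with @SecurityDomain("Greenfields") on the EJB; getCallerPrincipal() then returns the GreenfieldsUser instance rather than a SimplePrincipal.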
