2 Replies Latest reply on Apr 30, 2005 1:40 PM by Scott Stark

    JAAS Web Security Problem

    Martin Hald Newbie


      I am having some trouble with the JBoss JAAS setup. I have written a series of EJBs that are protected via JAAS and the JBoss security proxy and successfully deployed them into the JBoss server. They are tested using a shell executable along with a jaas.conf and jndi.properties, and the debugging shows that only a valid username/password allows the execution of the EJBs.

      The problem I have is when I try to access the EJBs from the web. I have written a security filter which performs a login using the LoginContext for the duration of the request. From the debugging I can see that the login works successfully. The code fails when it tries to call the EJB, when I get:

      java.lang.SecurityException: Authentication exception, principal=null

      It seems that something within the JBoss web setup is not passing the login credentials. I have edited the login-context.xml to call the appropriate login module (which is called successfully during the security filter which can be seen in my log file). The exception happens in the servlet which calls:

      ServiceLocator locator = ServiceLocator.getInstance();
      SessionCustomerFacadeHome home = (SessionCustomerFacadeHome) locator.getEJBHome(ServiceLocator.SESSION_CUSTOMER_FACADE);
      facade = home.create();
      // << exception happens here >>

      Do you have an idea of what is going wrong? Any help is appreciated. Thanks


        • 1. Re: JAAS Web Security Problem
          Stephan Sichhart Newbie


          I think I have the same problem.

          When I try to create an EJB from a client application, everything works fine.
          As soon as I use an access from a servlet I get this stack trace.

          16:21:28,236 INFO [STDOUT] java.rmi.AccessException: SecurityException; nested exception is:
           javax.security.auth.login.FailedLoginException: No matching username found in Principals
          16:21:28,236 INFO [STDOUT] at org.jboss.ejb.plugins.LogInterceptor.handleException(LogInterceptor.java:370)
          16:21:28,236 INFO [STDOUT] at org.jboss.ejb.plugins.LogInterceptor.invokeHome(LogInterceptor.java:125)
          16:21:28,276 INFO [STDOUT] Caused by: javax.security.auth.login.FailedLoginException: No matching username found in Principals
          16:21:28,276 INFO [STDOUT] at org.jboss.security.auth.spi.DatabaseServerLoginModule.getUsersPassword(DatabaseServerLoginModule.java:103)
          16:21:28,276 INFO [STDOUT] at org.jboss.security.auth.spi.UsernamePasswordLoginModule.login(UsernamePasswordLoginModule.java:156)
          16:21:28,276 INFO [STDOUT] at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
          16:21:28,276 INFO [STDOUT] at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
          16:21:28,276 INFO [STDOUT] at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)

          thanks a lot

          • 2. Re: JAAS Web Security Problem
            Scott Stark Master

            Read the JAAS Howto and how the ClientLoginModule propagates the security context.
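
The mechanism named in the reply above, shown as an added example (not code from any poster in this thread or from JBoss): a servlet filter that logs in through a JAAS policy containing `org.jboss.security.ClientLoginModule`, so the caller's identity is bound to the request thread for the EJB call and cleared afterwards. The class name `EjbIdentityFilter`, the policy name `client-login`, HTTP Basic as the credential source, and Java 8+ (for `java.util.Base64`) are assumptions.

```java
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.util.Base64;
import javax.security.auth.login.*;
import javax.servlet.*;
import javax.servlet.http.*;
import org.jboss.security.auth.callback.UsernamePasswordHandler;

// Added example. Assumes a JAAS policy named "client-login" containing only
// org.jboss.security.ClientLoginModule (flag="required").
public class EjbIdentityFilter implements Filter {
    public void init(FilterConfig cfg) {}
    public void destroy() {}
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletResponse out = (HttpServletResponse) res;
        String[] cred = basicCredentials((HttpServletRequest) req);
        if (cred == null) { out.sendError(HttpServletResponse.SC_UNAUTHORIZED); return; }
        LoginContext lc = null;
        try {
            // ClientLoginModule verifies nothing: it binds the principal and
            // credential to the calling thread so the EJB invocation carries
            // them; the EJB's own security domain authenticates them on the call.
            lc = new LoginContext("client-login",
                    new UsernamePasswordHandler(cred[0], cred[1].toCharArray()));
            lc.login();
            chain.doFilter(req, res);
        } catch (LoginException e) {
            out.sendError(HttpServletResponse.SC_UNAUTHORIZED);
        } finally {
            // Request threads are pooled: always clear the bound identity so
            // it cannot leak into the next request served by this thread.
            if (lc != null) try { lc.logout(); } catch (LoginException ignored) {}
        }
    }
    // Parses "Authorization: Basic base64(user:password)"; null if absent or malformed.
    static String[] basicCredentials(HttpServletRequest r) {
        String h = r.getHeader("Authorization");
        if (h == null || !h.regionMatches(true, 0, "Basic ", 0, 6)) return null;
        try {
            byte[] raw = Base64.getDecoder().decode(h.substring(6).trim());
            String s = new String(raw, StandardCharsets.UTF_8);
            int i = s.indexOf(':');
            return i < 0 ? null : new String[] { s.substring(0, i), s.substring(i + 1) };
        } catch (IllegalArgumentException e) {
            return null;
        }
    }
}
```

A successful `lc.login()` here says nothing about whether the password is valid; a wrong credential surfaces only as a security exception on the EJB call itself.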