3 Replies Latest reply on Jun 19, 2004 1:17 PM by kuchhal

    Security Exception while trying to access secured EJB

    kuchhal Newbie

      Hi!, I am trying a sample EJB application to R&D some security related issues. I want to access EJB through a web application as well as a Swing client. I have set approriate <method-permission> in EJB deployment descriptor. I am using users.properties/roles.properties file for authentication mechanism.
      - On the web application side I am using BASIC authentication and the servlet is able to access the EJB OK, as long as I am using a login/password that has access to the EJB.
      - Now I am trying to access the EJB using a stand alone Java class. These are the things I have tried till now:
      =>Created a InitialContext with appropriate principal, credentials and tried getting a reference to EJB home interface. That resulted in security exception.
      =>Logged into a LoginContext by using appropriate JBossSX classes and then tried getting a EJB home interface. Again security exception.
      Now I am not sure what to do. I read at some places about client side container but not sure what that is. Can anyone give some ideas to try? Is there any other way I can make a swing application and a web applicatin authenticate to EJB container?
      Also can anyone point me to any documentation that gives some idea about how the security credentials gets propagated from web application to EJB container?

        • 2. Re: Security Exception while trying to access secured EJB
          kuchhal Newbie

          I read the article and based on it the following standalone class should be able to access the remote EJB because the logincontext.login() call succeeds. Is there anything wrong with this class?

          ===============================================
          package tutorial.client;

          import java.util.Hashtable;
          import java.util.Iterator;
          import java.util.Set;

          import javax.naming.Context;
          import javax.naming.InitialContext;
          import javax.rmi.PortableRemoteObject;
          import javax.security.auth.callback.*;
          import javax.security.auth.login.LoginContext;
          import javax.security.auth.login.LoginException;

          import tutorial.interfaces.Fibo;
          import tutorial.interfaces.FiboHome;


          public class ClientMain {
          static class AppCallbackHandler implements CallbackHandler
          {
          private String username;
          private char[] password;

          public AppCallbackHandler(String username, char[] password)
          {
          this.username = username;
          this.password = password;
          }

          public void handle(Callback[] callbacks) throws
          java.io.IOException, UnsupportedCallbackException
          {
          for (int i = 0; i < callbacks.length; i++)
          {
          if (callbacks instanceof NameCallback)
          {
          NameCallback nc = (NameCallback)callbacks
          ;
          nc.setName(username);
          }
          else if (callbacks instanceof PasswordCallback)
          {
          PasswordCallback pc = (PasswordCallback)callbacks
          ;
          pc.setPassword(password);
          }
          else
          {
          throw new UnsupportedCallbackException(callbacks, "Unrecognized Callback");
          }
          }
          }
          }

          public static void main(String[] args) {
          FiboHome home;
          String name = "login";
          char[] password = "password".toCharArray();
          try {
          AppCallbackHandler handler = new AppCallbackHandler(name, password);
          LoginContext lc = new LoginContext("TestClient", handler);
          System.out.println("Created LoginContext");
          lc.login();
          } catch (LoginException le) {
          System.out.println("Login failed");
          le.printStackTrace();
          }

          try {
          Hashtable env = new Hashtable();
          env.put(Context.INITIAL_CONTEXT_FACTORY, "org.jnp.interfaces.NamingContextFactory");
          env.put(Context.PROVIDER_URL, "jnp://localhost:1099");
          env.put(Context.OBJECT_FACTORIES, "org.jboss.naming:org.jnp.interfaces");

          Context context = new InitialContext(env);
          Object ref = context.lookup("ejb/tutorial/Fibo");
          home = (FiboHome) PortableRemoteObject.narrow(ref, FiboHome.class);

          env = context.getEnvironment();
          Set keys = env.keySet();
          Iterator it = keys.iterator();
          while (it.hasNext()) {
          Object next = it.next();
          System.out.println("key: " + next + ", value: " + env.get(next));
          }

          Fibo bean = home.create();
          double[] result = bean.compute(5);
          bean.remove();
          System.out.println("The first 5 Fibonacci numbers ");
          for (int i = 0; i < result.length; i++) {
          System.out.println(result
          );
          }
          } catch (Exception e) {
          e.printStackTrace();
          }
          }
          }
          ===============================================

          • 3. Re: Security Exception while trying to access secured EJB
            kuchhal Newbie

            Never mind it is working now. I realized that I should use org.jboss.security.ClientLoginModule in auth.conf instead of org.jboss.security.auth.spi.UsersRolesLoginModule on the client side (standalone class)