2 Replies Latest reply on Jul 29, 2004 6:58 AM by Pablo Martinez

    How to login (security) when using Cactus unit tests?

    Pablo Martinez Newbie

      I have some EJBs with local and remote interfaces and I'm fiding my way with the security configuration. I have test cases that run with JUnit for both remote and local interfaces.
      When I run my test cases for the remote interfaces, I can do the user login (name/password) from the JUnit test cases themselves (using the CallbackHandler -> I learnt about from the "JASS HowTo" doc).

      But now I want to test the "Local" interfaces using Cactus. So I need to do the user login from the Cactus servlet that is invoked from my JUnit client to execute the tests within the container. Again, my test cases will try to do the login using the Callbackhandler. But that strategy doesn't work: at the moment of the invocation to create an EJB the container throws an exception: Principal=null!!

      So if I understand correctly, the user credentials are NOT attached to the EJB context (as it was the case when I did the EJBs invocations remotely, outside of the container)

      ***My question***
      How can I set the user/password when my tests are invoked by the Cactus servlet? That is, when my test cases run *within* the container. I guess that in a normal web application, the server will automatically open a dialog asking the user to login. But I do NOT want that here (in fact there's NO user interaction through the web browser). I need a way to do the login silently.

      Can anyone help ?? Maybe provide some the links to read the solution somewhere else ?? I'd appreciate if some of you would summarize the big picture (and not only give a precise answer).

      Thank u,

      Pablo

        • 1. Re: How to login (security) when using Cactus unit tests?
          Scott Stark Master

          The same as any other java client. See the current JAAS Howto topic in this forum which gives an example of a servlet doing a jaas login via a filter.

          • 2. solved: How to login (security) when using Cactus unit tests
            Pablo Martinez Newbie

            I found the solution to my problem and I decided to write down the explanation in case someone else could ever need it :) Below I also cite a couple of links that helped me out.

            First, I needed to understand the concrete problem I was trying to fix, find a precise definition. And this is it: "invoke secured EJBs from clients running in insecure servlets, doing the login programmatically (without a popup dialog)". More precisely, the servlet is the Cactus servlet and the client are JUnit test cases that test the local interfaces exposed by some EJBs.

            To give you a little more context: I wrote a couple of EJBs with remote and local interfaces. I decided to make the EJBs secure by adding roles constraints for every method. I also wrote some JUnit test cases that run from Eclipse.

            In the case of the *remote* interfaces, I can perfectly run the test cases from Eclipse. As my EJBs are secured, my test cases need to do a *JAAS login* before getting any reference to the home interfaces. This way, the client credentials are passed on to the servlet with every remote method invocation. This (the credentials attachment) is totally transparent for me. All I need to do is the JAAS client login in the test cases. I do that using a Callback handler and using the "client-login" domain to identify the security configuration. The "client-login" domain configuration corresponds to the "ClientLoginModule". This is defined in the file "auth.conf" file that I point to from the "java.security.auth.login.config" System property. It works fine: my test cases can invoke the methods on the remote EJBs deployed on the server.

            Next, I wanted to unit test the local interfaces using Cactus. I simply packed everything in one .ear file, including the .war with the Cactus library and test cases and the .jar with the EJB deployment. I did NOT configure any security for the Cactus servlet. After all, all I want to do is to handle security at the EJB level. I execute the test cases from Eclipse (the cactus framework delegates the invocation to the servlet running on the server). On the server, my test cases are again doing the JAAS login using the CallbackHandler and the "client-login". It is IMPORTANT to notice that in this case, the configuration of the "client-login" domain is retrieved from the "default\conf\login-config.xml" file in the JBoss installation. It's a server thing! This is different from the first scenario, where the actual configuration of the domain is retrieved from the "auth.conf" file (see above).
            And it works fine: although the Cactus servlet is not secured, my test cases can do the JAAS login silently before retrieving the home interfaces and after that the credentials are propagated with every method invocation on the EJBs.

            The problem I posted a couple of days ago was related to the fact that I didn't know that in the two cases (execution of test cases inside/outside the container) the configuration of the login modules is read from different sources.

            I hope the explanation can help someone else out there. I prefer not to post code fragments 'cause then it's more complicated to understand (I prefer text-based explanations that tell a story!).

            References to check out:
            -"Using J2EE security in web application" by Peter Doornbosch (http://www.luminis.nl/publications/websecurity.html)
            -"JASS how to" By Scott Stark (Security forum at http://www.jboss.org)