2 Replies Latest reply on Aug 5, 2004 7:26 PM by auckyboy

    Problems Using DabaseServerLoginModule

    Natalia Fill Newbie

      Hi,
      I'm having problems setting up JAAS security in JBoss 3.2.3.
      (I have few years experience as java programmer, but JBoss is relatively new to me). I would be grateful if someone can help me with this problem.
      I configured DatabaseServerLoginModule, set up Principals and Roles tables in HSQL as described in JBoss documentation, written custom CallBack handler.
      When I invoke login from servlet, Subject is found correctly as defined in database tables and login parameters supplied to handler. So user was authenticated: user name and role printed out correctly. The test code is:

      LoginContext loginContext = new LoginContext("client-login", handler);
       loginContext.login();
       Subject subject = loginContext.getSubject();
       System.out.println("Subject from servlet : " + subject.toString());
       accDelegate = new AccountDelegate();
       String message = accDelegate.createAccountFacade();
       System.out.println(message);


      When I try to create AccountFacade bean (stateful session bean), from accDelegate object (Business Delegate and Service Locator design patterns are applied), I get SecurityException insufficient method permissions. Required role=[Buyer] principal roles=null. But servlet already confirmed that the Principal was authenticated with the role 'Buyer'. It looks like the authenticated Subject is not propaged by the container with the next method call.
      The other settings are as follows:

      login-config.xml
      <policy>
       <!-- Used by clients within the application server VM such as
       mbeans and servlets that access EJBs.
       -->
       <application-policy name = "client-login">
       <authentication>
       <login-module code = "org.jboss.security.ClientLoginModule"
       flag = "required">
       </login-module>
       </authentication>
       </application-policy>
      
       <!-- =================================================================================
       LOG IN MODULE added by me
       Login module uses dabase to check user name and password -->
      
       <application-policy name = "dbAuthentication">
       <authentication>
       <login-module code = "org.jboss.security.auth.spi.DatabaseServerLoginModule"
       flag = "required">
       <module-option name = "unauthenticatedIdentity">nobody</module-option>
       <module-option name = "dsJndiName">java:/DefaultDS</module-option>
       </login-module>
       </authentication>
       </application-policy>
      
       <!-- =================================================================================== -->
      
      </policy>
      
      auth.conf
      other {
       // jBoss LoginModule
       org.jboss.security.ClientLoginModule required
       ;
      
       // Put your login modules that need jBoss here
      };
      
      client-login {
       // jBoss LoginModule
       org.jboss.security.ClientLoginModule required
       ;
      
       // Put your login modules that need jBoss here
      };
      
       dbAuthentication {
       // jBoss LoginModule added by me
       org.jboss.security.auth.spi.DatabaseServerLoginModule required
       ;
       unauthenticatedIdentity="nobody";
       dsJndiName="java:/DefaultDS"
      
       // Put your login modules that need jBoss here
      };
      
      jboss.xml
      <?xml version="1.0" encoding="UTF-8"?>
      <!DOCTYPE jboss PUBLIC "-//JBoss//DTD JBOSS 3.2//EN" "http://www.jboss.org/j2ee/dtd/jboss_3_2.dtd">
      <jboss>
       <security-domain>java:/jaas/dbAuthentication</security-domain>
       <unauthenticated-principal>nobody</unauthenticated-principal>
       <enterprise-beans>
       <session>
       <ejb-name>AccountFacadeBean</ejb-name>
       <jndi-name>AccountFacadeBean</jndi-name>
       </session>
       <session>
       <ejb-name>AccountControl</ejb-name>
       <jndi-name>AccountControl</jndi-name>
       <local-jndi-name>AccountControlLocal</local-jndi-name>
       </session>
       </enterprise-beans>
      </jboss>
      
      ejb-jar.xml
       ................ other tags ............
       <security-role>
       <role-name>Buyer</role-name>
       </security-role>
       <security-role>
       <role-name>Supplier</role-name>
       </security-role>
       <method-permission>
       <role-name>Buyer</role-name>
       <method>
       <ejb-name>AccountFacadeBean</ejb-name>
       <method-intf>Home</method-intf>
       <method-name>create</method-name>
       </method>
       <method>
       <ejb-name>AccountFacadeBean</ejb-name>
       <method-intf>Remote</method-intf>
       <method-name>getUser</method-name>
       </method>
       </method-permission>
      


      Thank you in advance
      Natalia