3 Replies Latest reply on Sep 28, 2004 11:32 AM by sdfsd fsdfs

    A web app acting as security proxy

    Dan Thompson Newbie

      I have a secure ejb app, and I need the web app to access it. BUT I don't want the users to authenticate, I want the web container to authenticate.

      So basically the web container acts as a security proxy, authenticating itself, so the users don't have to. and acting on their behalf in order to access the EJB app.

      HOW the heck do I get there... I understand what to do if I had a stand-alone java app I'd configure the clientLoginModule. Is the web contianer configurable somehow to do this?

      dt

        • 1. Re: A web app acting as security proxy
          Dan Thompson Newbie

          AH... UsersRolesLoginModule with unauthenticatedIdentity module option....

          Thanks all

          • 2. Re: A web app acting as security proxy
            piobair Newbie

            I'm doing something similar to this, but haven't managed to find the secret sauce that works yet.

            Using JBOSS 3.2.4 . . .

            What's really confusing is that I can get things to work flawlessly from a stand-alone JUnit. But, once run inside a servelet container I get a classic principal=null exception.

            The client is using hte ClientLoginModule, which shouldn't be attempting to authenticate at the client, right? However the exception is being thrown from the login() method!


            Only thing fancy here is the classpath lookup of the auth.config (which is executing okay).
            private LoginContext lc = null;

            public void login() {
             Properties creds = ConfigurationLocator.getProperties(CREDENTIALS_KEY);
            
            
             URL seedFile = this.getClass().getClassLoader().getResource(LOGIN_CONF);
             String path = seedFile.getPath();
             System.setProperty(LOGIN_CONF_PROP, path);
            
             String user = creds.getProperty(PRINCIPAL);
             String pass = creds.getProperty(CREDENTIAL);
             CallbackHandler handler = new LoginCallbackHandler(user, pass.toCharArray());
             try {
             lc = new LoginContext(creds.getProperty(REALM), handler);
             lc.login();
             } catch (LoginException e) {
             e.printStackTrace();
             }
             }


            client auth.conf:
            clientRealm {
             org.jboss.security.ClientLoginModule required;
            };



            server login-conf.xml
            <application-policy name = "messageGateRealm">
             <authentication>
             <login-module code="org.jboss.security.ClientLoginModule"
             flag="required"/>
            
             <login-module code = "org.jboss.security.auth.spi.UsersRolesLoginModule"
             flag = "required" />
             <module-option name="unauthenticatedIdentity">nobody</module-option>
             </authentication>
             </application-policy>