isCallerInRole returns no security context-set with webstart
Hi,
I have been fighting this thing for days. I have read the JAAS how to and I've read through the whole forum and still not got this right.
Maybe I've become blind to my own code.
I use jboss-3.2.5.
The architecture of my application is following:
I have an ear that holds one jar package of one single Statefull Session Bean. It also holds one war package of one single html file, one jnlp file (web start init file) and packed and signed jar package
of a web start client application. One thing that I am not quite sure is right way to go, is that I also deploy the client jar as it self inside the ear. Is that a correct approach as on many threads on this forum people are talking about j2ee.clientName jndi attribute?
All of the packages have their own descriptors in place, I'll show them in the end of this post.
The application environment works fine. Both as offline client and from web start deployment.
When I started trying to fix this JAAS thing I first used my own LoginModule and Principal. Authentication worked fine, the problems started when I wanted to use authorization on my SessionBeans methods.
The exception of IllagaState has been around all the time when I call the isCallerInRole in a SessionBean.
'java.lang.IllegalStateException: isCallerInRole() called with no security context. Check that a security-domain has been set for the application'
Now I do the authentication this way: I have client side conf and policy files, policy is AllPermissions and conf uses ClientLoginModule. This is able to put principal and credential using SecurityAssociationHandler and perform login.
After this I create SessionBean that makes its own login using the same code and uses DatabaseServerLoginModule.
I have both in server side client/auth.conf and server/default/conf/login-config.xml set both the ClientLoginModule and DatabaseServerLoginModule in use.
In server.log TRACE it states that the Principal is authenticated and roles are set, after this I can loop through in the SessionBean the lc.getSubject() and the roles are there.
I have stated in the descriptors security roles and method permissions and the security-domain.
I have by now tried this with two session beans and several different options on roles and unchecked and it just feel amazing some has got this right.
Here are the description files and all other conf files.
JaasClient.policy
************************************
grant
{
permission java.security.AllPermission;
};
JaasClient.conf
*************************************
client {
org.jboss.security.ClientLoginModule required;
};
jboss.xml
**************************************
<?xml version="1.0"?>
<security-domain>java:/jaas/Test</security-domain>
<enterprise-beans>
<ejb-name>LoginSessionEJB</ejb-name>
<jndi-name>ejb/LoginSessionHome</jndi-name>
</enterprise-beans>
application.xml
*****************************************
<?xml version="1.0"?>
<!DOCTYPE application PUBLIC
"-//Sun Microsystems, Inc.//DTD J2EE Application 1.3//EN"
"http://java.sun.com/dtd/application_1_3.dtd">
<display-name>Test application</display-name>
Test
Test_EJB.jar
<web-uri>Test.war</web-uri>
<context-root>Test</context-root>
Test_Client.jar
ejb-jar.xml
***********************************************
<?xml version="1.0"?>
<!DOCTYPE ejb-jar PUBLIC
"-//Sun Microsystems, Inc.//DTD Enterprise JavaBeans 2.0//EN"
"http://java.sun.com/dtd/ejb-jar_2_0.dtd">
<ejb-jar>
<enterprise-beans>
<!-- Business Session Bean -->
<ejb-name>LoginSessionEJB</ejb-name>
session.LoginSessionHome
session.LoginSessionRemote
<ejb-class>session.LoginSessionBean</ejb-class>
<session-type>Stateful</session-type>
<transaction-type>Container</transaction-type>
<security-role-ref>
<role-name>USER</role-name>
<role-link>USER</role-link>
</security-role-ref>
<security-role-ref>
<role-name>UNKNOWN</role-name>
<role-link>UNKNOWN</role-link>
</security-role-ref>
</enterprise-beans>
<assembly-descriptor>
<security-role>
USER
<role-name>USER</role-name>
</security-role>
<security-role>
UKNOWN
<role-name>UNKNOWN</role-name>
</security-role>
<method-permission>
<role-name>USER</role-name>
<ejb-name>LoginSessionEJB</ejb-name>
<method-name>*</method-name>
</method-permission>
<method-permission>
<role-name>UNKNOWN</role-name>
<ejb-name>LoginSessionEJB</ejb-name>
<method-name>*</method-name>
</method-permission>
<container-transaction>
<ejb-name>LoginSessionEJB</ejb-name>
<method-name>*</method-name>
<trans-attribute>Required</trans-attribute>
</container-transaction>
</assembly-descriptor>
</ejb-jar>
jboss-web.xml
*********************************************
<jboss-web>
<ejb-ref>
<jndi-name>LoginSessionEJB</jndi-name>
<ejb-ref-type>Session</ejb-ref-type>
session.LoginSessionHome
session.LoginSessionRemote
<ejb-link>LoginSessionEJB</ejb-link>
</ejb-ref>
</jboss-web>
web.xml
***************************************************
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE web-app PUBLIC "-//Sun Microsystems, Inc.//DTD Web Application 2.3//EN" "http://java.sun.com/dtd/web-app_2_3.dtd">
<web-app>
<!--
<small-icon>images/small_m.png</small-icon>
<large-icon>images/large_m.png</large-icon>
-->
<display-name>Test_Client</display-name>
WebModule to handle the java web start application that will serve as client.
<welcome-file-list>
<welcome-file>Test_Client.html</welcome-file>
</welcome-file-list>
<ejb-ref>
<ejb-ref-name>ejb/LoginSessionHome</ejb-ref-name>
<ejb-ref-type>Session</ejb-ref-type>
session.LoginSessionHome
session.LoginSessionRemote
<ejb-link>LoginSessionEJB</ejb-link>
</ejb-ref>
</web-app>
jboss-client.xml
*********************************************************
<jboss-client>
<jndi-name>TestClient</jndi-name>
<ejb-ref>
<ejb-ref-name>LoginSessionEJB</ejb-ref-name>
<jndi-name>LoginSessionEJB</jndi-name>
</ejb-ref>
</jboss-client>
application-client.xml
**********************************************************
<application-client>
<display-name>Test Client</display-name>
<ejb-ref>
<ejb-ref-name>LoginSessionEJB</ejb-ref-name>
<ejb-ref-type>Session</ejb-ref-type>
session.LoginSessionHome
session.LoginSessionRemote
</ejb-ref>
</application-client>
login-config.xml
************************************************************
<application-policy name = "Test">
<login-module code="org.jboss.security.ClientLoginModule" flag="required"/>
<login-module code="org.jboss.security.auth.spi.DatabaseServerLoginMo dule" flag="required">
<module-option name ="dsJndiName">java:/MySqlDS</module-option>
<module-option name="principalsQuery">select password from user where username=?</module-option>
<module-option name="rolesQuery">select role, 'Roles' from role where username=?</module-option>
</login-module>
</application-policy>
I already checked that the indexes of database table cells match the way they are suposed to with this DatabaseServerLoginModule. 0 username, 1 role, 2 repalced by 'Roles'
auth.conf
*********************************************************
srp-client {
// Example client auth.conf for using the SRPLoginModule
org.jboss.security.srp.jaas.SRPLoginModule required
password-stacking="useFirstPass"
principalClassName="org.jboss.security.SimplePrincipal"
srpServerJndiName="SRPServerInterface"
debug=true
;
// jBoss LoginModule
org.jboss.security.ClientLoginModule required
password-stacking="useFirstPass"
;
// Put your login modules that need jBoss here
};
Test {
org.jboss.security.ClientLoginModule required;
org.jboss.security.auth.spi.DatabaseServerLoginModule required;
}
other {
// jBoss LoginModule
org.jboss.security.ClientLoginModule required;
// Put your login modules that need jBoss here
};
For some reason the preview does not show the application.xml properly, hopefully it is readable, the module tags disapeared on it for some reason. I descibe the client as java module in it.
Hopufully someone of you see's what I have done wrong.
Thanks for help in advance
Henri
