-
1. Re: SRP: Multiple clients
starksm64 Dec 3, 2004 5:15 AM (in response to sberna)
There is more information that might be important to find out what the problem is.
On the server side I have the following configuration:
<application-policy name="CustomFwRealm">
  <login-module code="org.jboss.security.srp.jaas.SRPCacheLoginModule" flag="required">
    <module-option name="cacheJndiName">srp-fw/AuthenticationCache</module-option>
  </login-module>
  <login-module code="com.security.jaas.FwServerLoginModule" flag="required">
    <module-option name="password-stacking">useFirstPass</module-option>
  </login-module>
</application-policy>
The FwServerLoginModule is a login module that creates a principal and gets the user roles.
The strange part is that after Client application 2 did the login and Client application 1 calls the method, the login method of this module is called again.
Although the login returns true, I've got the exception
2004-12-07 12:23:15,690 ERROR [org.jboss.ejb.plugins.SecurityInterceptor] Authentication exception, principal=nmeira
and commit is never called...
-
2. Re: CredentialsExpired and AccountExpired exception
sberna Dec 3, 2004 5:28 AM (in response to sberna)
With a bit more research I have found the following lines of code in org.jboss.ejb.plugins.SecurityInterceptor.
Starting on line 150.
// Check the security info from the method invocation
if (securityManager.isValid(principal, credential) == false)
{
    String msg = "Authentication exception, principal=" + principal;
    log.error(msg);
    SecurityException e = new SecurityException(msg);
    throw e;
}
Seems like no matter what happens in the LoginModule, the exception thrown will be SecurityException :(.
Is this a design decision or just something on the TODO?
The JBoss version I'm using is 3.2.6
-
3. Re: CredentialsExpired and AccountExpired exception
starksm64 Dec 6, 2004 1:24 PM (in response to sberna)
The security manager interface does not have an exception so there is no way to propagate an arbitrary exception, and the exception has to conform to the ejb rules. The jaas security manager implementation in 3.2.6+ will save any exception seen under the org.jboss.security.SecurityAssociation contextInfo thread local under the key "org.jboss.security.exception".
-
4. Re: CredentialsExpired and AccountExpired exception
sberna Dec 9, 2004 10:57 AM (in response to sberna)
Scott,
I agree that the exception is available from SecurityAdapter, but only inside the same VM :(.
I'm using ClientLoginModule from a standalone client application and the exception is not propagated back to the client.
This is to say:
Object exception = SecurityAssociation.getContextInfo("org.jboss.security.exception");
System.out.println("exception:"+exception);
Always returns null on the client side.
I agree that the security manager doesn't allow for standard exception propagation, but I need a way to send the state back to the client.
What would you think about the following modification to SecurityInterceptor (line 150)?
// Check the security info from the method invocation
if (securityManager.isValid(principal, credential) == false)
{
    Object exception = SecurityAssociation.getContextInfo(AUTH_EXCEPTION_KEY);
    if (exception != null) {
        // LoginException from the internal JAAS login module. Rethrow.
        log.error("Internal JAAS LoginException " + exception);
        throw (Exception) exception;
    }
    String msg = "Authentication exception, principal=" + principal;
    log.error(msg);
    SecurityException e = new SecurityException(msg);
    throw e;
}
The only problem i find is that LoginException does not extend from SecurityException but from GeneralSecurityException which is checked :(. Maybe another approach would be to use SecurityException as a wrapper for the JAAS exception.
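The wrapper approach floated at the end of the post above, worked through as an added, self-contained example (this is not code from the thread or from JBoss). The JBoss classes are replaced by stand-ins: AUTH_EXCEPTION is a ThreadLocal standing in for the SecurityAssociation contextInfo slot keyed "org.jboss.security.exception", isValid stands in for the security manager that records the login module's LoginException, and checkCall stands in for the SecurityInterceptor branch at line 150. Only JDK classes are used, so it compiles and runs on its own; the principal name is taken from the log line earlier in the thread.

```java
import javax.security.auth.login.AccountExpiredException;
import javax.security.auth.login.CredentialExpiredException;
import javax.security.auth.login.FailedLoginException;
import javax.security.auth.login.LoginException;

public class WrappedAuthFailureDemo {

    // Assumption: stands in for SecurityAssociation.setContextInfo/getContextInfo
    // under the key "org.jboss.security.exception".
    static final ThreadLocal<LoginException> AUTH_EXCEPTION = new ThreadLocal<LoginException>();

    // Assumption: stands in for the JAAS security manager. It records the
    // LoginException the login module threw (simulated here by the second
    // argument) and returns the boolean the interceptor actually sees.
    static boolean isValid(String principal, LoginException simulatedFailure) {
        AUTH_EXCEPTION.set(null);
        if (simulatedFailure == null) {
            return true;
        }
        AUTH_EXCEPTION.set(simulatedFailure);
        return false;
    }

    // Assumption: stands in for the SecurityInterceptor check. It keeps the
    // unchecked SecurityException the EJB rules require, but attaches the saved
    // checked JAAS exception as its cause. initCause() exists since JDK 1.4, so
    // this does not depend on the (String, Throwable) constructor added in 1.5.
    static void checkCall(String principal, LoginException simulatedFailure) {
        if (!isValid(principal, simulatedFailure)) {
            String msg = "Authentication exception, principal=" + principal;
            SecurityException e = new SecurityException(msg);
            LoginException saved = AUTH_EXCEPTION.get();
            if (saved != null) {
                e.initCause(saved);
            }
            throw e;
        }
    }

    // Client side: decide on the cause type rather than parsing the message,
    // so the client can tell an expired credential from a plain bad login.
    static String classify(SecurityException e) {
        Throwable cause = e.getCause();
        if (cause instanceof CredentialExpiredException) {
            return "credential-expired";
        }
        if (cause instanceof AccountExpiredException) {
            return "account-expired";
        }
        if (cause instanceof FailedLoginException) {
            return "bad-credentials";
        }
        return "unknown";
    }

    public static void main(String[] args) {
        // Constructed sample outcomes for the login module, one per call.
        LoginException[] outcomes = {
            new CredentialExpiredException("password older than policy allows"),
            new AccountExpiredException("account closed"),
            new FailedLoginException("bad password"),
            null // successful login
        };
        for (int i = 0; i < outcomes.length; i++) {
            try {
                checkCall("nmeira", outcomes[i]);
                System.out.println("call allowed");
            } catch (SecurityException e) {
                System.out.println(e.getMessage() + " -> " + classify(e));
            }
        }
    }
}
```

Because the cause travels inside the serialized SecurityException, a remote caller receives it across the VM boundary the post ran into, as long as the cause's class is on the client classpath; otherwise deserialization of the exception fails. Whether the server should let a remote caller distinguish "account expired" from "bad credentials" at all is a separate policy choice: that distinction discloses account state, so the interceptor is the right place to decide which causes are attached and which are collapsed into the generic message.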