3 Replies Latest reply on Dec 16, 2004 4:54 PM by rkite01

    Principal loses login and password when bean is called remo

    rkite01

      I am using JBoss 3.2.3; eventually we will upgrade to 4.x. We have a requirement that connections from our JDBC pool assume the user's login and password so that database logs reflect who performed what actions. This has been working for us as long as the client call is from the integrated Tomcat. When a call is made from a Swing client to a session bean, the principal passed has the default login and password, not the correct one passed from the client JAAS login. On the Swing client I set auth.conf with a JVM parameter -Djava.security.auth.login.config=D:\Projects\jboss3\client\auth.conf and it works as far as security is concerned, allowing the call, but the principal passed to JBoss does not have the login and password of the user calling it. Thus database access reflects the default login and password from the JDBC pool, not the user calling it.

      What do I need to do to get Swing clients working properly? The Swing client uses jars from <jboss-install>/client.

      Thanks
      Rodney

        • 1. Re: Principal loses login and password when bean is called
          tcherel

          I do not have an answer to your question (sorry) but I am curious to know how you configured the JDBC source in JBoss in order for it to use the client identity to connect to the database.
          Could you send some details about this configuration?

          Thanks.

          • 2. Re: Principal loses login and password when bean is called
            starksm64

            You'll have to describe the security settings on the database datasource. If the ejb is secured and this is working, and you're using the CallerIdentityLoginModule, then the identity used to access the ejb should be seen at the database.

            • 3. Re: Principal loses login and password when bean is called
              rkite01

              This works well as long as the caller of the Bean is from the integrated Tomcat, meaning it passes security and assumes the correct login and password from the principal. It partially works when called from a Swing app or Tomcat running in a separate JVM, since it passes JAAS security by allowing the call, but the principal will have the default login and password, not the one passed from the client login. I can see different data returned since the default user has more restricted database access than the logged-in person. Also an anomaly: if the first call to the app server after startup is from the integrated Tomcat, then subsequent calls from the Swing app do work, and when the principal is viewed in the debugger the correct login and password appear.

              This is from sybase-ds.xml

              <local-tx-datasource>
              <jndi-name>jdbc/tcAimsIIDB</jndi-name>
              <connection-url>jdbc:sybase:Tds:TIGGER:5000</connection-url>
              <driver-class>com.sybase.jdbc2.jdbc.SybDataSource</driver-class>
              <user-name>web_user</user-name>
              <password>web_user_pass</password>
              <security-domain>SybaseDbRealm</security-domain>
              <min-pool-size>1</min-pool-size>
              <max-pool-size>6</max-pool-size>
              </local-tx-datasource>

              This is from login-config.xml

              <application-policy name="SybaseDbRealm">

              <login-module code="TisCallerIdentityLoginModule" flag="required">
              <module-option name="userName">web_user</module-option>
              <module-option name="password">web_user_pass</module-option>
              <module-option name="managedConnectionFactoryName">jboss.jca:service=LocalTxCM,name=jdbc/tcAimsIIDB</module-option>
              </login-module>

              </application-policy>


              // Imports needed to compile this login module against the JBoss 3.2 jars
              import java.security.Principal;
              import java.security.acl.Group;
              import java.util.Map;
              import javax.security.auth.Subject;
              import javax.security.auth.callback.CallbackHandler;
              import javax.security.auth.login.LoginException;
              import org.jboss.resource.security.CallerIdentityLoginModule;
              import org.jboss.security.SimpleGroup;
              import org.jboss.security.SimplePrincipal;

              // Subclass of the JCA CallerIdentityLoginModule referenced by code="..." in login-config.xml
              public class TisCallerIdentityLoginModule extends CallerIdentityLoginModule
              {
                public void initialize(Subject subject, CallbackHandler handler, Map sharedState, Map options)
                {
                  super.initialize(subject, handler, sharedState, options);
                }

                // Identity of the EJB caller as seen by the server, or the configured
                // userName/password when no caller identity is present
                protected Principal getIdentity()
                {
                  Principal principal = super.getIdentity();
                  return principal;
                }

                // Role sets handed back to the security domain: a "Roles" group holding the
                // tisUser role and an (empty) "CallerPrincipal" group
                protected Group[] getRoleSets() throws LoginException
                {
                  Group[] groups = new Group[2];
                  SimpleGroup rolesGroup = new SimpleGroup("Roles");
                  rolesGroup.addMember(new SimplePrincipal("tisUser"));
                  groups[0] = rolesGroup;
                  SimpleGroup principlesGroup = new SimpleGroup("CallerPrincipal");
                  groups[1] = principlesGroup;
                  System.out.println("getRoleSets called");
                  return (groups);
                }
              }


              Thanks
              Rodney
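The thread shows the server-side datasource and login module but not the Swing client's JAAS login that is supposed to put the user's principal and credential on the EJB call. The following is an added example (not code from the thread or from JBoss itself) of that client-side login against the JBoss 3.2 ClientLoginModule; the user name, password and the JNDI name ejb/SomeSessionBean are constructed placeholders, and the auth.conf entry shown in the comment is assumed.

```java
// Assumed auth.conf, selected with -Djava.security.auth.login.config=<path>\auth.conf:
//   other {
//     org.jboss.security.ClientLoginModule required;
//   };
// ClientLoginModule does not talk to the server; it only stores the principal and
// credential in SecurityAssociation so the JBoss invoker sends them with each call.
import javax.naming.Context;
import javax.naming.InitialContext;
import javax.security.auth.login.LoginContext;
import javax.security.auth.login.LoginException;
import org.jboss.security.SecurityAssociation;
import org.jboss.security.auth.callback.UsernamePasswordHandler;

public class SwingClientLogin
{
  // Perform the JAAS login under the "other" entry of auth.conf and return the
  // context so the caller can log out again when the user session ends.
  public static LoginContext loginAs(String user, char[] password) throws LoginException
  {
    LoginContext lc = new LoginContext("other", new UsernamePasswordHandler(user, password));
    lc.login();
    return lc;
  }

  public static void main(String[] args) throws Exception
  {
    // Constructed sample credentials, not real accounts
    LoginContext lc = loginAs("rodney", "secret".toCharArray());
    try
    {
      // Client-side check of what will ride along on the invocation: if this is
      // not the user who just logged in, the problem is on the client, not the server.
      System.out.println("client principal = " + SecurityAssociation.getPrincipal());

      // jndi.properties (or explicit env) must point at jnp://<host>:1099 of the JBoss server
      Context ctx = new InitialContext();
      Object ref = ctx.lookup("ejb/SomeSessionBean"); // hypothetical JNDI name
      // narrow ref to the home interface and call the bean from here
    }
    finally
    {
      // Clear SecurityAssociation so a later login cannot reuse a stale identity
      lc.logout();
    }
  }
}
```

ClientLoginModule stores the identity per JVM unless the `multi-threaded` module option is set to true, in which case it is kept per thread, which matters in a Swing application that makes EJB calls from worker threads as well as the event thread.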