4 Replies Latest reply on Feb 8, 2005 10:49 AM by Said Lakhloufi

    principal=null for JMS invoked call, have a valid principal

    John Vandale Newbie

      My application is protected with a UsersRolesLoginModule in a sec domain specified in my jboss.xml and jboss-web.xml. When I run the app I am properly forms-based challenged, authenticated and on my merry way.

      Until, I do anything that involves JBoss invoking my JMS queue listener. At this point my listener class tries to create the home interface of a bean that is specified in my method-permission in the descriptor as being protected by this security domain. JBoss throws:

      Authentication exception, principal=null

      I tried to get around this by putting the following in my listener right before the call that is causing this to be thrown. I implemented MyCallbackHandler of course:

      LoginContext lc = null;
      Subject subj = null;
      String foo = null;

      try
      {
      CallbackHandler ch = new MyCallbackHandler();
      lc = new LoginContext("java:/jaas/mySecDomain",ch);
      lc.login();
      subj = lc.getSubject();
      foo = subj.toString();
      }
      catch (LoginException le)
      {
      le.printStackTrace();
      }

      return myBeanNameHome.create();

      The line return myBeanNameHome.create(); throws the exception. The lc.login returns successfully and the Subject obtained is properly populated with the roles that it could only get via going through the UsersRolesLoginModule in mySecDomain.

      Yet even though this JAAS principal is established here right before this call when it tries to invoke this call to create the home interface it fails with principal = null.

      What am I missing?

      John

        • 1. Re: principal=null for JMS invoked call, have a valid princi
          Slava Shelestyuk Newbie

          i got the same thing when trying to init my TimedObjects:
          CallbackHandler handler = new UsernamePasswordHandler( "admin", "password".toCharArray() );
          LoginContext lc = new LoginContext( "my_domain", handler );
          lc.login();
          Subject subject = lc.getSubject();
          String result = (String) Subject.doAs( subject, new PrivilegedAction()
          {
          public Object run()
          {
          String result = "done";

          try
          {
          Context jndiContext = new InitialContext();
          Object ref = jndiContext.lookup( "TestJobRemoteHome" );
          TestJobRemoteHome home = (TestJobRemoteHome) PortableRemoteObject.narrow( ref, TestJobRemoteHome.class );
          TestJobRemote remote = home.create();
          remote.scheduleJob();
          }
          catch( Exception e )
          {
          e.printStackTrace();
          result = "bust";
          }

          return result;
          }
          } );

          i'm using my own login module and it's being called 2 times here:
          1st on lc.login();
          this moment it works fine and gets password and roles set
          (in fact the module works fine all the way when i'm using it for authenticated by "j_security_check" submits,
          but i need some kind of authentication on behalf of "System", not a logged in User).

          2nd on home.create();
          this moment i took a look at
          public void initialize( Subject subject, CallbackHandler callbackHandler, Map sharedState, Map options )
          which is being called again and saw that:
          org.jboss.security.auth.callback.SecurityAssociationHandler
          with principal=null, so it's failed.

          my thought there shouldn't be 2nd check as far as we perform doAs with a authenticated already subject.

          i have no idea what the problem is, i have just met it, i'll be investigating this tomorrow,
          please let me know if you already figured it out.

          • 2. Re: principal=null for JMS invoked call, have a valid princi
            Scott Stark Master

            Read the JAAS Howto posting in this forum as it describes how the security context is propagated. A Subject.doAs does not affect the propagated security context. The preceeding JAAS login need to include the org.jboss.security.ClientLoginModule.

            • 3. Re: principal=null for JMS invoked call, have a valid princi
              Slava Shelestyuk Newbie

              yeah, i got the idea, it's like a 2-phase authentication where ClientLoginModule "does not perform client-side authentication, but simply binds the username and password to the JBoss EJB invocation layer for later authentication on the server".

              2 johnv: skipping the details the only thing i did to make it work - i changed 1 code line as follows:
              LoginContext lc = new LoginContext( "client-login", handler );
              i also removed "doAs"-call which i added just for testing, it works both ways.

              good luck.

              • 4. Re: principal=null for JMS invoked call, have a valid princi
                Said Lakhloufi Newbie

                I have the some problem. The IsUserInRole always returns false.

                try {
                SecurityAssociationHandler handler = new SecurityAssociationHandler();
                Principal user = new SimplePrincipal(userName);
                handler.setSecurityInfo(user, password.toCharArray());
                LoginContext loginContext = new LoginContext("MyRealm",
                (CallbackHandler) handler);
                loginContext.login();
                subject = loginContext.getSubject();
                Set principals = subject.getPrincipals();
                principals.add(user);
                } catch (LoginException e) {
                System.out.println("Error LoginException: " + e);
                }

                if (request.isUserInRole("Admin")) {
                System.out
                .println("User with role admin is forwarded to admin page");
                return mapping.findForward("Admin");
                } else if (request.isUserInRole("ViewBills")) {
                System.out
                .println("User with role ViewBills is forwarded to ViewBills page");
                return mapping.findForward("ViewBills");
                } else {
                System.out
                .println("User has no role. He needs to be forwarded to login page");
                return mapping.findForward("failure");
                }

                }