Ohh forgot: I'm using 4.0.2+jbas-1875-patch
There are tons of threads on this subject in the forum.
If you are doing your own JAAS login in your servlet code, you will need to make sure that ClientLoginModule is part of the JAAS configuration you are using ("domain" according to your code below) for the propagation to happen.
But you also need to realize that you will have to do the JAAS login at every request if you write it yourself.
It is much better to let the container do the authentication for you (using BASIC or FORM based authentication for your web app) as it will associate the security context with the HTTP session.
Thanks for the answer Tomas.
Well I tried to look it all up running google queries all over the place... hmm...
What I wanted was:
#2 call methods
so the natural way seemed to be to use the JAAS login when the user arrives and log him out once he goes.
The thing I wanted to implement was some soft user tracking,
so the user has no password and is identified by his id (stored in a cookie) only. I know I have to watch out for buggy browsers and XSS. But this is not supposed to be used in any *harmful* cases anyway.
Thanks for the answer I'll look into the BASIC and FORM base auth.
It would be nice, though, if you could elaborate on that ClientLoginModule part a bit or point me to a thread I did not find.
Basically, your servlet is a client to your EJBs.
With JBoss, if a client is doing an explicit JAAS login, the established security context is propagated to the backend EJBs only if you have the JBoss ClientLoginModule as part of your JAAS configuration.
I am assuming that you edited the login-config.xml of JBoss to create your "domain" JAAS configuration.
This configuration needs to look like this:
...... //Any other login module that you might require.
The ClientLoginModule at the end of your JAAS module stack will basically make sure that the security context is propagated to backend EJBs.
In your scenario:
#2 call methods
If this is all one single HTTP request, then what you are doing is fine.
If the #2 must spawn multiple HTTP requests, it is definitely better to let the container (Tomcat/JBoss) do the authentication for you through BASIC or FORM based authentication.
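A worked version of the per-request login described above, as an added example that is not code from the original thread or from JBoss: a servlet filter that does the JAAS login with a LoginContext at the start of every request, lets the rest of the chain run, and always logs out in a finally block so the identity that ClientLoginModule pushed does not stick to the pooled container thread and leak into the next request. The application-policy name "domain", the cookie names "mooguser" (user id) and "moogtoken" (credential) and the class name JaasLoginFilter are assumptions; org.jboss.security.auth.callback.UsernamePasswordHandler is the JBossSX callback handler. The EJBs still have to be bound to the same domain in their jboss.xml (security-domain java:/jaas/domain), otherwise the server falls back to the default other domain. Since a cookie is the only thing tying a request to a user here, anything that can set that cookie can choose any identity; that is the trade-off the original poster accepts.

```java
// Added example (not from the original thread or from JBoss).
// Web filter that performs the explicit JAAS login once per request and
// logs out afterwards, as described in the reply above.
package example;

import java.io.IOException;
import javax.security.auth.login.LoginContext;
import javax.security.auth.login.LoginException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.Cookie;
import javax.servlet.http.HttpServletRequest;
import org.jboss.security.auth.callback.UsernamePasswordHandler;

public class JaasLoginFilter implements Filter {

    /** Must match the application-policy name in login-config.xml (assumption). */
    private static final String SECURITY_DOMAIN = "domain";
    /** Cookie carrying the user id (assumption). */
    private static final String USER_COOKIE = "mooguser";
    /** Cookie carrying whatever the first login module validates (assumption). */
    private static final String TOKEN_COOKIE = "moogtoken";

    public void init(FilterConfig config) { }

    public void destroy() { }

    public void doFilter(ServletRequest req, ServletResponse resp, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest http = (HttpServletRequest) req;
        String user = cookieValue(http, USER_COOKIE);
        String token = cookieValue(http, TOKEN_COOKIE);

        LoginContext lc = null;
        if (user != null) {
            try {
                // The first module(s) in the stack authenticate; ClientLoginModule,
                // last in the stack, pushes principal and credential onto JBoss's
                // thread-local security association, which the EJB invocation layer
                // propagates to the beans.
                lc = new LoginContext(SECURITY_DOMAIN,
                        new UsernamePasswordHandler(user, token));
                lc.login();
            } catch (LoginException e) {
                // No identity for this request; the EJB container will treat the
                // caller as unauthenticated (or as unauthenticatedIdentity, if set).
                lc = null;
            }
        }

        try {
            chain.doFilter(req, resp);
        } finally {
            // Container threads are pooled: without this, the identity established
            // above would still be on the thread for whoever gets it next.
            if (lc != null) {
                try {
                    lc.logout();
                } catch (LoginException ignored) {
                    // Nothing sensible to do here; the request is already finished.
                }
            }
        }
    }

    /** Returns the value of the named cookie, or null if it is not present. */
    static String cookieValue(HttpServletRequest req, String name) {
        Cookie[] cookies = req.getCookies();
        if (cookies == null) {
            return null;
        }
        for (int i = 0; i < cookies.length; i++) {
            if (name.equals(cookies[i].getName())) {
                return cookies[i].getValue();
            }
        }
        return null;
    }
}
```

Map the filter to the dispatch servlet (or to /*) in web.xml; with the login and logout in one filter the servlet code itself no longer has to know about JAAS at all.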
Thank you very much.
I'm writing a blog system (just for fun and learning).
So I'll have my dispatch servlet, which will handle all requests that need authorization,
and take care of login only in case the required actions need auth.
Btw: is there a way I can ship my login-config with my ear? or do I have to edit the one in server/default/config over and over?
Another question: though not completely JAAS related.
I have my setup of a User-Group-Role database schema with CMP EJB's...
now say I have 3 projects. I could a) extend them to include the 'domain' field, or b) put them into different tables. But JBoss doesn't allow me to have two EARs with the same beans. :( So I must name them UserBean or something.
For the login config, take a look at http://wiki.jboss.org/wiki/Wiki.jsp?page=DynamicLoginConfig.
The JBossSX Wiki pages are actually a good JBoss security resource for documentation.
Not sure I understand the second question. I am not an entity bean expert, but I will be surprised if you can not use the same entity beans between two ears (but maybe you can't, I really do not know).
Thanks again Tomas. And sorry to bug you once more :/
well I now got the DynamicLoginConfig setup and my login-config.xml too.
<?xml version='1.0'?>
<!DOCTYPE policy PUBLIC
    "-//JBoss//DTD JBOSS Security Config 3.0//EN"
    "http://www.jboss.org/j2ee/dtd/security_config.dtd">
<policy>
  <!-- Security domain for mog/moog/stub -->
  <application-policy name="stub">
    <authentication>
      <login-module code="org.jboss.security.auth.spi.DatabaseServerLoginModule" flag="required">
        <module-option name="unauthenticatedIdentity">guest</module-option>
        <module-option name="dsJndiName">java:/mogDS</module-option>
        <module-option name="principalsQuery">SELECT password FROM mooguser WHERE name=?</module-option>
        <module-option name="rolesQuery">SELECT r.name, 'Roles' FROM moogrole r LEFT JOIN group_role gr ON r.id=gr.role_id LEFT JOIN mooggroup g ON gr.group_id=g.id LEFT JOIN user_group ug ON g.id=ug.group_id LEFT JOIN user_role ur ON r.id=ur.role_id LEFT JOIN mooguser u ON (ug.user_id=u.id OR ur.user_id=u.id) WHERE u.name = ?</module-option>
      </login-module>
      <login-module code="org.jboss.security.ClientLoginModule" flag="required"></login-module>
    </authentication>
  </application-policy>
</policy>
And I know for sure it's loaded.
because I can run lc.login from within my servlet and get a valid subject back.
now whenever I try to access a Bean I get:
[UsersRolesLoginModule] Failed to load users/passwords/role files
java.io.IOException: No properties file: users.properties or defaults: defaultUsers.properties found
so somehow it's not picking up my domain :( (the UsersRolesLoginModule is the one that is in the server login-config.xml)
WHEEEE! It worked!
wow. that was tough ;)
thanks a ton Tomas.
My mistake was a spelling error in the jboss.xml.