5 Replies Latest reply on Sep 17, 2005 7:38 AM by jaikiran pai

    standalone EJB client and JASS

    Stefan Siarzewski Newbie

      Hello,

      I'm developing a simple standalone EJB client. I was trying to set up security using JASS, but I encountered some problems with authorization. I tried using DatabaseServerLoginModule, but it seems it is not able to acces the DataSource in the application server.
      So my question is - is there a simple way to perform authorization from a standalone client, or do I have to create my own version of DatabaseServerLoginModule which connects to a database directly ?

      I would be very grateful, if someone could give me a hint on this.
      Martin.

        • 1. Re: standalone EJB client and JASS
          jaikiran pai Master

          Hi,
          You can use the "client-login" LoginModule for the JAAS login. As you mention, that this is a standalone client accessing an ejb, you would require a file(say myLogin.conf) containing the login modules as follows:

          client-login{
           org.jboss.security.ClientLoginModule required;
           };
          
           other{
           org.jboss.security.auth.spi.UsersRolesLoginModule required;
           };


          In your code, you will do a JAAS login as follows:


          final String authFile = "myLogin.conf";
           System.setProperty("java.security.auth.login.config", authFile);
           //System.setProperty("java.security.auth.login.config","jaas.crm");
           MyCallbackHandler handler = new MyCallbackHandler(userName,password);
           LoginContext lc = new LoginContext("client-login",handler);
           lc.login();


          You would require a callback handler which will verify the username and password:

          public class MyCallbackHandler implements CallbackHandler {
          
           /**
           * Username which will be set in the NameCallback, when NameCallback is handled
           */
           private String username;
          
           /**
           * Password which will be set in the PasswordCallback, when PasswordCallback is handled
           */
           private String password;
          
           /**
           * Constructor
           * @param username The username
           * @param password The password
           */
           public MyCallbackHandler(String username, String password) {
           this.username = username;
           this.password = password;
           }
          
           /**
           * @param callbacks Instances of Callback<i>s</i>
           * @throws IOException IOException
           * @throws UnsupportedCallbackException If Callback is other than NameCallback or PasswordCallback
           */
           public void handle(Callback[] callbacks) throws IOException, UnsupportedCallbackException {
          
           for (int i = 0; i < callbacks.length; i++) {
           if (callbacks instanceof NameCallback) {
           //if the Callback is for NameCallback, then set the name of the NameCallback to 'userName'
           NameCallback nc = (NameCallback) callbacks;
           nc.setName(username);
          
           } else if (callbacks instanceof PasswordCallback) {
           //if the Callback is for PasswordCallback, then set the name of the PasswordCallback to 'password'
           PasswordCallback pc = (PasswordCallback) callbacks;
           pc.setPassword(password.toCharArray());
          
           } else {
           //if Callback is NOT NameCallback or PasswordCallback then throw UnsupportedCallbackException
           throw new UnsupportedCallbackException(callbacks, "Unrecognized Callback");
           }
           }
           }
           }




          • 2. Re: standalone EJB client and JASS
            Stefan Siarzewski Newbie

            Hello,

            Thanks jaikiran for your help, but the solution you posted is not what I was looking for. I was using similiar code in my app (ClientLoginModule etc.) and also tested yours, but the authentication seems to work every time, whatever the login/pass values are. If the login information is not valid there is an Authentication failure exception, but only after I try to access EJB methods. I would rather that the exception occured after:

            lc.login();
            


            Is there an easy way to accomplish that ?


            I'm using DynamicLoginConfig with DatabaseServerLoginModule on the server

            ehelp-login-service.xml
             <mbean code="org.jboss.security.auth.login.DynamicLoginConfig"
             name="ehelp:service=DynamicLoginConfig">
             <attribute name="AuthConfig">ehelp-login-config.xml</attribute>
             <depends optional-attribute-name="LoginConfigService">
             jboss.security:service=XMLLoginConfig
             </depends>
             <depends optional-attribute-name="SecurityManagerService">
             jboss.security:service=JaasSecurityManager
             </depends>
             </mbean>
            


            ehelp-login-config.xml
            <policy>
             <application-policy name="ehelp">
             <authentication>
             <login-module code="org.jboss.security.auth.spi.DatabaseServerLoginModule"
             flag="required">
             <module-option name="unauthenticatedIdentity">VIEWER</module-option>
             <module-option name="dsJndiName">java:/PostgresDS</module-option>
             <module-option name="principalsQuery">
             select hashedpassword from EMPLOYEES where login=?
             </module-option>
             <module-option name="rolesQuery">
             select privelages, 'Roles' from EMPLOYEES where login=?
             </module-option>
             <module-option name="hashAlgorithm">MD5</module-option>
             <module-option name="hashEncoding">BASE64</module-option>
             </login-module>
             </authentication>
             </application-policy>
            </policy>
            


            Thanks in advance...
            Martin.

            • 3. Re: standalone EJB client and JASS
              jaikiran pai Master

              Ya, you are right, that code wont be working for the requirement you are mentioning.

              "wats" wrote:
              I tried using DatabaseServerLoginModule, but it seems it is not able to acces the DataSource in the application server.


              Whats the exact problem you are facing while using DatabaseServerLoginModule. Can you post relevant extracts from your jaas login code?

              • 4. Re: standalone EJB client and JASS
                Stefan Siarzewski Newbie

                When I try to use DatabaseServerLoginModule defined in the following local myLogin.conf file

                ehelp {
                org.jboss.security.auth.spi.DatabaseServerLoginModule required
                dsJndiName="java:/PostgresDS"
                principalsQuery="select hashedpassword from EMPLOYEES where login=?"
                rolesQuery="select privelages, 'Roles' from EMPLOYEES where login=?"
                unauthenticatedIdentity=VIEWER
                hashAlgorithm=MD5
                hashEncoding=BASE64
                ;
                }
                


                the following exception occurs when executing "lc.login();"

                javax.security.auth.login.LoginException: javax.naming.NameNotFoundException: PostgresDS not bound
                


                Now, I'm not sure whether it is allowed to access JCA DataSource outside of the application server at all...

                Martin.

                • 5. Re: standalone EJB client and JASS
                  jaikiran pai Master

                  Datasources are not available outside the virtual machine