5 Replies Latest reply on Oct 31, 2005 5:24 PM by James Bond

    Form Authentication

    James Bond Newbie

      I would like to start by stating that im a beginer in Jaas security, I have read Mr. Stark's Howto and implemented the example with no problem using <auth-method>BASIC</auth-method> however when I have changed the login-config to <auth-method>FORM</auth-method> the Echo (EchoUser) role is no longer propagating to the echo method in PublicSession ejb.

      here is my code:

      web.xml

      ...
       <security-constraint>
       <web-resource-collection>
       <web-resource-name>Restricted</web-resource-name>
       <description>Declarative security tests</description>
       <url-pattern>/restricted/*</url-pattern>
       <http-method>HEAD</http-method>
       <http-method>GET</http-method>
       <http-method>POST</http-method>
       <http-method>PUT</http-method>
       <http-method>DELETE</http-method>
       </web-resource-collection>
       <auth-constraint>
       <role-name>Echo</role-name>
       </auth-constraint>
       <user-data-constraint>
       <description>no description</description>
       <transport-guarantee>NONE</transport-guarantee>
       </user-data-constraint>
       </security-constraint>
      
       <login-config>
       <auth-method>FORM</auth-method>
       <form-login-config>
       <form-login-page>/login.jsp</form-login-page>
       <form-error-page>/error.jsp</form-error-page>
       </form-login-config>
       </login-config>
      
       <security-role>
       <description>A user allowed to invoke echo methods</description>
       <role-name>Echo</role-name>
       </security-role>
      ...
      


      ejb-jar.xml
       <enterprise-beans>
       <session>
       <description>A trival stateless session echo bean</description>
       <ejb-name>PublicSession</ejb-name>
       <home>org.jboss.docs.jaas.howto.SessionHome</home>
       <remote>org.jboss.docs.jaas.howto.Session</remote>
       <ejb-class>org.jboss.docs.jaas.howto.PublicSessionBean</ejb-class>
       <session-type>Stateless</session-type>
       <transaction-type>Container</transaction-type>
       <ejb-ref>
       <ejb-ref-name>ejb/PrivateSession</ejb-ref-name>
       <ejb-ref-type>Session</ejb-ref-type>
       <home>org.jboss.docs.jaas.howto.SessionHome</home>
       <remote>org.jboss.docs.jaas.howto.Session</remote>
       <ejb-link>PrivateSession</ejb-link>
       </ejb-ref>
       <security-role-ref>
       <role-name>EchoUser</role-name>
       <role-link>Echo</role-link>
       </security-role-ref>
       <security-identity>
       <run-as>
       <role-name>InternalUser</role-name>
       </run-as>
       </security-identity>
       </session>
      


      the problem is that in the EJBServlet.java request.isUserInRole("EchoUser") returns false instead of true but when authentication is Basic it returns true

      here is a slice of the error stack:

      11:57:56,082 ERROR [SecurityInterceptor] Insufficient method permissions, principal=null, method=echo, interface=REMOTE, requiredRoles=[Echo
      ], principalRoles=[]
      11:57:56,082 ERROR [LogInterceptor] EJBException in method: public abstract java.lang.String org.jboss.docs.jaas.howto.Session.echo(java.lan
      g.String) throws java.rmi.RemoteException, causedBy:
      java.lang.SecurityException: Insufficient method permissions, principal=null, method=echo, interface=REMOTE, requiredRoles=[Echo], principal
      Roles=[]


      How can I fix this problem, Please advise?





        • 1. Re: Form Authentication
          Wiley Snyder Newbie

          I'm not an expert here either but are your users.properties and roles.properties files in the /default/conf directory ? And is EchoUser in them ?

          • 2. Re: Form Authentication
            James Bond Newbie

            The example code is still the same, users.properties and roles.properties files are placed into the ssbean1.jar as defined in build.xml and the EchoUser is defined in the ejb-jar.xml:

            security-role-ref >> role-name is EchoUser role-link is Echo

            this works with Basic Authentication, it does not work with Form authentication. whether I use jaas-example1 (UsersRolesLoginModule) using property files or I use jaas-example2 (DatabaseServerLoginModule) database, same result.

            Help is kindly appreciated.

            • 3. Re: Form Authentication
              Wiley Snyder Newbie

              Right but now your using form authentication....

              There is no EchoUser using BASIC authentication ...

              now you have to put them in the /default/conf directory for FORM authentication to work correctly ...

              • 4. Re: Form Authentication
                Wiley Snyder Newbie

                oops I meant ...

                there is no EchoUser using FORM authentication ....

                • 5. Re: Form Authentication
                  James Bond Newbie

                  Hi again,

                  I have changed default\conf users.properties and roles.properties as advised, I have also verified that it matches the jaas_howto\conf (jaas_howto is new Server Name). They are listed below :

                  users.properties


                  # The username to password mapping properties file
                  java=echoman
                  duke=javaman



                  # The username to role(s) mapping properties file
                  java=Echo
                  duke=Java,Coder
                  java.CallerPrincipal=caller_java
                  duke.CallerPrincipal=caller_duke


                  I am still getting the same error message in console, below:


                  17:04:25,896 ERROR [SecurityInterceptor] Insufficient method permissions, principal=null, method=echo, interface=REMOTE, requiredRoles=[Echo
                  ], principalRoles=[]
                  17:04:25,906 ERROR [LogInterceptor] EJBException in method: public abstract java.lang.String org.jboss.docs.jaas.howto.Session.echo(java.lan
                  g.String) throws java.rmi.RemoteException, causedBy:
                  java.lang.SecurityException: Insufficient method permissions, principal=null, method=echo, interface=REMOTE, requiredRoles=[Echo], principal
                  Roles=[]
                  at org.jboss.ejb.plugins.SecurityInterceptor.checkSecurityAssociation(SecurityInterceptor.java:219)


                  here is my simple login form:
                  <form name="myForm" method="post" action="j_security_check">
                  <table width="100%" border="0" cellspacing="1">
                   <tr>
                   <td colspan="2"><h2 align="center">Login Page</h2></td>
                   </tr>
                   <tr>
                   <td width="17%"> User Name:</td>
                   <td width="83%"> <input type='text' name='j_username'></td>
                   </tr>
                   <tr>
                   <td> Password:</td>
                   <td> <input type='password' name='j_password'></td>
                   </tr>
                   <tr>
                   <td> </td>
                   <td><input type='submit' value='login' alt="log in" ></td>
                   </tr>
                  </table>
                  </form>
                  


                  I have even changed <role-name> to match <role-link> in ejb-jar.xml:
                   <session>
                   <description>A trival stateless session echo bean</description>
                   <ejb-name>PublicSession</ejb-name>
                   <home>org.jboss.docs.jaas.howto.SessionHome</home>
                   <remote>org.jboss.docs.jaas.howto.Session</remote>
                   <ejb-class>org.jboss.docs.jaas.howto.PublicSessionBean</ejb-class>
                   <session-type>Stateless</session-type>
                   <transaction-type>Container</transaction-type>
                   <ejb-ref>
                   <ejb-ref-name>ejb/PrivateSession</ejb-ref-name>
                   <ejb-ref-type>Session</ejb-ref-type>
                   <home>org.jboss.docs.jaas.howto.SessionHome</home>
                   <remote>org.jboss.docs.jaas.howto.Session</remote>
                   <ejb-link>PrivateSession</ejb-link>
                   </ejb-ref>
                   <security-role-ref>
                   <role-name>Echo</role-name><!--EchoUser -->
                   <role-link>Echo</role-link>
                   </security-role-ref>
                   <security-identity>
                   <run-as>
                   <role-name>InternalUser</role-name>
                   </run-as>
                   </security-identity>
                   </session>
                  


                  the callEcho method in EJBServlet.java is not propagating to the PublicSessionBean echo method. still even though method permission in ejb-jar.xml allows the Echo Role:

                   <method-permission>
                   <role-name>Echo</role-name>
                   <method>
                   <ejb-name>PublicSession</ejb-name>
                   <method-name>*</method-name>
                   </method>
                   </method-permission>
                  


                  also the login-config.xml is unchanged and it is located in the Server Name: jaas_howto.



                  Help is kindly appreciated.