17 Replies. Latest reply on Apr 7, 2006 7:22 AM by darren hartford

    web-tier to initialcontext remote ejb3 call

    darren hartford Expert

      Hey all,
      I have a web application configured with web.xml <security-constraints> and jboss-web.xml that points to a 'testSecurity' realm. The webapp works fine, as expected, with requiring logins, roles, and using ClientLoginModule, etc.

      I have a secured ejb3 running on a different server (it happens to be pointing to the same configured realm, but that shouldn't matter as long as principal/credentials fly). It also has ClientLoginModule configured. I can call my ejb3 remotely (even from the webapp server), and with different credentials I get different behavior, so it is working as expected:

       import java.util.Properties;
       import javax.naming.Context;
       import javax.naming.InitialContext;

       // Explicit credentials handed to JndiLoginInitialContextFactory: works from a standalone client.
       Properties env = new Properties();
       env.setProperty(Context.SECURITY_PRINCIPAL, "username");
       env.setProperty(Context.SECURITY_CREDENTIALS, "password");
       env.setProperty(Context.INITIAL_CONTEXT_FACTORY, "org.jboss.security.jndi.JndiLoginInitialContextFactory");
       InitialContext ctx = new InitialContext(env);

       MyClass mc = (MyClass) ctx.lookup("MyClassBean/remote");


      However, when I copy this exact code to a JSF backing bean, it works. When I comment out principal and credentials to use the web-tier JAAS principal/credentials, this doesn't work. When I try using SecurityAssociation directly, principal and credentials are null.

      I've seen discussions about using a Tomcat Valve for a fix, requiring a CallbackHandler for a fix, something about the JAAS only working on the current thread and not the session and related workarounds, etc. Any recommendations for a 'clean' fix that shouldn't break on me later?

      jboss-4.0.4RC1 on both ejb3 and webapp servers.

      Thanks,
      -D


        • 2. Re: web-tier to initialcontext remote ejb3 call
          darren hartford Expert

          I found references to using the ClientLoginModule in 'multi-threaded' mode, so I added those configurations to the webapp jboss server:

          <login-module code="org.jboss.security.ClientLoginModule" flag="required">
           <module-option name="multi-threaded">true</module-option>
           <module-option name="password-stacking">useFirstPass</module-option>
          </login-module>
          


          I also enabled security debugging, and here is the error:

          11:26:00,012 ERROR [STDERR] java.lang.NullPointerException
          11:26:00,012 ERROR [STDERR] at org.jboss.security.jndi.JndiLoginInitialContextFactory.getInitialContext(JndiLoginInitialContextFactory.java:75)
          11:26:00,012 ERROR [STDERR] at javax.naming.spi.NamingManager.getInitialContext(NamingManager.java:667)
          11:26:00,012 ERROR [STDERR] at javax.naming.InitialContext.getDefaultInitCtx(InitialContext.java:247)
          11:26:00,012 ERROR [STDERR] at javax.naming.InitialContext.init(InitialContext.java:223)
          11:26:00,012 ERROR [STDERR] at javax.naming.InitialContext.<init>(InitialContext.java:197)
          11:26:00,012 ERROR [STDERR] at com.ghsinc.web.roleeditor.SessionBean01.getAuthorizationManager(Unknown Source)
          11:26:00,012 ERROR [STDERR] at com.ghsinc.web.roleeditor.GeneralBackingBean.<init>(Unknown Source)
          11:26:00,012 ERROR [STDERR] at sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method)
          11:26:00,012 ERROR [STDERR] at sun.reflect.NativeConstructorAccessorImpl.newInstance(NativeConstructorAccessorImpl.java:39)
          11:26:00,012 ERROR [STDERR] at sun.reflect.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:27)
          11:26:00,012 ERROR [STDERR] at java.lang.reflect.Constructor.newInstance(Constructor.java:494)
          11:26:00,012 ERROR [STDERR] at java.lang.Class.newInstance0(Class.java:350)
          11:26:00,012 ERROR [STDERR] at java.lang.Class.newInstance(Class.java:303)
          11:26:00,012 ERROR [STDERR] at java.beans.Beans.instantiate(Beans.java:204)
          11:26:00,012 ERROR [STDERR] at java.beans.Beans.instantiate(Beans.java:48)
          11:26:00,012 ERROR [STDERR] at com.sun.faces.config.ManagedBeanFactory.newInstance(ManagedBeanFactory.java:203)
          11:26:00,012 ERROR [STDERR] at com.sun.faces.application.ApplicationAssociate.createAndMaybeStoreManagedBeans(ApplicationAssociate.java:256)
          11:26:00,012 ERROR [STDERR] at com.sun.faces.el.VariableResolverImpl.resolveVariable(VariableResolverImpl.java:78)
          11:26:00,012 ERROR [STDERR] at com.sun.faces.el.impl.NamedValue.evaluate(NamedValue.java:125)
          11:26:00,012 ERROR [STDERR] at com.sun.faces.el.impl.ComplexValue.evaluate(ComplexValue.java:146)
          11:26:00,012 ERROR [STDERR] at com.sun.faces.el.impl.ExpressionEvaluatorImpl.evaluate(ExpressionEvaluatorImpl.java:243)
          11:26:00,012 ERROR [STDERR] at com.sun.faces.el.ValueBindingImpl.getValue(ValueBindingImpl.java:173)
          11:26:00,012 ERROR [STDERR] at com.sun.faces.el.ValueBindingImpl.getValue(ValueBindingImpl.java:154)
          11:26:00,012 ERROR [STDERR] at com.sun.faces.application.ApplicationImpl.createComponent(ApplicationImpl.java:386)
          11:26:00,012 ERROR [STDERR] at javax.faces.webapp.UIComponentTag.createComponent(UIComponentTag.java:1009)
          11:26:00,012 ERROR [STDERR] at javax.faces.webapp.UIComponentTag.createChild(UIComponentTag.java:1036)
          11:26:00,012 ERROR [STDERR] at javax.faces.webapp.UIComponentTag.findComponent(UIComponentTag.java:749)
          11:26:00,012 ERROR [STDERR] at javax.faces.webapp.UIComponentTag.doStartTag(UIComponentTag.java:429)
          11:26:00,012 ERROR [STDERR] at com.sun.faces.taglib.html_basic.InputTextTag.doStartTag(InputTextTag.java:506)
          11:26:00,012 ERROR [STDERR] at org.apache.jsp.main_jsp._jspx_meth_h_inputText_0(org.apache.jsp.main_jsp:251)
          11:26:00,012 ERROR [STDERR] at org.apache.jsp.main_jsp._jspx_meth_h_form_0(org.apache.jsp.main_jsp:193)
          11:26:00,012 ERROR [STDERR] at org.apache.jsp.main_jsp._jspx_meth_f_view_0(org.apache.jsp.main_jsp:145)
          11:26:00,012 ERROR [STDERR] at org.apache.jsp.main_jsp._jspService(org.apache.jsp.main_jsp:108)
          11:26:00,012 ERROR [STDERR] at org.apache.jasper.runtime.HttpJspBase.service(HttpJspBase.java:97)
          11:26:00,012 ERROR [STDERR] at javax.servlet.http.HttpServlet.service(HttpServlet.java:810)
          11:26:00,012 ERROR [STDERR] at org.apache.jasper.servlet.JspServletWrapper.service(JspServletWrapper.java:322)
          11:26:00,012 ERROR [STDERR] at org.apache.jasper.servlet.JspServlet.serviceJspFile(JspServlet.java:314)
          11:26:00,012 ERROR [STDERR] at org.apache.jasper.servlet.JspServlet.service(JspServlet.java:264)
          11:26:00,012 ERROR [STDERR] at javax.servlet.http.HttpServlet.service(HttpServlet.java:810)
          11:26:00,027 ERROR [STDERR] at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:252)
          11:26:00,027 ERROR [STDERR] at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:173)
          11:26:00,027 ERROR [STDERR] at org.apache.catalina.core.ApplicationDispatcher.invoke(ApplicationDispatcher.java:672)
          11:26:00,027 ERROR [STDERR] at org.apache.catalina.core.ApplicationDispatcher.processRequest(ApplicationDispatcher.java:463)
          11:26:00,027 ERROR [STDERR] at org.apache.catalina.core.ApplicationDispatcher.doForward(ApplicationDispatcher.java:398)
          11:26:00,027 ERROR [STDERR] at org.apache.catalina.core.ApplicationDispatcher.forward(ApplicationDispatcher.java:301)
          11:26:00,027 ERROR [STDERR] at com.sun.faces.context.ExternalContextImpl.dispatch(ExternalContextImpl.java:322)
          11:26:00,027 ERROR [STDERR] at com.sun.faces.application.ViewHandlerImpl.renderView(ViewHandlerImpl.java:130)
          11:26:00,027 ERROR [STDERR] at com.sun.faces.lifecycle.RenderResponsePhase.execute(RenderResponsePhase.java:87)
          11:26:00,027 ERROR [STDERR] at com.sun.faces.lifecycle.LifecycleImpl.phase(LifecycleImpl.java:200)
          11:26:00,027 ERROR [STDERR] at com.sun.faces.lifecycle.LifecycleImpl.render(LifecycleImpl.java:117)
          11:26:00,027 ERROR [STDERR] at javax.faces.webapp.FacesServlet.service(FacesServlet.java:198)
          11:26:00,027 ERROR [STDERR] at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:252)
          11:26:00,027 ERROR [STDERR] at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:173)
          11:26:00,027 ERROR [STDERR] at org.apache.catalina.core.ApplicationDispatcher.invoke(ApplicationDispatcher.java:672)
          11:26:00,027 ERROR [STDERR] at org.apache.catalina.core.ApplicationDispatcher.processRequest(ApplicationDispatcher.java:463)
          11:26:00,027 ERROR [STDERR] at org.apache.catalina.core.ApplicationDispatcher.doForward(ApplicationDispatcher.java:398)
          11:26:00,027 ERROR [STDERR] at org.apache.catalina.core.ApplicationDispatcher.forward(ApplicationDispatcher.java:301)
          11:26:00,027 ERROR [STDERR] at org.apache.jasper.runtime.PageContextImpl.doForward(PageContextImpl.java:693)
          11:26:00,027 ERROR [STDERR] at org.apache.jasper.runtime.PageContextImpl.forward(PageContextImpl.java:660)
          11:26:00,027 ERROR [STDERR] at org.apache.jsp.index_jsp._jspService(org.apache.jsp.index_jsp:48)
          11:26:00,027 ERROR [STDERR] at org.apache.jasper.runtime.HttpJspBase.service(HttpJspBase.java:97)
          11:26:00,027 ERROR [STDERR] at javax.servlet.http.HttpServlet.service(HttpServlet.java:810)
          11:26:00,027 ERROR [STDERR] at org.apache.jasper.servlet.JspServletWrapper.service(JspServletWrapper.java:322)
          11:26:00,027 ERROR [STDERR] at org.apache.jasper.servlet.JspServlet.serviceJspFile(JspServlet.java:314)
          11:26:00,027 ERROR [STDERR] at org.apache.jasper.servlet.JspServlet.service(JspServlet.java:264)
          11:26:00,027 ERROR [STDERR] at javax.servlet.http.HttpServlet.service(HttpServlet.java:810)
          11:26:00,027 ERROR [STDERR] at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:252)
          11:26:00,027 ERROR [STDERR] at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:173)
          11:26:00,027 ERROR [STDERR] at org.jboss.web.tomcat.filters.ReplyHeaderFilter.doFilter(ReplyHeaderFilter.java:96)
          11:26:00,027 ERROR [STDERR] at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:202)
          11:26:00,027 ERROR [STDERR] at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:173)
          11:26:00,027 ERROR [STDERR] at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:213)
          11:26:00,027 ERROR [STDERR] at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:178)
          11:26:00,027 ERROR [STDERR] at org.jboss.web.tomcat.security.CustomPrincipalValve.invoke(CustomPrincipalValve.java:54)
          11:26:00,043 ERROR [STDERR] at org.jboss.web.tomcat.security.SecurityAssociationValve.invoke(SecurityAssociationValve.java:174)
          11:26:00,043 ERROR [STDERR] at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:514)
          11:26:00,043 ERROR [STDERR] at org.jboss.web.tomcat.security.JaccContextValve.invoke(JaccContextValve.java:74)
          11:26:00,043 ERROR [STDERR] at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:126)
          11:26:00,043 ERROR [STDERR] at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:105)
          11:26:00,043 ERROR [STDERR] at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:107)
          11:26:00,043 ERROR [STDERR] at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:148)
          11:26:00,043 ERROR [STDERR] at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:868)
          11:26:00,043 ERROR [STDERR] at org.apache.coyote.http11.Http11BaseProtocol$Http11ConnectionHandler.processConnection(Http11BaseProtocol.java:663)
          11:26:00,043 ERROR [STDERR] at org.apache.tomcat.util.net.PoolTcpEndpoint.processSocket(PoolTcpEndpoint.java:527)
          11:26:00,043 ERROR [STDERR] at org.apache.tomcat.util.net.MasterSlaveWorkerThread.run(MasterSlaveWorkerThread.java:112)
          11:26:00,043 ERROR [STDERR] at java.lang.Thread.run(Thread.java:595)
          11:26:26,350 ERROR [STDERR] java.lang.NullPointerException
          11:26:26,350 ERROR [STDERR] at org.jboss.security.jndi.JndiLoginInitialContextFactory.getInitialContext(JndiLoginInitialContextFactory.java:75)
          11:26:26,350 ERROR [STDERR] at javax.naming.spi.NamingManager.getInitialContext(NamingManager.java:667)
          11:26:26,350 ERROR [STDERR] at javax.naming.InitialContext.getDefaultInitCtx(InitialContext.java:247)
          11:26:26,350 ERROR [STDERR] at javax.naming.InitialContext.init(InitialContext.java:223)
          11:26:26,350 ERROR [STDERR] at javax.naming.InitialContext.<init>(InitialContext.java:197)
          11:26:26,350 ERROR [STDERR] at com.ghsinc.web.roleeditor.SessionBean01.getAuthorizationManager(Unknown Source)
          11:26:26,350 ERROR [STDERR] at com.ghsinc.web.roleeditor.GeneralBackingBean.<init>(Unknown Source)
          11:26:26,350 ERROR [STDERR] at sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method)
          11:26:26,350 ERROR [STDERR] at sun.reflect.NativeConstructorAccessorImpl.newInstance(NativeConstructorAccessorImpl.java:39)
          11:26:26,350 ERROR [STDERR] at sun.reflect.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:27)
          11:26:26,350 ERROR [STDERR] at java.lang.reflect.Constructor.newInstance(Constructor.java:494)
          11:26:26,350 ERROR [STDERR] at java.lang.Class.newInstance0(Class.java:350)
          11:26:26,350 ERROR [STDERR] at java.lang.Class.newInstance(Class.java:303)
          11:26:26,350 ERROR [STDERR] at java.beans.Beans.instantiate(Beans.java:204)
          11:26:26,350 ERROR [STDERR] at java.beans.Beans.instantiate(Beans.java:48)
          11:26:26,350 ERROR [STDERR] at com.sun.faces.config.ManagedBeanFactory.newInstance(ManagedBeanFactory.java:203)
          11:26:26,350 ERROR [STDERR] at com.sun.faces.application.ApplicationAssociate.createAndMaybeStoreManagedBeans(ApplicationAssociate.java:256)
          11:26:26,350 ERROR [STDERR] at com.sun.faces.el.VariableResolverImpl.resolveVariable(VariableResolverImpl.java:78)
          11:26:26,350 ERROR [STDERR] at com.sun.faces.el.impl.NamedValue.evaluate(NamedValue.java:125)
          11:26:26,350 ERROR [STDERR] at com.sun.faces.el.impl.ComplexValue.setValue(ComplexValue.java:160)
          11:26:26,350 ERROR [STDERR] at com.sun.faces.el.ValueBindingImpl.setValue(ValueBindingImpl.java:234)
          11:26:26,350 ERROR [STDERR] at com.sun.faces.lifecycle.RestoreViewPhase.doPerComponentActions(RestoreViewPhase.java:196)
          11:26:26,350 ERROR [STDERR] at com.sun.faces.lifecycle.RestoreViewPhase.doPerComponentActions(RestoreViewPhase.java:189)
          11:26:26,350 ERROR [STDERR] at com.sun.faces.lifecycle.RestoreViewPhase.doPerComponentActions(RestoreViewPhase.java:189)
          11:26:26,350 ERROR [STDERR] at com.sun.faces.lifecycle.RestoreViewPhase.execute(RestoreViewPhase.java:175)
          11:26:26,350 ERROR [STDERR] at com.sun.faces.lifecycle.LifecycleImpl.phase(LifecycleImpl.java:200)
          11:26:26,350 ERROR [STDERR] at com.sun.faces.lifecycle.LifecycleImpl.execute(LifecycleImpl.java:90)
          11:26:26,350 ERROR [STDERR] at javax.faces.webapp.FacesServlet.service(FacesServlet.java:197)
          11:26:26,350 ERROR [STDERR] at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:252)
          11:26:26,350 ERROR [STDERR] at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:173)
          11:26:26,350 ERROR [STDERR] at org.jboss.web.tomcat.filters.ReplyHeaderFilter.doFilter(ReplyHeaderFilter.java:96)
          11:26:26,350 ERROR [STDERR] at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:202)
          11:26:26,350 ERROR [STDERR] at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:173)
          11:26:26,350 ERROR [STDERR] at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:213)
          11:26:26,350 ERROR [STDERR] at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:178)
          11:26:26,350 ERROR [STDERR] at org.jboss.web.tomcat.security.CustomPrincipalValve.invoke(CustomPrincipalValve.java:54)
          11:26:26,350 ERROR [STDERR] at org.jboss.web.tomcat.security.SecurityAssociationValve.invoke(SecurityAssociationValve.java:174)
          11:26:26,350 ERROR [STDERR] at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:514)
          11:26:26,350 ERROR [STDERR] at org.jboss.web.tomcat.security.JaccContextValve.invoke(JaccContextValve.java:74)
          11:26:26,350 ERROR [STDERR] at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:126)
          11:26:26,350 ERROR [STDERR] at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:105)
          11:26:26,350 ERROR [STDERR] at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:107)
          11:26:26,350 ERROR [STDERR] at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:148)
          11:26:26,350 ERROR [STDERR] at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:868)
          11:26:26,350 ERROR [STDERR] at org.apache.coyote.http11.Http11BaseProtocol$Http11ConnectionHandler.processConnection(Http11BaseProtocol.java:663)
          11:26:26,350 ERROR [STDERR] at org.apache.tomcat.util.net.PoolTcpEndpoint.processSocket(PoolTcpEndpoint.java:527)
          11:26:26,350 ERROR [STDERR] at org.apache.tomcat.util.net.MasterSlaveWorkerThread.run(MasterSlaveWorkerThread.java:112)
          11:26:26,350 ERROR [STDERR] at java.lang.Thread.run(Thread.java:595)
          


          Even with the ClientLoginModule changes, the SecurityAssociation still returns nulls and the JndiInitialContext still does not work for making the remote ejb3 call when I have the Principal/Credential properties commented out.

          • 3. Re: web-tier to initialcontext remote ejb3 call
            Scott Stark Master

            There is no principal in the InitialContextFactory environment properties under the Context.SECURITY_PRINCIPAL for this NPE to occur.

            • 4. Re: web-tier to initialcontext remote ejb3 call
              darren hartford Expert

               

              "scott.stark@jboss.org" wrote:
              There is no principal in the InitialContextFactory environment properties under the Context.SECURITY_PRINCIPAL for this NPE to occur.


              Well, yes, that's kind of my point for this thread. I want to use already logged-in credentials from the web-tier. As such, I don't want to manually pass credentials so I commented out the credentials:

               import java.util.Properties;
               import javax.naming.Context;
               import javax.naming.InitialContext;

               // Same lookup, with the explicit credentials removed so the web-tier login is supposed to be used.
               Properties env = new Properties();
               //env.setProperty(Context.SECURITY_PRINCIPAL, "username");
               //env.setProperty(Context.SECURITY_CREDENTIALS, "password");
               env.setProperty(Context.INITIAL_CONTEXT_FACTORY, "org.jboss.security.jndi.JndiLoginInitialContextFactory");
               InitialContext ctx = new InitialContext(env);

               MyClass mc = (MyClass) ctx.lookup("MyClassBean/remote");



               If I tried to work around this by explicitly setting the environment properties using SecurityAssociation.getPrincipal/getCredential, both of those are null even though my webapp requires login and correctly behaves based on those logins. From the web/JSF standpoint, getExternalContext.getRemoteUser() works fine but the integration point (SecurityAssociation) does not. I'm using the ClientLoginModule, where I thought the intent was that by using the JndiLoginInitialContextFactory it would be passed through.

               I've seen discussions about using a Tomcat Valve for a fix, requiring a CallbackHandler for a fix, something about the JAAS only working on the current thread and not the session and related workarounds, etc. Any recommendations for a 'clean' fix that shouldn't break on me later?

              jboss-4.0.4RC1 on both ejb3 and webapp servers.



              • 5. Re: web-tier to initialcontext remote ejb3 call
                Scott Stark Master

                If this is the tomcat embedded in jboss there should be no need to use the ClientLoginModule to pick up the web container login, as there already is a SecurityAssociationValve in the configuration for this. If it's not working, it's a bug in the ejb3 layer. If you're not using the RC5 release, do so or check the outstanding jira issues.

                http://jira.jboss.com/jira/browse/EJBTHREE

                • 6. Re: web-tier to initialcontext remote ejb3 call
                  darren hartford Expert

                  When the SecurityAssociation on the web tier is NULL, this is an EJB problem?

                  • 7. Re: web-tier to initialcontext remote ejb3 call
                    darren hartford Expert

                    JSF Session Bean:

                     import java.util.Properties;
                     import javax.naming.Context;
                     import javax.naming.InitialContext;
                     import org.jboss.security.SecurityAssociation;

                     public void securityCheck() {
                         try {
                             // This is null
                             System.out.println("Principal: " + SecurityAssociation.getPrincipal());
                             // This is null
                             System.out.println("Credential: " + SecurityAssociation.getCredential());
                             // This is correct for ALL use cases
                             System.out.println("Remote User: " + this.getContext().getExternalContext().getRemoteUser());

                             Properties env = new Properties();
                             env.setProperty("java.naming.provider.url", "jnp://10.0.0.135:1099");
                             // When I use my username/password manually, this works fine
                             // even when called in the JSF/Session bean. When commented
                             // out for JAAS use, this doesn't work.
                             //env.setProperty(Context.SECURITY_PRINCIPAL, manualusername);
                             //env.setProperty(Context.SECURITY_CREDENTIALS, manualpassword);
                             env.setProperty(Context.INITIAL_CONTEXT_FACTORY, "org.jboss.security.jndi.JndiLoginInitialContextFactory");
                             InitialContext ctx = new InitialContext(env);
                             SecTest st = (SecTest) ctx.lookup("SecTestBean/remote");

                             // Make a secure EJB3 call.
                             // Again, works with correct manual username/password.
                             // Behaves properly with incorrect manual username/password.
                             // Fails completely when trying to use JAAS, as SecurityAssociation is null.
                             System.out.println(st.hello());   // was 'aM.hello()' as posted; 'st' per the correction in the next post
                         } catch (Exception e) {
                             e.printStackTrace();
                         }
                     }


                    And, just for verification:

                    jboss-web.xml:
                    <jboss-web>
                     <security-domain>java:/jaas/testRealm</security-domain>
                    </jboss-web>
                    


                    web.xml
                    ....
                     <security-constraint>
                     <web-resource-collection>
                     <web-resource-name>Required Only</web-resource-name>
                     <description>Required Only</description>
                     <url-pattern>/*</url-pattern>
                     <http-method>POST</http-method>
                     <http-method>GET</http-method>
                     </web-resource-collection>
                     <auth-constraint>
                     <description>Define who can access this url-pattern</description>
                     <role-name>*</role-name>
                     </auth-constraint>
                    
                     <user-data-constraint>
                     <transport-guarantee>NONE</transport-guarantee>
                     </user-data-constraint>
                     </security-constraint>
                    
                     <login-config>
                     <auth-method>BASIC</auth-method>
                     <realm-name>Please log in</realm-name>
                     </login-config>
                    
                    <!-- this is a known and proven role in the JAAS modules for our test user -->
                     <security-role>
                     <role-name>developers</role-name>
                     </security-role>
                    


                    • 8. Re: web-tier to initialcontext remote ejb3 call
                      darren hartford Expert

                      correction to above post (trying to de-sensitize):
                      System.out.println(aM.hello());
                      should be

                      System.out.println(st.hello());

                      • 9. Re: web-tier to initialcontext remote ejb3 call
                        darren hartford Expert

                        and, yes, I'm using 4.0.4RC1 binary drop which, according to the notes, uses EJB3 RC5.

                        • 10. Re: web-tier to initialcontext remote ejb3 call
                          Scott Stark Master

                          The JndiLoginInitialContextFactory cannot be used if you want transparent propagation of the web container caller.

                          • 11. Re: web-tier to initialcontext remote ejb3 call
                            darren hartford Expert

                            Forgive my ignorance, but what is the recommended approach for transparent propagation of Security credentials from the web tier to a remote ejb3 call?

                            • 12. Re: web-tier to initialcontext remote ejb3 call
                              Scott Stark Master

                              To use the embedded tomcat configuration which includes the SecurityAssociationValve to do this. There is a mention of a lack of credentials in one post. If there is no security context (a web page that is not secured), there will be nothing to propagate.

                              • 13. Re: web-tier to initialcontext remote ejb3 call
                                darren hartford Expert

                                 

                                "scott.stark@jboss.org" wrote:
                                To use the embedded tomcat configuration which includes the SecurityAssociationValve to do this. There is a mention of a lack of credentials in one post. If there is no security context (a web page that is not secured), there will be nothing to propagate.


                                Did I find a bug then? I am using 4.0.4RC1 binary with the embedded tomcat and I am still having issues. You mentioned NOT using the JndiInitialContext, is this still true?

                                As for web page secured:

                                "dhartford" wrote:
                                web.xml
                                ....
                                 <security-constraint>
                                 <web-resource-collection>
                                 <web-resource-name>Required Only</web-resource-name>
                                 <description>Required Only</description>
                                 <url-pattern>/*</url-pattern>
                                 <http-method>POST</http-method>
                                 <http-method>GET</http-method>
                                 </web-resource-collection>
                                 <auth-constraint>
                                 <description>Define who can access this url-pattern</description>
                                 <role-name>*</role-name>
                                 </auth-constraint>
                                
                                 <user-data-constraint>
                                 <transport-guarantee>NONE</transport-guarantee>
                                 </user-data-constraint>
                                 </security-constraint>
                                
                                 <login-config>
                                 <auth-method>BASIC</auth-method>
                                 <realm-name>Please log in</realm-name>
                                 </login-config>
                                
                                <!-- this is a known and proven role in the JAAS modules for our test user -->
                                 <security-role>
                                 <role-name>developers</role-name>
                                 </security-role>
                                


                                • 14. Re: web-tier to initialcontext remote ejb3 call
                                  darren hartford Expert

                                  To more clearly restate the problem:
                                  * An EJB application server runs EJB beans with secured RMI access. This is tested and works fine with client-side code. This client-side code works correctly remotely from the web application server.

                                  * A web application server runs a web application that is also secured. Logins work correctly, denying access when not logging in correctly. The credential/principal is visible from externalcontext.getRemoteUser(). An initial context lookup of a remote EJB bean with manually specified principal/credentials works fine.

                                  I cannot get the web application server, running jboss 4.0.4rc1 w/ embedded tomcat, to propagate the security principal/credentials from the web login (that are visible from externalcontext.getRemoteUser()) to an InitialContext lookup of a remote, secured EJB bean.
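As an added example, not code from this thread or from JBoss, here is how I would wire up the approach Scott describes in post 12 and check, on the web tier, whether the propagation Darren restates above is actually in place before the remote call is made. It drops JndiLoginInitialContextFactory and the explicit SECURITY_PRINCIPAL/SECURITY_CREDENTIALS, uses JBoss's plain JNP factory (org.jnp.interfaces.NamingContextFactory, which is not named on the page), and relies on the embedded Tomcat's SecurityAssociationValve having populated the thread-local org.jboss.security.SecurityAssociation for the request thread. The helper class, its method names, the State enum, the provider URL and the JNDI name are my assumptions; it is written against the JBoss 4.0.x / Servlet 2.4 API this thread runs on.

```java
import java.security.Principal;
import java.util.Properties;
import javax.naming.Context;
import javax.naming.InitialContext;
import javax.naming.NamingException;
import javax.servlet.http.HttpServletRequest;
import org.jboss.security.SecurityAssociation;

/**
 * Hypothetical helper (not part of JBoss): confirms that the identity the web
 * container authenticated has reached the JBoss thread-local security
 * association before a remote EJB3 lookup that is supposed to inherit it.
 */
public final class WebTierPropagationCheck {

    /** Outcome of the check, so callers can log or branch on it instead of
     *  discovering the problem as a NullPointerException or a failed call. */
    public enum State { NO_WEB_LOGIN, NOT_PROPAGATED, NO_CREDENTIAL, PRINCIPAL_MISMATCH, READY }

    private WebTierPropagationCheck() {}

    /**
     * Compare what the web container knows (request.getUserPrincipal(), the same
     * source ExternalContext.getRemoteUser() reads) with what the JBoss security
     * layer has on the CURRENT thread. SecurityAssociation is thread-local: call
     * this on the request thread itself, never from a spawned worker thread.
     */
    public static State check(HttpServletRequest request) {
        Principal webUser = request.getUserPrincipal();
        if (webUser == null) {
            return State.NO_WEB_LOGIN;        // unsecured page: nothing to propagate
        }
        Principal threadUser = SecurityAssociation.getPrincipal();
        if (threadUser == null) {
            return State.NOT_PROPAGATED;      // the valve did not populate this thread
        }
        if (!webUser.getName().equals(threadUser.getName())) {
            return State.PRINCIPAL_MISMATCH;  // stale or foreign identity on the thread
        }
        if (SecurityAssociation.getCredential() == null) {
            return State.NO_CREDENTIAL;       // remote server cannot re-authenticate
        }
        return State.READY;
    }

    /**
     * Look up the remote bean with the plain JNP factory: no
     * JndiLoginInitialContextFactory and no SECURITY_PRINCIPAL / SECURITY_CREDENTIALS,
     * so the caller identity already on the thread is what gets carried along.
     * providerUrl is an assumption, e.g. "jnp://ejb-host:1099".
     */
    public static Object lookupWithPropagatedIdentity(HttpServletRequest request,
                                                      String providerUrl,
                                                      String jndiName) throws NamingException {
        State state = check(request);
        if (state != State.READY) {
            // Fail closed and say why, rather than let the remote call run anonymously.
            throw new IllegalStateException("refusing remote call, web-tier identity state: " + state);
        }
        Properties env = new Properties();
        env.setProperty(Context.INITIAL_CONTEXT_FACTORY, "org.jnp.interfaces.NamingContextFactory");
        env.setProperty(Context.URL_PKG_PREFIXES, "org.jboss.naming:org.jnp.interfaces");
        env.setProperty(Context.PROVIDER_URL, providerUrl);
        InitialContext ctx = new InitialContext(env);
        try {
            return ctx.lookup(jndiName);   // e.g. "SecTestBean/remote" from the thread
        } finally {
            ctx.close();
        }
    }
}
```

From a JSF backing bean the request is reachable through FacesContext's ExternalContext.getRequest(); calling check() there, on the request thread, separates the cases the thread has mixed together: NO_WEB_LOGIN means the page is not under the web.xml constraint, NOT_PROPAGATED on a constrained page reproduces the null SecurityAssociation Darren reports and points at the valve/ejb3 layer rather than at the lookup code, and anything read from a thread the container did not authenticate will always come back null.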
