4 Replies Latest reply on Mar 22, 2006 11:47 AM by Andrew May

    Confused by Client login

    Andrew May Newbie

      Hi, I'm having problems with authentication for a remote EJB client.

      As I understand it, my client should use the ClientLoginModule to collect username/password, and then the server should be configured to use a login module that will read the username/password passed from the client.

      I believe that everything is working on the client end, as after login a Subject has been created with a Principal named for my username, and SecurityAssociation.getPrincipal() and SecurityAssocation.getCredential() have been set (which is what I expect from poking around in the ClientLoginModule code).

      On the server end, my custom login module is being called. This passes a NameCallback to the provided CallbackHandler, but the name does not get set to the username I provided at the client end.

      I guess my expectation is that the CallbackHandler provided by the container would have the principal and credential from the client passed by whatever mechanism JBoss uses.

      Attaching a debugger, the CallbackHandler appears to be a SecurityAssociationHandler (wrapped by a SecureCallbackHandler), which should set the name of a NameCallback to the name of the Principal the SecurityAssociationHandler is initialised. However, both the Principal and the Credential are null, so nothing appears to have been propergated from the client.

      This is part of the client code. Does it need to be doing something different?

       CallbackHandler handler = new MyCallbackHandler(username, password);
       LoginContext loginContext = new LoginContext("other", handler);
       loginContext.login();
       Subject subject = loginContext.getSubject();
       // the subject has a principal where name=username as expected
       Hashtable<String, String> props = new Hashtable<String, String>();
       props.put(Context.INITIAL_CONTEXT_FACTORY, "org.jnp.interfaces.NamingContextFactory");
       props.put(Context.PROVIDER_URL, "localhost:1099");
       Context ctx = new InitialContext(props);
       IdentityController controller = (IdentityController)ctx.lookup("IdentityControllerBean/remote");
       ...
      


      This is using the other login configuration in client/auth.conf, which just contains the ClientLoginModule.

      On the server end, I am using a custom login module that extends AbstractServerLoginModule. This is configured in login-config.xml
       <application-policy name="identity">
       <authentication>
       <login-module code="com.ingenta.ics.client.SessionLoginModule" flag="required"></login-module>
       </authentication>
       </application-policy>
      


      I only made my login module extend the JBoss one because I wasn't sure if this was necessary to get the client details to propergate, but that made no difference.

      This is with JBoss 4.0.4RC1, and it's calling an EJB3 bean. I can't see any issues in JIRA for EJB3 that would cause this.

      Thanks in advance for your help, this is my first taste of JAAS, and it's giving me headaches.

      -Andrew

        • 1. Re: Confused by Client login
          Anil Saldanha Master

          http://wiki.jboss.org/wiki/Wiki.jsp?page=SecurityFAQ
          Item 4: Enable trace level logging on the serverside and see the log for information.

          • 2. Re: Confused by Client login
            Andrew May Newbie

            This is what I see in the log:

            2006-03-22 09:10:21,009 TRACE [org.jboss.security.SecurityAssociation] getPrincipal, principal=null
            2006-03-22 09:10:21,015 TRACE [org.jboss.security.plugins.JaasSecurityManager.identity] Begin isValid, principal:null, cache info: null
            2006-03-22 09:10:21,015 TRACE [org.jboss.security.plugins.JaasSecurityManager.identity] defaultLogin, principal=null
            2006-03-22 09:10:21,015 TRACE [org.jboss.security.auth.login.XMLLoginConfigImpl] Begin getAppConfigurationEntry(identity), size=9
            2006-03-22 09:10:21,015 TRACE [org.jboss.security.auth.login.XMLLoginConfigImpl] End getAppConfigurationEntry(identity), authInfo=AppConfigurationEntry[]:
            [0]
            LoginModule Class: com.ingenta.ics.client.SessionLoginModule
            ControlFlag: LoginModuleControlFlag: required
            Options:


            Then there's some println's from my custom login module, confirming that the NameCallback I provided to the CallbackHandler did not have it's name set.

            I don't see anything in this output that explains what is happening, apart from confirming that there doesn't appear to be a principal propergated to the server.

            • 3. Re: Confused by Client login
              Anil Saldanha Master

              Item 2 and 3 of the security FAQ. Try enabling logging on the client side.

              • 4. Re: Confused by Client login
                Andrew May Newbie

                When I turned on client logging as you suggested it became clear that I was doing something unbelivably stupid in my client - logging out in my factory class before any of the business methods were called.

                Thanks for the suggestion - I'd pretty much given up.