5 Replies Latest reply on Jul 3, 2006 11:36 AM by chris griffith

    Login module which accesses an EJB?

    Thorsten Klusemann Newbie

      I have a database with user and roles tables and a set of Session EJB's to access this data. Now I am thinking about writing a JAAS login module that calls an authenticate(user,passwd) on the UserServiceEJB. Is this a good design or should I prefer using the database login module, which directly asks the database for authentication?

        • 1. Re: Login module which accesses an EJB?
          chris griffith Expert

          Klusi,

          I have a login module which does this as well. Is it good design? I am not sure. One very imporant point to note (as you will see if you search this forum) is that you can't secure the EJB that has authenticate(user,passwd) method using the same application-policy (i.e. security-domain). There would an circular login problem. Also, consider how you plan to authenticate the login module as a user of the EJB.

          enjoy, cgriffith

          • 2. Re: Login module which accesses an EJB?
            Anil Saldanha Master

            It is better to use the Database LM because it does the job for you while managing the subject population with roles.

            • 3. Re: Login module which accesses an EJB?
              Nigel White Newbie

              Further to this, I'm having a problem which is very strange.

              I'm not sure into which of the seperate jar/war files to put my security classes.

              I'm using JAAS, and I have a sar file which contains meta-inf/jboss-service.xml:

              <?xml version='1.0'?>
              <!DOCTYPE policy PUBLIC
               "-//JBoss//DTD MBean Service 4.0//EN"
               "http://www.jboss.org/j2ee/dtd/jboss-service_4_0.dtd">
              <server>
               <!-- The custom JAAS login configuration that installs
               a Configuration capable of dynamically updating the
               config settings
               -->
               <mbean code="org.jboss.security.auth.login.DynamicLoginConfig"
               name="jboss.security.tests:service=LoginConfig">
               <attribute name="PolicyConfig" serialDataType="jbxb">
               <jaas:policy
               xsi:schemaLocation="urn:jboss:security-config:4.1 resource:security-config_4_1.xsd"
               xmlns:jaas="urn:jboss:security-config:4.1"
               xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
              
               <!-- Our Greenfields login config -->
               <jaas:application-policy name="Greenfields">
               <jaas:authentication>
               <jaas:login-module code="com.fcl.security.GreenfieldsLoginModule" flag="required">
               <jaas:module-option name="unauthenticatedIdentity">Anonymous</jaas:module-option>
               <jaas:module-option name="principalClass">com.fcl.security.GreenfieldsUser</jaas:module-option>
               <jaas:module-option name="ignorePasswordCase">true</jaas:module-option>
               </jaas:login-module>
               </jaas:authentication>
               </jaas:application-policy>
               </jaas:policy>
               </attribute>
               <depends optional-attribute-name="LoginConfigService">
               jboss.security:service=XMLLoginConfig
               </depends>
               <depends optional-attribute-name="SecurityManagerService">
               jboss.security:service=JaasSecurityManager
               </depends>
               </mbean>
              </server>


              I put my com.fcl.security.GreenfieldsLoginModule,com.fcl.security.LoginUtils (utility functions used by the login process) and com.fcl.security.GreenfieldsUser (The Principal class) into the WAR file (because it's the web app that does the JAAS authentication), but then I get

              [c]dejava.lang.LinkageError: loader constraints violated when linking com/fcl/security/GreenfieldsUser class when invoking my EJBs.

              I put com.fcl.security.GreenfieldsUser into my EJB jar file too.

              basically, my EAR is build like this... here's my application.xml:

              <?xml version="1.0" encoding="UTF-8"?>
              <application
               xmlns="http://java.sun.com/xml/ns/j2ee"
               xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" version="1.4"
               xsi:schemaLocation="http://java.sun.com/xml/ns/j2ee http://java.sun.com/xml/ns/j2ee/application_1_4.xsd">
               <display-name>GreenFields</display-name>
               <module>
               <java id="greenfield.jar">greenfield.jar</java>
               </module>
               <module>
               <ejb id="persistence.jar">persistence.jar</ejb>
               </module>
               <module>
               <ejb id="ejbs.jar">ejbs.jar</ejb>
               </module>
               <module>
               <java id="GreenfieldsLogin.sar">GreenfieldsLogin.sar</java>
               </module>
               <module>
               <web>
               <web-uri>webapp.war</web-uri>
               <context-root>gfFw</context-root>
               </web>
               </module>
              </application>


              • 4. Re: Login module which accesses an EJB?
                Nigel White Newbie

                Now, I just put com.fcl.security.GreenfieldsLoginModule into my WAR file.

                All other classes from the com.fcl.security package are in greenfield.jar, just another java module listed in application.xml.

                But in my LoginModule, I now get this:

                10:09:25,718 ERROR [fcl] tried to access method com.fcl.security.LoginUtils.login(Ljava/lang/String;[BLjava/lang/Long;)Lcom/fcl/secu
                rity/GreenfieldsUser; from class com.fcl.security.GreenfieldsLoginModule
                java.lang.IllegalAccessError: tried to access method com.fcl.security.LoginUtils.login(Ljava/lang/String;[BLjava/lang/Long;)Lcom/fcl
                /security/GreenfieldsUser; from class com.fcl.security.GreenfieldsLoginModule
                 at com.fcl.security.GreenfieldsLoginModule.login(GreenfieldsLoginModule.java:116)
                 at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
                 at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
                 at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
                 at java.lang.reflect.Method.invoke(Method.java:585)
                 at javax.security.auth.login.LoginContext.invoke(LoginContext.java:769)
                 at javax.security.auth.login.LoginContext.access$000(LoginContext.java:186)
                 at javax.security.auth.login.LoginContext$4.run(LoginContext.java:683)
                 at java.security.AccessController.doPrivileged(Native Method)
                 at javax.security.auth.login.LoginContext.invokePriv(LoginContext.java:680)
                 at javax.security.auth.login.LoginContext.login(LoginContext.java:579)
                 at org.jboss.security.plugins.JaasSecurityManager.defaultLogin(JaasSecurityManager.java:587)
                 at org.jboss.security.plugins.JaasSecurityManager.authenticate(JaasSecurityManager.java:521)
                 at org.jboss.security.plugins.JaasSecurityManager.isValid(JaasSecurityManager.java:330)
                 at org.jboss.web.tomcat.security.JBossSecurityMgrRealm.authenticate(JBossSecurityMgrRealm.java:306)
                 at org.apache.catalina.authenticator.FormAuthenticator.authenticate(FormAuthenticator.java:256)
                 at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:416)
                 at org.jboss.web.tomcat.security.JaccContextValve.invoke(JaccContextValve.java:74)
                 at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:126)
                 at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:105)
                 at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:107)
                 at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:148)
                 at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:868)
                 at org.apache.coyote.http11.Http11BaseProtocol$Http11ConnectionHandler.processConnection(Http11BaseProtocol.java:663)
                 at org.apache.tomcat.util.net.PoolTcpEndpoint.processSocket(PoolTcpEndpoint.java:527)
                 at org.apache.tomcat.util.net.MasterSlaveWorkerThread.run(MasterSlaveWorkerThread.java:112)
                 at java.lang.Thread.run(Thread.java:595)


                I have a terrible problem here. I cannot get our app to work. I'm feeling the project is going to get cancelled and I'll be fired.

                Why is it this DIFICULT? What do I have to do just to get login to work?

                • 5. Re: Login module which accesses an EJB?
                  chris griffith Expert

                  First off, start a new thread as this is not related to the threads subject.

                  Second, do not put

                  <module>
                   <java id="GreenfieldsLogin.sar">GreenfieldsLogin.sar</java>
                  </module>
                  

                  in application.xml. Java 2 E E spec. knows nothing of JBoss sars. You need to set that in jboss-app.xml.

                  Finally, do not complain to us that you are going to get fired if you do not get help. We are only here to help voluntarily, and you should not depend on us to get your job done.

                  Happy to help otherwise, cgriffith