2 Replies Latest reply on Jun 24, 2008 11:21 AM by Timo Roessner

    Simple Auth for HelloWorld-Example not working...

    Timo Roessner Newbie

      Hey folks,

      since my first tries with JAAS and Jboss failed with a complex application, i made a simple HelloWorld application to exclude all possible errors.

      My application is really simple:

      RMI-client:

       public static void main(String[] args) throws NamingException, RemoteException {
      
       Hashtable<String, String> props = new Hashtable<String, String>();
       props.put(Context.INITIAL_CONTEXT_FACTORY,"org.jnp.interfaces.NamingContextFactory");
       props.put(Context.PROVIDER_URL,"jnp://sdoesmon:1099");
       Context ctx = new InitialContext(props);
       ISayHello iSayHello = (ISayHello) ctx.lookup("SayHello/SayHello/remote");
       System.out.println("Sending command....");
       String result = iSayHello.sayHello();
       System.out.println("result: " + result);
       }
      


      My EJB:

      @Stateless
      @Remote
      public class SayHello implements ISayHello {
      
       public String sayHello() {
       return "Yippie! There i am!";
       }
      }


      This works like a charm and my client tells me:

      Sending command....
      result: Yippie! There i am!


      Now i wanted to add JAAS-authentification, so:

      * I added the following lines to my client:

       props.put(Context.SECURITY_PRINCIPAL, "admin");
       props.put(Context.SECURITY_CREDENTIALS, "foo");
      


      * I added the file users.properties to the directory META-INF of my ejb-subproject:

      admin=foo


      * I added the file roles.properties to the directory META-INF of my ejb-subproject:

      admin=SayHelloRole


      * I added the file ejb-jar.xml to the directory META-INF of my ejb-subproject:

      <ejb-jar>
       <enterprise-beans>
       <session>
       <ejb-name>SayHello</ejb-name>
       <security-role-ref>
       <role-name>SayHelloRole</role-name>
       <role-link>SayHelloRole</role-link>
       </security-role-ref>
       </session>
       </enterprise-beans>
       <assembly-descriptor>
       <security-role>
       <description>foo</description>
       <role-name>SayHelloRole</role-name>
       </security-role>
       <method-permission>
       <role-name>SayHelloRole</role-name>
       <method>
       <ejb-name>SayHello</ejb-name>
       <method-name>*</method-name>
       </method>
       </method-permission>
       </assembly-descriptor>
      </ejb-jar>
      
      


      * I added the file jboss.xml to the directory META-INF of my project ROOT:

      <jboss>
       <security-domain>java:/jaas/SayHello</security-domain>
       <enterprise-beans>
       <session>
       <ejb-name>SayHello</ejb-name>
       <jndi-name>SayHello</jndi-name>
       </session>
       </enterprise-beans>
      </jboss>
      


      So far, so good.....

      Finally, i added this to the login-config.xml:

      <application-policy name = "SayHello">
       <authentication>
       <login-module code="org.jboss.security.auth.spi.UsersRolesLoginModule" flag = "required">
       <module-option
       name="usersProperties">
       META-INF/users.properties
       </module-option>
       <module-option
       name="rolesProperties">
       META-INF/roles.properties
       </module-option>
       </login-module>
       </authentication>
      </application-policy>
      
      


      I hoped this would work, but of course it doesn't, i can connect to my EJB with whatever user i want.

      Even if i give the wrong password / user, my client still says:

      Sending command....
      result: Yippie! There i am!


      Jesus Christ! I don't even know where to start looking for the reason for this behaviour......

      I would really appreciate it if somebody could give me a hint what is going wrong here......

      What could i do to narrow down what my application is missing?

        • 1. Re: Simple Auth for HelloWorld-Example not working...
          Timo Roessner Newbie

          Ok,

          i found the solution:

          First of all for a single ejb.jar:

          I had used the wrong INITIAL_CONTEXT_FACTORY, so now the corresponding line in my client looks like this:

          props.put(Context.INITIAL_CONTEXT_FACTORY,"org.jboss.security.jndi.JndiLoginInitialContextFactory");


          Furthermore we have to adjust the jndi-adress since now we want to talk to a jar-application and not to a full-fledged ear-application:

          ISayHello iSayHello = (ISayHello) ctx.lookup("SayHello/remote");


          jar-Modifications:

          - The sourcecode stays the same.
          - pack the users.properties, roles.properties and the ejb-jar.xml under the jar's META-INF
          - create the file jboss.xml under the jar's META-INF:

          <jboss>
           <security-domain>java:/jaas/SayHello</security-domain>
          </jboss>


          That's it!

          I will update this section when i have figured out how to do the same for an EAR....

          • 2. Re: Simple Auth for HelloWorld-Example not working...
            Timo Roessner Newbie

            Hey folks,

            my final remark how to achieve the same as above for an EAR:

            == Securing access to the EJB-application ==

            * Create the file users.properties under /$PROJECT-ROOT/META-INF:

            admin=secretadminpassword
             user=secretuserpassword


            * Create the file roles.properties under /$PROJECT-ROOT/META-INF:

             admin=adminRole
             user=userRole


            * Add the following annotations to your beans:

            @RolesAllowed("adminRole")
             public class SendCommandBean implements ISendCommandRemote, ISendCommandLocal {
            
             @RolesAllowed("adminRole")
             public String sendCommand(myArgs...) {


            * Add the file jboss.xml to the ejb-subproject under the directory /META-INF

            <jboss>
             <security-domain>java:/jaas/myDomain</security-domain>
             </jboss>
            


            * Adjust the file login-config.xml under the directory $JBOSS_HOME/server/$PROFILE/conf/

            <application-policy name = "myDomain">
             <authentication>
             <login-module code="org.jboss.security.auth.spi.UsersRolesLoginModule" flag = "required">
             <module-option
             name="usersProperties">
             META-INF/users.properties
             </module-option>
             <module-option
             name="rolesProperties">
             META-INF/roles.properties
             </module-option>
             </login-module>
             </authentication>
             </application-policy>