3 Replies Latest reply on Sep 5, 2008 6:49 AM by Alexander Degenstein

    After Login standalone client  -> getCallerPrincipal on JBos

    Alexander Degenstein Newbie

      Hi all,
      i have wrote a client side LoginModule which aquires a Kerberos Service Ticket and than "send it" to JBoss. This works with the SecurtiyAssociationActions (i have copied the class to the client...i know, its not very good...), the same way like the ClientLoginModule do this:

      SecurityAssociationActions.setPrincipalInfo(loginPrincipal, loginCredential, subject);


      the loginCredential contains the kerberos Service Ticket. This is done by the KerberosClientLoginModule class.

      Then, on the servcer side i use the Service Ticket to authenticate the user (with win2k3 server exchange and Java GSS-API functions). This is done by the KerberosJBossLoginModule. It works fine. After thats done I use the IdentityRoleMappingLoginModule to obtain the roles from my database with help of the username. only the name of the user (the database don't contains information about the service ticket, but except for the username) is used for this.It works fine to. This Modlue depends on the DatabaseLoginModule and do following with the obtained (correct) username:

      sharedState.put("javax.security.auth.login.name",identity);

      But then i want to use the sessionContext.getCallerPrincipal in the ejb and i get an empty String. Furthermore is use the ClientLoginModule and third loginModule like following:

      <application-policy name="orga-security">
       <authentication>
       <login-module code="com.mgsoftech.orga.security.KerberosJBossLoginModule" flag="requisite">
       <module-option name="storeKey">true</module-option>
       <module-option name="isInitiator">false</module-option>
       <module-option name="krbRealm">myDomain</module-option>
       <module-option name="name">JBossUserName</module-option>
       <module-option name="password">JBossPW</module-option>
       <module-option name="kdcAddress">ipAddres</module-option>
       <module-option name="debug">true</module-option>
       </login-module>
       <login-module code="com.mgsoftech.orga.security.IdentityRoleMappingLoginModule"
       flag="required">
       <module-option name="password-stacking">
       useFirstPass
       </module-option>
       <module-option name="dsJndiName">
       workingDBName
       </module-option>
       <module-option name="rolesQuery"> workingRolesQuery
       </module-option>
       </login-module>
       <login-module code="org.jboss.security.ClientLoginModule" flag="required">
       <module-option name="password-stacking">
       useFirstPass
       </module-option>
       <module-option name="multi-threaded">
       true
       </module-option>
       </login-module>
       </authentication>
      </application-policy>


      but sessionContext.getCallerPrincipal don't work, although i use the clientLoginModule...:(
      do anybody know what i could do wrong?

        • 1. Re: After Login standalone client  -> getCallerPrincipal on
          Alexander Degenstein Newbie

          an additional trace which makes me a little bit confused:

          2008-09-04 20:25:38,531 TRACE [org.jboss.security.plugins.JaasSecurityManager.mySecurityDomain] Begin isValid, principal:, cache info: org.jboss.security.plugins.JaasSecurityManager$DomainInfo@18d0ff8[Subject(33216582).principals=org.jboss.security.SimplePrincipal@1809155(correctPrincipal)org.jboss.security.SimpleGroup@6901622(Roles(correctRoles)),credential.class=java.lang.String@22591049,expirationTime=1220552959218]


          • 2. Re: After Login standalone client  -> getCallerPrincipal on
            Alexander Degenstein Newbie

            Here are more Traces which makes me confused:

            2008-09-05 10:07:44,984 TRACE [org.jboss.security.ClientLoginModule] Security domain: orga-security
            2008-09-05 10:07:44,984 TRACE [org.jboss.security.ClientLoginModule] Enabling multi-threaded mode
            2008-09-05 10:07:44,984 TRACE [org.jboss.security.ClientLoginModule] Enabling restore-login-identity mode
            2008-09-05 10:07:44,984 TRACE [org.jboss.security.ClientLoginModule] Enabling useFirstPass mode
            2008-09-05 10:07:44,984 TRACE [org.jboss.security.ClientLoginModule] Begin login
            2008-09-05 10:07:45,406 TRACE [org.jboss.security.ClientLoginModule] commit, subject=Betreff:
             Principal: username
             Principal: Roles(members:admin,read)
            
            2008-09-05 10:07:45,421 TRACE [org.jboss.security.SecurityAssociation] pushSubjectContext, subject=Betreff:
             Principal: username
             Principal: Roles(members:admin,read)
            , sc=org.jboss.security.SecurityAssociation$SubjectContext@ee6ba6{principal=username,subject=14519264}
            2008-09-05 10:07:45,421 TRACE [org.jboss.security.plugins.JaasSecurityManager.orga-security] defaultLogin, lc=javax.security.auth.login.LoginContext@10a3f5e, subject=Subject(14519264).principals=org.jboss.security.SimplePrincipal@30812805(username)org.jboss.security.SimpleGroup@6401464(Roles(members:admin,read))
            2008-09-05 10:07:45,421 TRACE [org.jboss.security.plugins.JaasSecurityManager.orga-security] updateCache, inputSubject=Subject(14519264).principals=org.jboss.security.SimplePrincipal@30812805(username)org.jboss.security.SimpleGroup@6401464(Roles(members:admin,read)), cacheSubject=Subject(29775540).principals=org.jboss.security.SimplePrincipal@30812805(username)org.jboss.security.SimpleGroup@6401464(Roles(members:admin,read))
            2008-09-05 10:07:45,421 TRACE [org.jboss.security.plugins.JaasSecurityManager.orga-security] Inserted cache info: org.jboss.security.plugins.JaasSecurityManager$DomainInfo@666f6a[Subject(29775540).principals=org.jboss.security.SimplePrincipal@30812805(username)org.jboss.security.SimpleGroup@6401464(Roles(members:admin,read)),credential.class=java.lang.String@22591049,expirationTime=1220603840125]
             2008-09-05 10:07:45,421 TRACE [org.jboss.security.plugins.JaasSecurityManager.orga-security] End isValid, true
            2008-09-05 10:07:45,421 TRACE [org.jboss.security.SecurityAssociation] pushSubjectContext, subject=Betreff:
             Principal: username
             Principal: Roles(members:admin,read)
            , sc=org.jboss.security.SecurityAssociation$SubjectContext@e11d0e{principal=,subject=20623813}
            2008-09-05 10:07:45,421 TRACE [org.jboss.security.SecurityAssociation] getPrincipal, principal=
            2008-09-05 10:07:45,421 TRACE [org.jboss.security.SecurityAssociation] getSubject, sc=org.jboss.security.SecurityAssociation$SubjectContext@e11d0e{principal=,subject=20623813}
            2008-09-05 10:07:45,421 TRACE [org.jboss.security.plugins.JaasSecurityManager.orga-security] doesUserHaveRole(Set), subject: Betreff:
             Principal: username
             Principal: Roles(members:admin,read)
            
            2008-09-05 10:07:45,421 TRACE [org.jboss.security.plugins.JaasSecurityManager.orga-security] roles=Roles(members:admin,read)
            2008-09-05 10:07:45,437 TRACE [org.jboss.security.plugins.JaasSecurityManager.orga-security] hasRole(read)=true
            2008-09-05 10:07:45,437 TRACE [org.jboss.security.plugins.JaasSecurityManager.orga-security] hasRole=true
            2008-09-05 10:07:45,484 TRACE [org.jboss.security.SecurityAssociation] getPrincipal, principal=
             2008-09-05 10:07:45,484 TRACE [org.jboss.security.SecurityAssociation] pushSubjectContext, subject=null, sc=org.jboss.security.SecurityAssociation$SubjectContext@8f11a6{principal=,subject=null}
            2008-09-05 10:07:45,562 DEBUG [org.hibernate.impl.SessionImpl] opened session at timestamp: 4999586060288000


            username = correct principal
            admin, read = correct roles

            I don't understand why at the most entrys, the correct username and roles a listed. I seems that they are commited by the ClientLoginModule. But in the last two trace logs, the principal and the subject are null...

            I still can't use the getCallerPrincipal() method get to work... :(...

            • 3. Re: After Login standalone client  -> getCallerPrincipal on
              Alexander Degenstein Newbie

              ok, i think i have fixed it...
              on the client login module i have used the SecurityAssociationAction (like in tht ClientLoginModule) like this:


              loginPrincipal = new SimplePrincipal("");
              SecurityAssociationActions.setPrincipalInfo(loginPrincipal, loginCredential, subject);


              And than it's clear, that i get a "" for
              getCallerPrincipal().getName()

              Know i use it like this:

              loginPrincipal = new SimplePrincipal(myCorrectPrincipal);
              SecurityAssociationActions.setPrincipalInfo(loginPrincipal, loginCredential, subject);


              and it works :)