3 Replies Latest reply on Sep 5, 2008 6:49 AM by nofreak

After Login standalone client -> getCallerPrincipal on JBos

nofreak Sep 4, 2008 2:48 PM

Hi all,
i have wrote a client side LoginModule which aquires a Kerberos Service Ticket and than "send it" to JBoss. This works with the SecurtiyAssociationActions (i have copied the class to the client...i know, its not very good...), the same way like the ClientLoginModule do this:

SecurityAssociationActions.setPrincipalInfo(loginPrincipal, loginCredential, subject);

the loginCredential contains the kerberos Service Ticket. This is done by the KerberosClientLoginModule class.

Then, on the servcer side i use the Service Ticket to authenticate the user (with win2k3 server exchange and Java GSS-API functions). This is done by the KerberosJBossLoginModule. It works fine. After thats done I use the IdentityRoleMappingLoginModule to obtain the roles from my database with help of the username. only the name of the user (the database don't contains information about the service ticket, but except for the username) is used for this.It works fine to. This Modlue depends on the DatabaseLoginModule and do following with the obtained (correct) username:

sharedState.put("javax.security.auth.login.name",identity);

But then i want to use the sessionContext.getCallerPrincipal in the ejb and i get an empty String. Furthermore is use the ClientLoginModule and third loginModule like following:

<application-policy name="orga-security">
 <authentication>
 <login-module code="com.mgsoftech.orga.security.KerberosJBossLoginModule" flag="requisite">
 <module-option name="storeKey">true</module-option>
 <module-option name="isInitiator">false</module-option>
 <module-option name="krbRealm">myDomain</module-option>
 <module-option name="name">JBossUserName</module-option>
 <module-option name="password">JBossPW</module-option>
 <module-option name="kdcAddress">ipAddres</module-option>
 <module-option name="debug">true</module-option>
 </login-module>
 <login-module code="com.mgsoftech.orga.security.IdentityRoleMappingLoginModule"
 flag="required">
 <module-option name="password-stacking">
 useFirstPass
 </module-option>
 <module-option name="dsJndiName">
 workingDBName
 </module-option>
 <module-option name="rolesQuery"> workingRolesQuery
 </module-option>
 </login-module>
 <login-module code="org.jboss.security.ClientLoginModule" flag="required">
 <module-option name="password-stacking">
 useFirstPass
 </module-option>
 <module-option name="multi-threaded">
 true
 </module-option>
 </login-module>
 </authentication>
</application-policy>

but sessionContext.getCallerPrincipal don't work, although i use the clientLoginModule...:(
do anybody know what i could do wrong?

1. Re: After Login standalone client -> getCallerPrincipal on

nofreak Sep 4, 2008 3:08 PM (in response to nofreak)

an additional trace which makes me a little bit confused:

2008-09-04 20:25:38,531 TRACE [org.jboss.security.plugins.JaasSecurityManager.mySecurityDomain] Begin isValid, principal:, cache info: org.jboss.security.plugins.JaasSecurityManager$DomainInfo@18d0ff8[Subject(33216582).principals=org.jboss.security.SimplePrincipal@1809155(correctPrincipal)org.jboss.security.SimpleGroup@6901622(Roles(correctRoles)),credential.class=java.lang.String@22591049,expirationTime=1220552959218]

2. Re: After Login standalone client -> getCallerPrincipal on

nofreak Sep 5, 2008 4:28 AM (in response to nofreak)

Here are more Traces which makes me confused:

2008-09-05 10:07:44,984 TRACE [org.jboss.security.ClientLoginModule] Security domain: orga-security
2008-09-05 10:07:44,984 TRACE [org.jboss.security.ClientLoginModule] Enabling multi-threaded mode
2008-09-05 10:07:44,984 TRACE [org.jboss.security.ClientLoginModule] Enabling restore-login-identity mode
2008-09-05 10:07:44,984 TRACE [org.jboss.security.ClientLoginModule] Enabling useFirstPass mode
2008-09-05 10:07:44,984 TRACE [org.jboss.security.ClientLoginModule] Begin login
2008-09-05 10:07:45,406 TRACE [org.jboss.security.ClientLoginModule] commit, subject=Betreff:
 Principal: username
 Principal: Roles(members:admin,read)

2008-09-05 10:07:45,421 TRACE [org.jboss.security.SecurityAssociation] pushSubjectContext, subject=Betreff:
 Principal: username
 Principal: Roles(members:admin,read)
, sc=org.jboss.security.SecurityAssociation$SubjectContext@ee6ba6{principal=username,subject=14519264}
2008-09-05 10:07:45,421 TRACE [org.jboss.security.plugins.JaasSecurityManager.orga-security] defaultLogin, lc=javax.security.auth.login.LoginContext@10a3f5e, subject=Subject(14519264).principals=org.jboss.security.SimplePrincipal@30812805(username)org.jboss.security.SimpleGroup@6401464(Roles(members:admin,read))
2008-09-05 10:07:45,421 TRACE [org.jboss.security.plugins.JaasSecurityManager.orga-security] updateCache, inputSubject=Subject(14519264).principals=org.jboss.security.SimplePrincipal@30812805(username)org.jboss.security.SimpleGroup@6401464(Roles(members:admin,read)), cacheSubject=Subject(29775540).principals=org.jboss.security.SimplePrincipal@30812805(username)org.jboss.security.SimpleGroup@6401464(Roles(members:admin,read))
2008-09-05 10:07:45,421 TRACE [org.jboss.security.plugins.JaasSecurityManager.orga-security] Inserted cache info: org.jboss.security.plugins.JaasSecurityManager$DomainInfo@666f6a[Subject(29775540).principals=org.jboss.security.SimplePrincipal@30812805(username)org.jboss.security.SimpleGroup@6401464(Roles(members:admin,read)),credential.class=java.lang.String@22591049,expirationTime=1220603840125]
 2008-09-05 10:07:45,421 TRACE [org.jboss.security.plugins.JaasSecurityManager.orga-security] End isValid, true
2008-09-05 10:07:45,421 TRACE [org.jboss.security.SecurityAssociation] pushSubjectContext, subject=Betreff:
 Principal: username
 Principal: Roles(members:admin,read)
, sc=org.jboss.security.SecurityAssociation$SubjectContext@e11d0e{principal=,subject=20623813}
2008-09-05 10:07:45,421 TRACE [org.jboss.security.SecurityAssociation] getPrincipal, principal=
2008-09-05 10:07:45,421 TRACE [org.jboss.security.SecurityAssociation] getSubject, sc=org.jboss.security.SecurityAssociation$SubjectContext@e11d0e{principal=,subject=20623813}
2008-09-05 10:07:45,421 TRACE [org.jboss.security.plugins.JaasSecurityManager.orga-security] doesUserHaveRole(Set), subject: Betreff:
 Principal: username
 Principal: Roles(members:admin,read)

2008-09-05 10:07:45,421 TRACE [org.jboss.security.plugins.JaasSecurityManager.orga-security] roles=Roles(members:admin,read)
2008-09-05 10:07:45,437 TRACE [org.jboss.security.plugins.JaasSecurityManager.orga-security] hasRole(read)=true
2008-09-05 10:07:45,437 TRACE [org.jboss.security.plugins.JaasSecurityManager.orga-security] hasRole=true
2008-09-05 10:07:45,484 TRACE [org.jboss.security.SecurityAssociation] getPrincipal, principal=
 2008-09-05 10:07:45,484 TRACE [org.jboss.security.SecurityAssociation] pushSubjectContext, subject=null, sc=org.jboss.security.SecurityAssociation$SubjectContext@8f11a6{principal=,subject=null}
2008-09-05 10:07:45,562 DEBUG [org.hibernate.impl.SessionImpl] opened session at timestamp: 4999586060288000

username = correct principal
admin, read = correct roles

I don't understand why at the most entrys, the correct username and roles a listed. I seems that they are commited by the ClientLoginModule. But in the last two trace logs, the principal and the subject are null...

I still can't use the getCallerPrincipal() method get to work... :(...

3. Re: After Login standalone client -> getCallerPrincipal on

nofreak Sep 5, 2008 6:49 AM (in response to nofreak)
ok, i think i have fixed it...
on the client login module i have used the SecurityAssociationAction (like in tht ClientLoginModule) like this:

loginPrincipal = new SimplePrincipal(""); SecurityAssociationActions.setPrincipalInfo(loginPrincipal, loginCredential, subject);

And than it's clear, that i get a "" for
getCallerPrincipal().getName()

Know i use it like this:

loginPrincipal = new SimplePrincipal(myCorrectPrincipal); SecurityAssociationActions.setPrincipalInfo(loginPrincipal, loginCredential, subject);

and it works :)
Actions

Go to original post