2 Replies Latest reply on Nov 4, 2008 9:21 AM by Christian Roth

    @SecurityDomain, Principal resolution

    Christian Roth Newbie

      I have configured a security domain using the @SecurityDomain("esvRealm") annotation on a bean; in the login-config.xml file I have added an app policy with the same name:

      <application-policy name="esvRealm">
        <authentication>
          <login-module code="org.jboss.security.auth.spi.UsersRolesLoginModule" flag="required">
            <module-option name="usersProperties">esv-users.properties</module-option>
            <module-option name="rolesProperties">esv-roles.properties</module-option>
            <module-option name="unauthenticatedIdentity">esv_anonymous</module-option>
            <module-option name="restore-login-identity">true</module-option>
          </login-module>
        </authentication>
      </application-policy>


      When I make remote calls to the bean, the principal cannot be extracted from the EJB context; the principal name is always set to esv_anonymous as defined in the policy (which shows me that the policy somehow is recognized but cannot resolve the user...). In the (standalone remote Java) client I'm setting the following properties:

      Properties env = new Properties();
      env.setProperty( Context.INITIAL_CONTEXT_FACTORY, "org.jboss.security.jndi.JndiLoginInitialContextFactory" );
      // note: Properties.setProperty() overwrites the same key, so this line replaces the factory set just above
      env.setProperty( Context.INITIAL_CONTEXT_FACTORY, "org.jnp.interfaces.NamingContextFactory" );
      env.setProperty( Context.PROVIDER_URL, "jnp://localhost:1099/" );
      env.setProperty( Context.SECURITY_AUTHENTICATION, "simple" );
      env.setProperty( Context.SECURITY_PRINCIPAL, user );
      env.setProperty( Context.SECURITY_CREDENTIALS, password );
      InitialContext ctx = new InitialContext( env );

      Any help is appreciated :-)
      Regards, Christian

        • 1. Re: @SecurityDomain, Principal resolution
          Wolfgang Knauf Master

          Hi Christian,

          Try to enable logging for the security layer; maybe there is some internal error about the properties file not being retrieved:
          (question 4)

          Up to now, I have never used a "JndiLoginInitialContextFactory", but a "NamingContextFactory" and an explicit programmatic login. According to the doc at http://www.jboss.org/community/docs/DOC-11206, "This is useful in context where a JAAS login is not desired", so it sounds like it does not work in your case.

          My client code looks like this:

          import java.util.Properties;
          import javax.naming.Context;
          import javax.naming.InitialContext;
          import javax.security.auth.login.LoginContext;

          Properties props = new Properties();
          props.setProperty(Context.INITIAL_CONTEXT_FACTORY, "org.jnp.interfaces.NamingContextFactory");
          props.setProperty(Context.URL_PKG_PREFIXES, "org.jboss.naming.client");
          props.setProperty(Context.PROVIDER_URL, "jnp://localhost:1099");
          props.setProperty("j2ee.clientName", ...);
          InitialContext initialContext = new InitialContext(props);
          // AppCallbackHandler is the poster's own CallbackHandler that answers NameCallback/PasswordCallback
          AppCallbackHandler callbackHandler = new AppCallbackHandler(user, password.toCharArray());
          // "logincontextname" must match the entry name in auth.conf
          LoginContext loginContext = new LoginContext("logincontextname", callbackHandler);
          loginContext.login(); // stores the identity that the following EJB invocations carry

          For this to work, I have to add a file "auth.conf" to my project (in "META-INF" of the app client). The first line is also the parameter to "LoginContext":
          logincontextname {
            // JBoss LoginModule
            org.jboss.security.ClientLoginModule required;
          };

          Hope this helps

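As an added example that is not part of Wolfgang's post or the JBoss docs, here is a complete standalone client for the programmatic login described above, including the callback handler that the post leaves out; the EsvRemote interface, its whoAmI() method, the JNDI name "EsvBean/remote" and the esv_user/esv_pass credentials are assumptions.

```java
// Added example (not from the thread): full client for the programmatic login above.
// Assumed: EsvRemote interface with whoAmI(), JNDI name "EsvBean/remote", esv_user/esv_pass.
import java.io.IOException;
import java.util.Properties;
import javax.naming.Context;
import javax.naming.InitialContext;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.NameCallback;
import javax.security.auth.callback.PasswordCallback;
import javax.security.auth.callback.UnsupportedCallbackException;
import javax.security.auth.login.LoginContext;

public class EsvClient {
    // Answers the callbacks ClientLoginModule issues (plays the role of AppCallbackHandler).
    static class SimpleCallbackHandler implements CallbackHandler {
        private final String user;
        private final char[] password;
        SimpleCallbackHandler(String user, char[] password) { this.user = user; this.password = password; }
        public void handle(Callback[] callbacks) throws IOException, UnsupportedCallbackException {
            for (Callback cb : callbacks) {
                if (cb instanceof NameCallback) ((NameCallback) cb).setName(user);
                else if (cb instanceof PasswordCallback) ((PasswordCallback) cb).setPassword(password);
                else throw new UnsupportedCallbackException(cb);
            }
        }
    }
    public static void main(String[] args) throws Exception {
        // Points JAAS at the auth.conf holding the "logincontextname" entry (or pass it with -D).
        System.setProperty("java.security.auth.login.config", "auth.conf");
        Properties props = new Properties();
        props.setProperty(Context.INITIAL_CONTEXT_FACTORY, "org.jnp.interfaces.NamingContextFactory");
        props.setProperty(Context.URL_PKG_PREFIXES, "org.jboss.naming.client");
        props.setProperty(Context.PROVIDER_URL, "jnp://localhost:1099");
        InitialContext ic = new InitialContext(props);
        char[] password = "esv_pass".toCharArray();
        // ClientLoginModule verifies nothing: it only attaches the name/password to outgoing
        // invocations. The server's UsersRolesLoginModule in esvRealm does the real check per call.
        LoginContext lc = new LoginContext("logincontextname", new SimpleCallbackHandler("esv_user", password));
        lc.login();
        try {
            EsvRemote bean = (EsvRemote) ic.lookup("EsvBean/remote");
            System.out.println("caller principal: " + bean.whoAmI()); // esv_user rather than esv_anonymous
        } finally {
            lc.logout();              // drop the stashed identity once the calls are done
            java.util.Arrays.fill(password, '\0');
        }
    }
}
```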

          • 2. Re: @SecurityDomain, Principal resolution
            Christian Roth Newbie

            Thanks - works perfectly :-)
            Regards, Christian