7 Replies Latest reply on May 1, 2003 9:18 AM by Adrian Brock

    Authentication Problem

    Nathaniel Auvil Newbie

      I use JMS to kick off a Message Driven Bean for my batch processing. I need to run the bean as the user which created the batch job. This makes the <run-as> useless as I need a specific user to be able to run the process, and users can be added to the system on the fly.

      I tried passing the user name and password through and creating a new InitialContext in the onMessage method of my MDB with those credentials and looking up other EJBs using that InitialContext, but they still ran as 'nobody'.

      Why wouldn't that work? And how can I get a specific user authenticated by the container?

        • 1. Re: Authentication Problem
          Adrian Brock Master

          You need to do a JAAS login

          e.g.

          public void onMessage(Message message)
          {
              ...
              LoginContext context = new LoginContext("client-login", handler);
              context.login();
              try
              {
                  // Do work
              }
              finally
              {
                  context.logout();
              }
              ...
          }

          The handler is just a JAAS callback handler

          e.g. you could use
          org.jboss.security.auth.callback.UsernamePasswordCallbackHandler;

          UsernamePasswordCallbackHandler h = new UsernamePasswordCallbackHandler(user, password.toCharArray());

          You could easily make this an interceptor and add
          it to your MDB.

          NOTE: This does no authentication. It just
          attaches the user and password to the thread.
          Any secured EJBs will authenticate and authorise
          the user/password.

          Regards,
          Adrian
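
Added example, not part of the original posts and not JBoss code: a JDK-only version of the login / work / logout pattern from reply 1, showing that the identity is visible on the thread during the work and gone after the `finally` logout, so a reused container thread does not carry it into the next message. `ThreadLoginDemo`, `BindOnlyModule`, `CALLER`, `CONFIG` and `process` are hypothetical names; the module is a stand-in that, like the login described in the note above, verifies nothing and only binds the user to the thread.

```java
import java.util.*;
import javax.security.auth.Subject;
import javax.security.auth.callback.*;
import javax.security.auth.login.*;
import javax.security.auth.spi.LoginModule;

public class ThreadLoginDemo {
    // Hypothetical stand-in for the container's per-thread caller identity.
    static final ThreadLocal<String> CALLER = new ThreadLocal<>();
    // Hypothetical module: collects user and password, checks nothing, binds the user.
    public static class BindOnlyModule implements LoginModule {
        private CallbackHandler handler;
        public void initialize(Subject s, CallbackHandler h, Map<String, ?> a, Map<String, ?> b) { handler = h; }
        public boolean login() throws LoginException {
            NameCallback name = new NameCallback("user");
            PasswordCallback pw = new PasswordCallback("password", false);
            try { handler.handle(new Callback[] { name, pw }); }
            catch (Exception e) { throw new LoginException(e.toString()); }
            pw.clearPassword();            // collected but never verified here
            CALLER.set(name.getName());    // bind the identity to the current thread
            return true;
        }
        public boolean commit() { return true; }
        public boolean abort()  { CALLER.remove(); return true; }
        public boolean logout() { CALLER.remove(); return true; }
    }
    // In-code JAAS configuration so the example needs no login config file.
    static final Configuration CONFIG = new Configuration() {
        public AppConfigurationEntry[] getAppConfigurationEntry(String app) {
            return new AppConfigurationEntry[] { new AppConfigurationEntry(BindOnlyModule.class.getName(),
                AppConfigurationEntry.LoginModuleControlFlag.REQUIRED, new HashMap<String, Object>()) };
        }
    };
    // Shape of onMessage: login, do the work, always logout.
    static String process(String user, char[] password) throws LoginException {
        CallbackHandler h = cbs -> {
            for (Callback c : cbs) {
                if (c instanceof NameCallback) ((NameCallback) c).setName(user);
                else if (c instanceof PasswordCallback) ((PasswordCallback) c).setPassword(password);
                else throw new UnsupportedCallbackException(c);
            }
        };
        LoginContext ctx = new LoginContext("client-login", null, h, CONFIG);
        ctx.login();
        try { return CALLER.get(); } finally { ctx.logout(); }  // value a called bean would see
    }
    public static void main(String[] args) throws Exception {
        // Constructed sample credentials; prints the caller during the work, then after logout.
        System.out.println(process("alice", "constructed-pw".toCharArray()) + " / " + CALLER.get());
    }
}
```
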

          • 2. Re: Authentication Problem
            Nathaniel Auvil Newbie

            Thanks for the reply. I tried that under JBoss 2.4.4 and it does not work. I see our LoginModule get invoked, but a call to getCallerPrincipal in the EJB returns 'nobody'.

            We can't use a newer JBoss because of how slowly they compile JSPs on the fly.

            • 3. Re: Authentication Problem
              Adrian Brock Master

              AFAIK "client-login" wasn't configured on 2.4.4

              You can do the same thing as the JAAS login
              by using the SecurityAssociation class directly
              (this should help you to debug the JAAS config)

              Login:
              SecurityAssociation.setPrincipal(new SimplePrincipal(user));
              SecurityAssociation.setCredential(password);

              Logout:
              SecurityAssociation.clear();


              WEB-STUFF: I'm no expert but...
              Check out 3.2, it has Jasper2 which is supposed
              to be a lot faster.

              Have you tried unpacked war deployments?
              With this method you only have to recompile
              the changed JSPs as you change them, not the
              whole application.

              Regards,
              Adrian

              • 4. Re: Authentication Problem
                Nathaniel Auvil Newbie

                'client-login' is in 2.4.4 and it appears to work. I was using my custom LoginModule name before.

                What is the difference though? Do subsequent calls use my custom LoginModule to authenticate that user name and password assigned to the Thread by client-login?

                • 5. Re: Authentication Problem
                  Adrian Brock Master

                  If your custom login module is on the called EJBs
                  then yes it will check the principal/credential
                  assigned to the thread by the "client-login".

                  Regards,
                  Adrian

                  • 6. Re: Authentication Problem
                    Nathaniel Auvil Newbie

                    Thanks for your replies, Adrian.

                    What is special about 'client-login'? Shouldn't a call to what I have configured in 'my-login' work the same way?

                    Well, now I am going to have to get this to work in Weblogic which is going to take some time due to all their 'value-add' garbage.

                    Thanks again.

                    • 7. Re: Authentication Problem
                      Adrian Brock Master

                      The user and credential in the JNDI context
                      are only used during the lookup.

                      Regards,
                      Adrian