6 Replies Latest reply on Oct 2, 2002 8:26 PM by Randahl Fink Isaksen

    How to log in from an MBean

    Randahl Fink Isaksen Novice

      Short version of this post: Please tell me how to log in from an MBean so I can get access to my secured EJBs.

      Longer version of this post:

      Since I would like to access my secured EJBs, I need to log in. So I have carried out a typical Jaas client login from within my MBean like this:

      LoginContext loginContext = new LoginContext(
      "myDomain",
      new ServerCallbackHandler("TestUser", new char[]{'1', '2', '3', '4'})
      );
      loginContext.login();

      This login has no effect, however, because I still get an EJBException when trying to access my EJBs.

      I find this strange, because I am certain that this code gets access to the "myDomain". I have no "other" domain specified and according to docs Jaas would then throw a LoginException if it could not find "myDomain". I also know that the credentials work for "myDoman" because I use those credentials from a Swing client which is capable of logging in and accessing the EJBs.

      The only problem I can think of is the fact that my Swing client is capable of logging in because I put a .java.login.config in my user dir. In my code, I guess I expect my MBean to be using that .java.login.config - there is no other (I have not deployed any similar settings along with my MBean)

      1. Has anyone got a clue why this does not work?
      2. Are there any alternative methods of logging in from an MBean? - Like calling some JBoss object directly instead of using JAAS, or some other way?


      Any help will be highly appreciated.

      Thanks
      Randahl

        • 1. Re: How to log in from an MBean
          Adrian Brock Master

          Are you sure you're login is on the same thread
          as the ejb access?

          For easier access look at org.jboss.security.SecurityAssociation it has
          a ThreadLocal for the security information.
          Yor Swing client probably uses the JVM wide
          configuration of this class.

          Depending on how the MBean is invoked, you might
          want to save the previous information and restore it
          after the EJB invocation?

          Regards,
          Adrian

          • 2. Re: How to log in from an MBean
            Randahl Fink Isaksen Novice

            Thanks, Adrian.

            I am absolutely sure I am logging in from the same thread as where I am accessing the EJBs from. From my MBean I have started 1 thread which does both the logging in and the EJB access (as this is premature code all of this even happens in the same method, the run() method).

            I will look into the Class you are mentioning.

            Thanks
            Randahl

            • 3. Re: How to log in from an MBean
              Randahl Fink Isaksen Novice

              A call to SecurityAssociation.getPrincipal() returns null both before and after the login… any ideas?


              Randahl

              • 4. Re: How to log in from an MBean
                Randahl Fink Isaksen Novice

                Problem solved! As written in earlier posts I tried to use my own JAAS login module configuration "myDomain" for the MBean login. This is NOT in accordance with page 276 of the JBossBook_30x (see below... "the only supported mechanism").

                Solution: I simply switched from "myDomain" to "client-login" when creating my LoginContext.

                However, I am curious why my original solution is not allowed by JBoss? is that a bug or a feature? - I must admit that the JBoss way works, so no problem there... still, why cannot I use my own login module configuration which carries out _real_ authentication rather than just setting the Principal (as the client-login module configuration does).

                Randahl




                Extract from JBossBook_30x:

                The ClientLoginModule is an implementation of LoginModule for use by JBoss clients for the estab-lishment of the caller identity and credentials. This simply sets the org.jboss.security.SecurityAssoci-ation.principal to the value of the NameCallback filled in by the CallbackHandler, and the org.jboss.security.SecurityAssociation.credential to the value of the PasswordCallback filled in by the CallbackHandler. This is the only supported mechanism for a client to establish the current thread's caller.

                • 5. Re: How to log in from an MBean
                  Adrian Brock Master

                  The ClientLoginModule does NO Authentication.
                  It is a device to associate the thread with the security
                  information.
                  The Authentication is done during the ejb invocation
                  using information established by the ClientLoginModule.

                  You can configure your own policy in login-config.xml
                  that has multiple login modules. This would allow you
                  to do real authentication up-front in the MBean.
                  Just make sure the ClientLoginModule is at the end of the
                  chain so that the thread is associated with the
                  principal/credential for later re-authentication by the
                  EJB.

                  Regards,
                  Adrian

                  • 6. Re: How to log in from an MBean
                    Randahl Fink Isaksen Novice

                    Thanks, Adrain. That is a really good idea - I will do that. I really would prefer having a full up front authentication rather than just setting the credentials - it is often better to choose fail-fast solutions.

                    However, instead of chaining modules, I guess I could just do the credential propagation and then invoke an EJB method to provoke authentication failure.

                    I need to try out these options.

                    Thanks again!

                    Randahl