[jboss-user] [Security & JAAS/JBoss] - Re: Can't get access right from Java Client

jaikiran do-not-reply at jboss.com
Mon Oct 16 08:41:21 EDT 2006


Thank you for being patient.

  StandaloneClient               SecurityInterceptorOnServer          SecureResource
        |                                   |                               |
        | 1) doJAASlogin()                  |                               |
        |                                   |                               |
        | 2) invokeSecureResource()         |                               |
        |---------------------------------->|                               |
        |                                   |                               |
        |                                   | 3) doJAASloginOnServer()      |
        |                                   |                               |
        |                                   | 4) if valid/authorized,       |
        |                                   |    let access                 |
        |                                   |------------------------------>|
        |                                   |                               |


The diagram above is just a simplified view of the entities involved, please do not go by the names.

Let's assume the following:
-------------------------
1) Only user (let's talk in terms of users instead of roles, for simplicity) "abc123" is allowed to access the secure resource.
2) You are using ClientLoginModule at the standalone client programmatically and UsersRolesLoginModule at the server (specified in jboss.xml) for securing the resource.


Here's the flow of what happens:

- The StandaloneClient invokes the doJAASlogin method using username "xyz" (invalid user), which uses ClientLoginModule to *populate the security info*.
- The doJAASlogin internally invokes the LoginContext's login method, and this call to login succeeds even though the user is invalid. This is because you are using ClientLoginModule, which does no authentication.
- After login, the StandaloneClient tries to access a secure resource on the server. It passes the security info which was created using the ClientLoginModule. This security info includes the username "xyz" (invalid user).
- At this point the security interceptor (or whatever you call this entity) on the server comes into the picture, since the resource is a secure one.
- The SecurityInterceptorOnServer will look at the jboss.xml to check the security domain to be used for authenticating the user request. In our case we have mentioned it as UsersRolesLoginModule (in our assumption #2).
- The SecurityInterceptorOnServer internally kicks off the authentication of the user request, passing it the security info which was passed on by the StandaloneClient (this info includes the invalid username).
- During this process the UsersRolesLoginModule's login method is invoked. The UsersRolesLoginModule uses the username "xyz" and tries to login. But since this is not a valid user (remember, as per assumption #1, the valid username is "abc123"), the login fails and a SecurityException is thrown.
- Hence, access to the secure resource fails at this point.

This is how the flow works while accessing a secure resource.

I have tried my best to explain the flow to you. However, if you still have doubts about this, do let us know. Someone, if not me, will be able to help you out.



View the original post : http://www.jboss.com/index.html?module=bb&op=viewtopic&p=3978507#3978507

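The two login stages described in the post above, as an added standalone Java example (not code from the original post or from JBoss itself). It drives both stages in one process so the asymmetry is visible: a LoginContext backed by ClientLoginModule accepts any username, and the same principal/credential is then handed to a LoginContext backed by UsersRolesLoginModule, which is what the server-side security domain actually checks. It assumes JBoss 4.x client classes (jbossall-client.jar) on the classpath, plus a users.properties containing the line `abc123=secret` and a roles.properties with an entry for abc123, both on the classpath under their default names. The application names `client-login` and `server-domain`, the password `secret`, and the method names doJAASlogin/doJAASloginOnServer are taken from the diagram and are hypothetical.

```java
import java.util.HashMap;
import java.util.Map;

import javax.security.auth.login.AppConfigurationEntry;
import javax.security.auth.login.AppConfigurationEntry.LoginModuleControlFlag;
import javax.security.auth.login.Configuration;
import javax.security.auth.login.LoginContext;
import javax.security.auth.login.LoginException;

import org.jboss.security.SecurityAssociation;
import org.jboss.security.auth.callback.UsernamePasswordHandler;

public class JaasFlowDemo {

    /**
     * Programmatic equivalent of an auth.conf with two entries (names are hypothetical):
     *   client-login  -> ClientLoginModule: stores caller info, authenticates nothing
     *   server-domain -> UsersRolesLoginModule: checks users.properties / roles.properties
     */
    static class DemoConfiguration extends Configuration {
        public AppConfigurationEntry[] getAppConfigurationEntry(String name) {
            Map<String, String> options = new HashMap<String, String>();
            if ("client-login".equals(name)) {
                return new AppConfigurationEntry[] { new AppConfigurationEntry(
                        "org.jboss.security.ClientLoginModule",
                        LoginModuleControlFlag.REQUIRED, options) };
            }
            if ("server-domain".equals(name)) {
                return new AppConfigurationEntry[] { new AppConfigurationEntry(
                        "org.jboss.security.auth.spi.UsersRolesLoginModule",
                        LoginModuleControlFlag.REQUIRED, options) };
            }
            return null;
        }

        public void refresh() {
        }
    }

    /** Step 1 from the diagram: the standalone client's login. Succeeds for any user. */
    static LoginContext doJAASlogin(String user, String password) throws LoginException {
        LoginContext lc = new LoginContext("client-login",
                new UsernamePasswordHandler(user, password.toCharArray()));
        lc.login(); // ClientLoginModule only records user/credential in SecurityAssociation
        return lc;
    }

    /**
     * Steps 3 and 4: what the server's security domain does with the principal and
     * credential that travelled with the invocation. Returns true only if
     * UsersRolesLoginModule accepts the user.
     */
    static boolean doJAASloginOnServer(String user, Object credential) {
        try {
            LoginContext lc = new LoginContext("server-domain",
                    new UsernamePasswordHandler(user, credential));
            lc.login();
            lc.logout();
            return true;
        } catch (LoginException e) {
            // Unknown user or wrong password: "xyz" ends up here even though
            // the client-side login above reported success.
            return false;
        }
    }

    public static void main(String[] args) throws Exception {
        Configuration.setConfiguration(new DemoConfiguration());

        // Constructed sample: one valid user (per assumption #1) and one invalid user.
        for (String user : new String[] { "abc123", "xyz" }) {
            LoginContext client = doJAASlogin(user, "secret");

            // Step 2: the "security info" the client ships with the call is whatever
            // ClientLoginModule stored; nothing has been verified yet.
            String sentUser = SecurityAssociation.getPrincipal().getName();
            Object sentCredential = SecurityAssociation.getCredential();

            boolean allowed = doJAASloginOnServer(sentUser, sentCredential);
            System.out.println(user + ": client login ok, server accepts=" + allowed);

            client.logout(); // clears SecurityAssociation for the next iteration
        }
    }
}
```

Run it with the JBoss client jar and the two properties files on the classpath; the client-side login never throws, and only the iteration for abc123 prints `server accepts=true`. The point to keep in mind when debugging the original problem is that a successful `LoginContext.login()` at the client says nothing about authorization; the decision is made by the login module configured for the security domain in jboss.xml.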


