[jboss-user] [JCA/JBoss] - Passing current user identity to the back-end database
sztank
do-not-reply at jboss.com
Thu Jul 12 14:02:28 EDT 2007
Hi,
I'm developing an application with the following requirement:
All users have a database accounts and the application level authorization should be used also with the database. So I need to pass through the current user identity to the back-end database.
I'm using Jboss as 4.0.5 and Jboss Seam 1.2.1. The project I start with is generated with seam-gen utility. I get some directions on the Seam forum that this should be possible with proper configuration of the JCA datasource.
According to the informations I founded on wiki and docs I trying to use CallerIdentityLoginModule in the following way:
I added policy to the login-config.xml file
| <application-policy name = "testdbRealm">
| <authentication>
| <login-module code = "org.jboss.resource.security.CallerIdentityLoginModule" flag = "required">
| <module-option name = "userName">dumy</module-option>
| <module-option name = "password">dumy_pwd</module-option>
| <module-option name = "managedConnectionFactoryName">jboss.jca:service=LocalTxCM,name=dbtestDatasource</module-option>
| </login-module>
| </authentication>
| </application-policy>
|
datasource config file dbtest-ds.xml:
| <datasources>
| <local-tx-datasource>
| <jndi-name>dbtestDatasource</jndi-name>
| <connection-url>jdbc:postgresql:dbtest</connection-url>
| <driver-class>org.postgresql.Driver</driver-class>
| <security-domain>testdbRealm</security-domain>
| </local-tx-datasource>
| </datasources>
|
web.xml file:
| <security-constraint>
| <display-name>Restrict raw XHTML Documents</display-name>
| <web-resource-collection>
| <web-resource-name>XHTML</web-resource-name>
| <url-pattern>*.xhtml</url-pattern>
| <http-method>GET</http-method>
| <http-method>POST</http-method>
| </web-resource-collection>
| <auth-constraint>
| <role-name>admin</role-name>
| </auth-constraint>
| </security-constraint>
| <login-config>
| <auth-method>BASIC</auth-method>
| <realm-name>testdbRealm</realm-name>
| </login-config>
| <security-role>
| <role-name>admin</role-name>
| </security-role>
|
And according to the Seam doc I set the jaas-config-name property in the components.xml file:
| <security:identity authenticate-method="#{authenticator.authenticate}"
| jaas-config-name="testdbRealm"/>
|
Now I have the following behavior:
The application deploys and works, the *.xhtml pages are displayed but application is not asking for authorization. The database connection is set with the default user and pwd provided in the login-config.xml file (dumy, dumy_pwd).
When I try to remove the default user and pwd from the login-config.xml file:
| <application-policy name = "testdbRealm">
| <authentication>
| <login-module code = "org.jboss.resource.security.CallerIdentityLoginModule" flag = "required">
| <module-option name = "managedConnectionFactoryName">jboss.jca:service=LocalTxCM,name=dbtestDatasource</module-option>
| </login-module>
| </authentication>
| </application-policy>
|
then I have errors during deployment because the database connection can't be created (I'm not sure why - think that hibernate try to open the database during the deployment to do its mapping job). I see in server logs that CallerIdentityLoginModule is used.
I stick on this problem and don't know how finish seting up things to enforce the behavior I write about on the beginning. Do I have to call CallerIdentityLoginModule directly from my application?
I'm trying to resolve this issue for quite a long time. I'm not the JBoss and J2EE specialist (yet) (I'm the one who believed that building application's with JBoss + Seam combo is simple and trying to follow) so I appreciate any help and explanations how this mechanism works very much.
Best Regards
View the original post : http://www.jboss.com/index.html?module=bb&op=viewtopic&p=4063654#4063654
Reply to the post : http://www.jboss.com/index.html?module=bb&op=posting&mode=reply&p=4063654
More information about the jboss-user
mailing list