[jboss-user] [Security & JAAS/JBoss] - Re: Programmatic Authentication in JBoss?

knignick do-not-reply at jboss.com
Wed Mar 14 11:09:45 EDT 2007


Hi, gurus.
My question is about authentication data propagation from servlet to EJB.
We use one security domain for our application based on custom LoginModule.
The only security config in our web.xml is

    <security-constraint>
      <web-resource-collection>
         <web-resource-name>
            The Protected Calculator
         </web-resource-name>
         <url-pattern>*.jsf</url-pattern>
      </web-resource-collection>

      <user-data-constraint>
         <transport-guarantee>NONE</transport-guarantee>
      </user-data-constraint>
   </security-constraint>

It seemed it doesn't matter because we don't use any Tomcat-provided ways of servlet authentication (because our login logic is more complex).
So in one JSF action method I interact with LoginContext directly:

    public String login() {
        String outcome = Constants.FAILED;
        try {
            // Custom callback handler feeding our own LoginModule (name, password, account id)
            IdmCallbackHandler callbackHandler = new IdmCallbackHandler(getLoginName(), getPassword(), getAccountId());
            loginContext = new LoginContext(AuthenticationBean.SECURITY_REALM, callbackHandler);
            loginContext.login();
            Subject subject = loginContext.getSubject();
            getFacesContext().getExternalContext().getSessionMap().put(Constants.SUBJECT_SESSION_KEY, subject);

            for (Principal p : subject.getPrincipals()) {
                if (p instanceof IdmPrincipal) {
                    // This constructor ends up calling the local session bean (see trace below)
                    setCurrentUserAccount(new UserAccount(((IdmPrincipal) p).getAccount()));
                    break;
                }
            }
            // ... remainder of the method was cut off in the original post ...
        } catch (LoginException e) {
            log.error("Exception: ", e);
        }
        return outcome;
    }

login() passes successfully and the subject is valid.
The problem occurs inside setCurrentUserAccount() when a local stateless session bean method (marked with @PermitAll) is called:
18:05:21,943 ERROR [AuthenticationBean] Exception: 
javax.ejb.EJBAccessException: Authentication failure
	at org.jboss.ejb3.security.Ejb3AuthenticationInterceptor.handleGeneralSecurityException(Ejb3AuthenticationInterceptor.java:70)
	at org.jboss.aspects.security.AuthenticationInterceptor.invoke(AuthenticationInterceptor.java:70)
	at org.jboss.ejb3.security.Ejb3AuthenticationInterceptor.invoke(Ejb3AuthenticationInterceptor.java:102)
	at org.jboss.aop.joinpoint.MethodInvocation.invokeNext(MethodInvocation.java:101)
	at org.jboss.ejb3.ENCPropagationInterceptor.invoke(ENCPropagationInterceptor.java:47)
	at org.jboss.aop.joinpoint.MethodInvocation.invokeNext(MethodInvocation.java:101)
	at org.jboss.ejb3.asynchronous.AsynchronousInterceptor.invoke(AsynchronousInterceptor.java:106)
	at org.jboss.aop.joinpoint.MethodInvocation.invokeNext(MethodInvocation.java:101)
	at org.jboss.ejb3.stateless.StatelessContainer.localInvoke(StatelessContainer.java:211)
	at org.jboss.ejb3.stateless.StatelessLocalProxy.invoke(StatelessLocalProxy.java:79)
	at $Proxy4155.getPermissions(Unknown Source)
	at com.image.idm.jsf.beans.UserAccount.loadPermissions(UserAccount.java:51)
	at com.image.idm.jsf.beans.UserAccount.setAccount(UserAccount.java:47)
	at com.image.idm.jsf.beans.UserAccount.<init>(UserAccount.java:36)
	at com.image.idm.jsf.beans.AuthenticationBean.login(AuthenticationBean.java:140)
	at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
	at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
	at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
	at java.lang.reflect.Method.invoke(Method.java:585)
	at com.sun.el.parser.AstValue.invoke(AstValue.java:151)
	at com.sun.el.MethodExpressionImpl.invoke(MethodExpressionImpl.java:283)
	at com.sun.facelets.el.TagMethodExpression.invoke(TagMethodExpression.java:68)
	at com.sun.facelets.el.LegacyMethodBinding.invoke(LegacyMethodBinding.java:69)
	at org.apache.myfaces.application.ActionListenerImpl.processAction(ActionListenerImpl.java:63)
	at javax.faces.component.UICommand.broadcast(UICommand.java:106)
	at org.ajax4jsf.framework.ajax.AjaxViewRoot.processEvents(AjaxViewRoot.java:281)
	at org.ajax4jsf.framework.ajax.AjaxViewRoot.broadcastEvents(AjaxViewRoot.java:257)
	at org.ajax4jsf.framework.ajax.AjaxViewRoot.processApplication(AjaxViewRoot.java:412)
	at org.apache.myfaces.lifecycle.LifecycleImpl.invokeApplication(LifecycleImpl.java:343)
	at org.apache.myfaces.lifecycle.LifecycleImpl.execute(LifecycleImpl.java:86)
Caused by: com.image.idm.jaas.IdmLoginException
	at com.image.idm.jaas.IdmLoginModule.login(IdmLoginModule.java:110)
	at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
	at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
	at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
	at java.lang.reflect.Method.invoke(Method.java:585)
	at javax.security.auth.login.LoginContext.invoke(LoginContext.java:769)
	at javax.security.auth.login.LoginContext.access$000(LoginContext.java:186)
	at javax.security.auth.login.LoginContext$4.run(LoginContext.java:683)
	at javax.security.auth.login.LoginContext.invokePriv(LoginContext.java:680)
	at javax.security.auth.login.LoginContext.login(LoginContext.java:579)
	at org.jboss.security.plugins.JaasSecurityManager.defaultLogin(JaasSecurityManager.java:601)
	at org.jboss.security.plugins.JaasSecurityManager.authenticate(JaasSecurityManager.java:535)
	at org.jboss.security.plugins.JaasSecurityManager.isValid(JaasSecurityManager.java:344)
	at org.jboss.aspects.security.AuthenticationInterceptor.authenticate(AuthenticationInterceptor.java:123)
	at org.jboss.aspects.security.AuthenticationInterceptor.invoke(AuthenticationInterceptor.java:66)
	at org.jboss.ejb3.security.Ejb3AuthenticationInterceptor.invoke(Ejb3AuthenticationInterceptor.java:102)
	at org.jboss.aop.joinpoint.MethodInvocation.invokeNext(MethodInvocation.java:101)
	at org.jboss.ejb3.ENCPropagationInterceptor.invoke(ENCPropagationInterceptor.java:47)
	at org.jboss.aop.joinpoint.MethodInvocation.invokeNext(MethodInvocation.java:101)
	at org.jboss.ejb3.asynchronous.AsynchronousInterceptor.invoke(AsynchronousInterceptor.java:106)
	at org.jboss.aop.joinpoint.MethodInvocation.invokeNext(MethodInvocation.java:101)
	at org.jboss.ejb3.stateless.StatelessContainer.localInvoke(StatelessContainer.java:211)
	at org.jboss.ejb3.stateless.StatelessLocalProxy.invoke(StatelessLocalProxy.java:79)
	at $Proxy4155.getPermissions(Unknown Source)
	at com.image.idm.jsf.beans.UserAccount.loadPermissions(UserAccount.java:51)
	at com.image.idm.jsf.beans.UserAccount.setAccount(UserAccount.java:47)
	at com.image.idm.jsf.beans.UserAccount.<init>(UserAccount.java:36)
	at com.image.idm.jsf.beans.AuthenticationBean.login(AuthenticationBean.java:140)


It seems that during the EJB method invocation our LoginModule is called again. Is it really needed, or is it wrong behaviour?
Is it possible to make the EJB container "understand" that authentication is already done and take the authentication info?
Both jboss.xml and jboss-web.xml are configured to the same security domain.
JBoss version is 4.0.5 GA.

If you know the solution, or at least the root of the problem, please let me know.

View the original post : http://www.jboss.com/index.html?module=bb&op=viewtopic&p=4027967#4027967

Reply to the post : http://www.jboss.com/index.html?module=bb&op=posting&mode=reply&p=4027967
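An added illustration (not the poster's code, and not a JBoss project class) of what the trace above implies: the EJB3 AuthenticationInterceptor authenticates from the principal and credential bound to the calling thread in JBoss's SecurityAssociation, not from the Subject a web-tier LoginContext produced, so a login that never sets that thread state leaves the EJB call with nothing to validate. It assumes the jbosssx 4.0.x API (org.jboss.security.SecurityAssociation with setPrincipal/setCredential/setSubject/clear and org.jboss.security.SimplePrincipal); the domain name and callback handler are whatever the application configured.

```java
import java.security.Principal;
import javax.security.auth.Subject;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.login.LoginContext;
import javax.security.auth.login.LoginException;
import org.jboss.security.SecurityAssociation;
import org.jboss.security.SimplePrincipal;

/**
 * Added example (assumed jbosssx 4.0.x API). JaasSecurityManager.isValid(), which the
 * EJB3 AuthenticationInterceptor calls, reads the caller principal and credential from
 * SecurityAssociation and replays them through the domain's login modules unless the
 * principal is already in the domain cache. A LoginContext driven straight from a JSF
 * action never populates that thread-local state, so the EJB call authenticates with a
 * null principal and the custom module fails exactly as in the trace.
 */
public final class ThreadBoundLogin {

    private ThreadBoundLogin() {}

    /**
     * Authenticates against 'securityDomain' (the application-policy name from
     * login-config.xml) and binds the outcome to the current thread so an EJB call
     * made later in the same request sees the same identity. 'handler' is whatever
     * CallbackHandler the domain's modules expect.
     */
    public static Subject loginAndBind(String securityDomain, String userName,
                                       Object credential, CallbackHandler handler)
            throws LoginException {
        LoginContext lc = new LoginContext(securityDomain, handler);
        lc.login();
        Subject subject = lc.getSubject();

        // This is what the EJB interceptor actually consumes. The credential must be
        // something the domain's modules will accept again, since isValid() may replay it.
        Principal caller = new SimplePrincipal(userName);
        SecurityAssociation.setPrincipal(caller);
        SecurityAssociation.setCredential(credential);
        SecurityAssociation.setSubject(subject);
        return subject;
    }

    /** Must run in a finally block at the end of the request: the binding is per-thread
     *  and the thread returns to the pool, where a stale identity would leak to the next
     *  request served on it. */
    public static void unbind() {
        SecurityAssociation.clear();
    }
}
```

Because the container's own callback handler only passes a name and the raw credential object to the modules, a module that needs more than a password (such as an account id) has to be able to unpack it from a composite credential object rather than from a custom handler.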
