[jboss-user] [Security] - Re: Caller unauthorized on using a ejb3 statetlesssessionbea
praenti
do-not-reply at jboss.com
Tue Oct 13 05:48:51 EDT 2009
Ok, back to the LoginFacade. I did some more testing and tried to use the code in a JDK5 and JBoss 4.2.3 environment. There I also get an access exception on the EJB3 bean. After putting some log.info statements into my JAAS login module I get the following output:
| 11:34:59,091 INFO [SpiiderLoginModule] Groups for User: 1
| 11:34:59,106 INFO [SpiiderLoginModule] Principal: AdminUser
| 11:34:59,106 ERROR [RoleBasedAuthorizationInterceptor] Insufficient permissions,
| principal=extern.michael.obster, requiredRoles=[RegularUser, AdminUser, interna
| l], principalRoles=null
|
What I see is that the user has the role AdminUser, but when access to the EJB3 is checked the principalRoles get lost. Does anyone have an idea where this behaviour could come from?
Code-Snippets:
SpiiderLoginModule:
| ...
/**
 * Resolves the role groups of the authenticated user from the database.
 *
 * Falls back to {@code getDefaultRoles()} when no user identifier is
 * available, when the roles query returns nothing, or when the user is not
 * present in the roles-link table at all.
 *
 * NOTE(review): the reported log output shows Group names such as
 * "AdminUser". JBoss's authorization layer takes the caller's roles from the
 * Group named "Roles" (the role principals are its members); a Group named
 * after the role itself is not consulted, which would explain
 * principalRoles=null. Confirm which column of rolesQuery supplies the group
 * name.
 *
 * @return the role groups for the current user, never null
 * @throws LoginException propagated from the role lookup
 */
protected Group[] getRoleSets() throws LoginException {
    // No identifier means the identity could not be established; use the defaults.
    if (userIdentifier == null) {
        return getDefaultRoles();
    }

    // Publish the user identifier to callers via the subject's public credentials.
    subject.getPublicCredentials().add(userIdentifier);
    String gid = userIdentifier.getGid();
    if (trace) {
        log.info("getRoleSets using rolesQuery: " + rolesQuery + ", gid: " + gid);
    }

    Group[] resolvedGroups;
    try {
        resolvedGroups = Util.getRoleSets(gid, dsJndiName, rolesQuery, this, suspendResume);
    } catch (FailedLoginException fe) {
        // Raised when the user has no row in the roles-link table: treat as "no roles".
        return getDefaultRoles();
    }

    // Diagnostic output (INFO level as in the author's test run; the query log
    // above is guarded by `trace`, these lines are not).
    log.info("Groups for User: " + resolvedGroups.length);
    for (Group group : resolvedGroups) {
        log.info("Principal: " + group.getName());
    }

    return resolvedGroups.length == 0 ? getDefaultRoles() : resolvedGroups;
}
| ...
|
LoginFacade:
| /**
| *
| */
| package vwg.audi.cancard.business;
|
| import javax.naming.AuthenticationException;
| import javax.security.auth.login.LoginContext;
| import javax.security.auth.login.LoginException;
|
| import org.apache.log4j.Logger;
| import org.jboss.security.auth.callback.UsernamePasswordHandler;
|
| import vwg.audi.cancard.JAASLoginException;
| import vwg.audi.cancard.ui.JAASConstants;
|
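/**
 * LoginFacade
 *
 * Thin wrapper around a JAAS {@link LoginContext}. It performs the
 * interactive (GUI) login against {@code loginContext} and the background
 * (filter) login against {@code clientContext}, and translates the resulting
 * exceptions into {@link JAASLoginException}s that carry one of the
 * {@link JAASConstants} hints.
 *
 * Not thread-safe: one instance holds the context of a single login attempt.
 *
 * @author Michael Obster (nospam.michael.obster at epos-cat.de)
 */
public class LoginFacade {
    private final Logger log = Logger.getLogger(this.getClass());

    // Context of the last login attempt; null until login()/clientLogin() ran
    // and again after a successful logout().
    private LoginContext lc = null;
    // JAAS application-policy name used by login().
    private String loginContext = "";
    // JAAS application-policy name used by clientLogin().
    private String clientContext = "";

    /**
     * @param loginContext JAAS application-policy name for the interactive login
     * @param clientContext JAAS application-policy name for the background login
     */
    public LoginFacade(String loginContext, String clientContext) {
        this.loginContext = loginContext;
        this.clientContext = clientContext;
    }

    /**
     * Real login, used by GUI.
     *
     * The raw JAAS failure is mapped to a {@link JAASLoginException} whose
     * hint is derived from the innermost {@link AuthenticationException}
     * (LDAP) or {@link LoginException} in the cause chain.
     *
     * @param username the user to authenticate
     * @param strPassword the password; null is treated as the empty password
     * @throws Exception a {@link JAASLoginException} describing the failure
     */
    public void login(String username, String strPassword) throws Exception {
        char[] password = toPasswordChars(strPassword);
        // NOTE(review): the password array is never cleared after use; once it
        // is confirmed that the handler and the login modules copy it, an
        // Arrays.fill(password, '\0') in a finally block would shorten its
        // lifetime in memory.
        UsernamePasswordHandler handler = new UsernamePasswordHandler(username, password);

        lc = null;
        try {
            // Login for usercheck
            lc = new LoginContext(loginContext, handler);
            lc.login();
        } catch (Exception e) {
            throw toJaasLoginException(username, findRelevantCause(e));
        }
    }

    /**
     * Background Login, set user and password from filter.
     *
     * @param username the user to authenticate
     * @param strPassword the password; null is treated as the empty password
     * @throws JAASLoginException with {@link JAASConstants#UNEXPECTED_ERROR}
     *         when the JAAS login fails; the original {@link LoginException}
     *         is attached as the cause
     */
    public void clientLogin(String username, String strPassword) throws JAASLoginException {
        char[] password = toPasswordChars(strPassword);
        UsernamePasswordHandler handler = new UsernamePasswordHandler(username, password);
        try {
            lc = new LoginContext(clientContext, handler);
            lc.login();
        } catch (LoginException e) {
            // Keep the cause: without it the real reason for the failure is
            // invisible in logs and stack traces.
            throw new JAASLoginException(JAASConstants.UNEXPECTED_ERROR, e);
        }
    }

    /**
     * Logs out of the context established by {@link #login} or
     * {@link #clientLogin}. A no-op when no login was attempted or the
     * context was already logged out.
     *
     * @throws JAASLoginException with {@link JAASConstants#UNEXPECTED_ERROR}
     *         when the JAAS logout fails
     */
    public void logout() throws JAASLoginException {
        if (lc == null) {
            return;
        }

        try {
            lc.logout();
            // Drop the context so a second logout() is idempotent instead of
            // running the login modules' logout again.
            lc = null;
        } catch (LoginException e) {
            log.error("JAAS-Logout failed!", e);
            throw new JAASLoginException(JAASConstants.UNEXPECTED_ERROR);
        }
    }

    /**
     * Helper function tests if Strings have a value.
     *
     * @param s - the String to test.
     * @return true when s is non-null and not blank, false otherwise
     */
    boolean hasValue(String s) {
        return s != null && s.trim().length() != 0;
    }

    // Converts the password to the char[] the JAAS callback handler expects;
    // null becomes the empty password (matching the previous behaviour).
    private static char[] toPasswordChars(String strPassword) {
        return strPassword != null ? strPassword.toCharArray() : new char[0];
    }

    // Walks the cause chain and returns the first AuthenticationException
    // found, or the innermost cause when there is none.
    private static Throwable findRelevantCause(Throwable e) {
        Throwable t = e;
        while (t.getCause() != null && !(t instanceof AuthenticationException)) {
            t = t.getCause();
        }
        return t;
    }

    // Maps a login failure to a JAASLoginException carrying a JAASConstants hint.
    private JAASLoginException toJaasLoginException(String username, Throwable t) {
        if (t instanceof AuthenticationException) {
            // Analyse AuthenticationException
            AuthenticationException ex = (AuthenticationException) t;
            String emsg = ex.getExplanation();
            if (!hasValue(emsg)) {
                emsg = "";
            }
            // Substring matching on the server's explanation text is brittle
            // (wording is server- and locale-dependent); the numbers are LDAP
            // result codes embedded in that text. contains() replaces the
            // previous indexOf(...) > 0, which silently missed a match at
            // position 0.
            String errorhint = JAASConstants.USER_NOT_AUTHENTICATED;
            if (emsg.contains("password expired")) {
                errorhint = JAASConstants.PASSWORD_EXPIRED;
            } else if (emsg.contains("error code 49")) {
                errorhint = JAASConstants.PASSWORD_INVALID;
            } else if (emsg.contains("error code 19")) {
                errorhint = JAASConstants.USER_REVOKED;
            } else if (emsg.contains("error code 32")) {
                errorhint = JAASConstants.USER_INVALID;
            }
            log.debug(username + " " + ex.getExplanation() + " hint: " + errorhint);
            return new JAASLoginException(errorhint, ex);
        }

        if (t instanceof LoginException) {
            LoginException ex = (LoginException) t;
            String emsg = ex.getMessage();
            if (!hasValue(emsg)) {
                emsg = "";
            }
            String errorhint = JAASConstants.USER_NOT_AUTHENTICATED;
            if (emsg.contains("Password Required")) {
                errorhint = JAASConstants.PASSWORD_INVALID;
            }
            log.debug(username + " " + emsg + " " + errorhint);
            return new JAASLoginException(errorhint, ex);
        }

        log.debug(username + " " + t.getMessage() + " " + JAASConstants.UNEXPECTED_ERROR);
        return new JAASLoginException(JAASConstants.UNEXPECTED_ERROR, t);
    }
}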
|
And a filter which does the following:
| /**
| *
| */
| package vwg.audi.cancard.cfg;
|
| import java.io.IOException;
| import java.util.ArrayList;
| import java.util.Enumeration;
|
| import javax.servlet.Filter;
| import javax.servlet.FilterChain;
| import javax.servlet.FilterConfig;
| import javax.servlet.ServletException;
| import javax.servlet.ServletRequest;
| import javax.servlet.ServletResponse;
| import javax.servlet.http.HttpServletRequest;
|
| import org.apache.log4j.Logger;
|
| import vwg.audi.cancard.JAASLoginException;
| import vwg.audi.cancard.business.LoginFacade;
| import vwg.audi.cancard.ui.JAASConstants;
|
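/**
 * JAASLoginFilter
 *
 * Rejects requests to non-ignored paths unless the session is marked as
 * validated, then performs a background JAAS client login with the
 * credentials stored in the session for the duration of the filter chain
 * and logs out again afterwards.
 *
 * NOTE(review): the session holds the user's password in clear
 * (JAASConstants.PASSWORD) so it can be replayed on every request; confirm
 * this is acceptable for the deployment, as anything that can read the
 * session store can read the password.
 */
public class JAASLoginFilter implements Filter {
    private final Logger log = Logger.getLogger(this.getClass());

    FilterConfig filterConfig;

    // Paths that bypass both the validity check and the client login; filled
    // from the filter's init-parameter values in init().
    ArrayList<String> ignorePath;

    // JAAS application-policy names read from the servlet context.
    String loginDomain = "";
    String clientLoginDomain = "";

    /**
     * Collects the ignored paths and the JAAS domain names.
     *
     * @param filterConfig the container-supplied configuration
     * @throws ServletException never thrown here; declared by {@link Filter}
     */
    public void init(FilterConfig filterConfig) throws ServletException {
        this.filterConfig = filterConfig;
        ignorePath = new ArrayList<String>();
        // Every init-parameter *value* is an ignored path; the parameter names
        // themselves are irrelevant. Enumeration<?> works with both the raw
        // (servlet 2.4) and the generic (servlet 2.5+) return type.
        Enumeration<?> parameterNames = filterConfig.getInitParameterNames();
        while (parameterNames.hasMoreElements()) {
            String initParameterName = (String) parameterNames.nextElement();
            ignorePath.add(filterConfig.getInitParameter(initParameterName));
        }

        loginDomain = filterConfig.getServletContext().getInitParameter("jaasLoginDomain");
        clientLoginDomain = filterConfig.getServletContext().getInitParameter("jaasClientLoginDomain");
        log.debug("init JAASFilter: loginDomain:" + loginDomain + " clientLoginDomain:" + clientLoginDomain);
    }

    /**
     * Enforces the session validity check and wraps the chain in a JAAS
     * client login/logout pair.
     *
     * @throws JAASLoginException when the request is not HTTP, when a
     *         non-ignored path is requested without a validated session, or
     *         when the client login/logout fails
     */
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain) throws IOException, ServletException {
        if (!(req instanceof HttpServletRequest)) {
            throw new JAASLoginException("Unsupported request");
        }

        HttpServletRequest request = (HttpServletRequest) req;
        String path = requestPath(request);
        log.debug(path);
        log.debug("IM FILTER");
        LoginFacade loginFacade = new LoginFacade(loginDomain, clientLoginDomain);

        boolean ignored = ignorePath.contains(path);
        if (!ignored
                && !JAASConstants.USER_IS_VALID.equals(request
                        .getSession().getAttribute(
                                JAASConstants.USER_VALIDITY))) {
            log.info("requested path: " + path + " ignored: " + ignored);
            throw new JAASLoginException();
        }

        // Perform client-login
        if (!ignored) {
            String username = (String) request.getSession().getAttribute(JAASConstants.USERNAME);
            String strPassword = (String) request.getSession().getAttribute(JAASConstants.PASSWORD);

            // Classic login by username and password
            loginFacade.clientLogin(username, strPassword);
        }

        try {
            chain.doFilter(req, res);
        } finally {
            // Always undo the client login, also when the chain throws:
            // otherwise the pooled worker thread keeps this caller's JAAS
            // association and the next request on that thread inherits it.
            // A logout failure here masks an exception from the chain (no
            // addSuppressed on this Java level); it is logged by the facade.
            loginFacade.logout();
        }
    }

    /**
     * Nothing to release; the configuration reference is dropped together
     * with the filter instance.
     */
    public void destroy() {
    }

    // Servlet path plus path info, with null parts treated as empty.
    private static String requestPath(HttpServletRequest request) {
        String servletPath = request.getServletPath();
        String pathInfo = request.getPathInfo();
        return (servletPath == null ? "" : servletPath)
                + (pathInfo == null ? "" : pathInfo);
    }
}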
|
View the original post : http://www.jboss.org/index.html?module=bb&op=viewtopic&p=4260032#4260032
Reply to the post : http://www.jboss.org/index.html?module=bb&op=posting&mode=reply&p=4260032