[Security & JAAS/JBoss] - Credentials propagation to a remote jboss server
by tang_2001
Hello,
I'm trying to authenticate access to a jboss-4.0.4 server through an EJB session facade with a unique "generic" user account.
This server is remotely accessed from a jboss-portal-2.4 server.
I used to authenticate this way from a simple tomcat5.0 server, but I can't succeed in doing the same from the jboss portal server.
Following is the description of my current configuration.
on jboss portal side:
--------------------
1- Added an SSOValve, just as described on the page http://www.simongbrown.com/blog/2004/11/04/1099588633312.html
This valve does something like:
    request.setUserPrincipal(new SSOPrincipal(request.getContext()
            .getRealm(), username, password, roles));
where SSOPrincipal extends org.apache.catalina.realm.GenericPrincipal
2- An extract of my jboss-web.xml file:
    <security-domain>java:/jaas/client-login</security-domain>
This should help propagate my credentials to my session facade on a remote jboss server
on the remote jboss server side:
-------------------------------
I have the following settings that used to work when I had a simple tomcat server in the front side. Now I try to do the same with jboss portal in front, but the remote jboss server settings remain the same:
1- I defined in jboss-login file:
    <application-policy name="gubpm">
        <authentication>
            <login-module
                code="org.jboss.security.auth.spi.UsersRolesLoginModule"
                flag="required">
                <module-option name="usersProperties">
                    props/gubpm-users.properties
                </module-option>
                <module-option name="rolesProperties">
                    props/gubpm-roles.properties
                </module-option>
            </login-module>
            <login-module code="org.jboss.security.ClientLoginModule"
                flag="required">
                <!-- Any existing security context will be restored on logout -->
                <module-option name="restore-login-identity">
                    true
                </module-option>
            </login-module>
        </authentication>
    </application-policy>
3- From jboss portal, I do a lookup of the remote facade:
    Hashtable props = new Hashtable();
    props.put(Context.INITIAL_CONTEXT_FACTORY,
            "org.jnp.interfaces.NamingContextFactory");
    String providerUrl = Constants.PROVIDER_URL;
    props.put(Context.PROVIDER_URL, providerUrl);

    Object reference = (new InitialContext(props)).lookup("SessionFacade");

    SessionFacadeHome home = (SessionFacadeHome) PortableRemoteObject
            .narrow(reference, SessionFacadeHome.class);

    return home.create();
2- I also added the following line to my jboss.xml file:
    <security-domain>java:/jaas/gubpm</security-domain>
3- My ejb is configured to authorize accesses to the methods to role 'Authenticated'
The result is that this fails on the lookup line:
    Object reference = (new InitialContext(props)).lookup("SessionFacade");
with the following error:
    Caused by: javax.security.auth.login.FailedLoginException: Password Incorrect/Password Required
        at org.jboss.security.auth.spi.UsernamePasswordLoginModule.login(UsernamePasswordLoginModule.java:213)
        at org.jboss.security.auth.spi.UsersRolesLoginModule.login(UsersRolesLoginModule.java:152)
Of course I checked that the given username and password are the same ones that the remote jboss server expects to find in the files props/gubpm-users.properties and props/gubpm-roles.properties. I cannot find what is wrong in my settings...
Please help!
Thanks,
Tanguy
View the original post : http://www.jboss.com/index.html?module=bb&op=viewtopic&p=3983834#3983834
[Management, JMX/JBoss] - MBeanService + Standard MBeans = ???
by vitor_b
Hello
I'm using:
JBOSS: jboss-4.0.5.GA
java version: 1.4.2_12
system: Windows XP Home Edition
1. I've created one service: CFGLoaderService extending class ServiceMBeanSupport.
2. This service creates some standard MBeans in method start_service() using method createMBean
3. Each standard MBean creates one important thing: an object (type RuleBase - Drools library - but this is not the most important thing, I think)
4. This object is bound to JNDI.
At this stage of the process we have:
- one service
- some standard MBeans
- each MBean has a reference to an object, and this object is bound with JNDI
In addition each standard MBean has a method 'reload()' which creates a new object, and this new object is bound with the old JNDI name. So using the same JNDI name the client can locate the new object.
ServiceMBean has a method 'reload()' too. This method calls method 'reload' from the appropriate standard MBean using the mbs.invoke() method (mbs MBeanServer).
Now the unexpected (for me) result:
Service creates Standard MBeans.
The client locates the object using JNDI and can find that object. But he cannot use this object because of some issues. (don't think about these issues now, look at the following description)
Now we can open the JMX console (http://localhost:8080/jmx-console/) and from the standard MBean invoke method 'reload'. After this move we can locate the object via JNDI and use it. Everything works fine. Now we can from the JMX console use the service method 'reload', which calls method 'reload' from the appropriate standard MBean. After this move we can locate the object via JNDI and we cannot use it (issues). How is it possible??? The service method 'reload' calls method 'reload' from the standard MBean, which works fine when called from the JMX console.
So from the Service we cannot reload a standard MBean. As I described at the beginning, after creating standard MBeans we cannot use them either. I think that happens due to the same reason for which the 'reload' method from the service doesn't work fine.
If you are interested I can send you my code.
Of course I don't have to tell you that you are my last chance to find a solution :).
Thanks in advance
vitor_b
View the original post : http://www.jboss.com/index.html?module=bb&op=viewtopic&p=3983833#3983833
[Security & JAAS/JBoss] - Best practice question
by hanland
I am developing a client server app using JBoss and ejb3. I have a client based on eclipse and they work very nicely together. I was using an existing login mechanism but decided to start using the new ejb3 security annotations etc. instead.
My question here is what is the best practice with ejb3. I have set up a custom JAAS login handler module with a LoginContext connecting to my backend database which is fine. The problem I see though is that the logged in principal etc. is not propagated to subsequent ejb access once a successful login has occurred. When I use the JNDI InitialContext method the login works fine, the principal is also propagated via the initialContext lookups.
What is the best approach here? Should I be mixing JNDI and JAAS but how do I propagate the principal etc.
Comments !!!!!
View the original post : http://www.jboss.com/index.html?module=bb&op=viewtopic&p=3983831#3983831
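Added example, not part of any post above and not the posters' or the JBoss project's code: a standalone JBoss 4.x client that logs in through org.jboss.security.ClientLoginModule before calling a secured EJB3 bean, which is the propagation step the last post asks about. It assumes jbossall-client.jar on the classpath; the auth.conf file, host, credentials, Greeter interface and JNDI name are hypothetical.

```java
import java.util.Hashtable;
import javax.naming.Context;
import javax.naming.InitialContext;
import javax.security.auth.login.LoginContext;
import org.jboss.security.auth.callback.UsernamePasswordHandler;

public class PropagatingClient {

    /** Hypothetical stand-in for the bean's remote business interface,
     *  which client and server must share. */
    public interface Greeter {
        String hello();
    }

    public static void main(String[] args) throws Exception {
        // Assumed auth.conf next to the client, containing exactly:
        //   client-login { org.jboss.security.ClientLoginModule required; };
        System.setProperty("java.security.auth.login.config", "auth.conf");

        // Placeholder credentials; a real client would prompt for them.
        String user = "demo-user";
        char[] password = "demo-password".toCharArray();

        // ClientLoginModule does not authenticate anything. login() only binds
        // the name and password to the client-side security association, and
        // the JBoss invocation layer sends them with each later EJB call.
        LoginContext lc = new LoginContext("client-login",
                new UsernamePasswordHandler(user, password));
        lc.login();
        try {
            Hashtable<String, String> env = new Hashtable<String, String>();
            env.put(Context.INITIAL_CONTEXT_FACTORY,
                    "org.jnp.interfaces.NamingContextFactory");
            env.put(Context.PROVIDER_URL, "jnp://localhost:1099"); // assumed
            Context ctx = new InitialContext(env);

            // "GreeterBean/remote" is a hypothetical JNDI name.
            Greeter bean = (Greeter) ctx.lookup("GreeterBean/remote");
            // The bean's server-side security domain checks the propagated
            // credentials here; a rejected caller gets an exception.
            System.out.println(bean.hello());
        } finally {
            lc.logout(); // clears the propagated identity again
        }
    }
}
```

Because the real check happens on the server, a successful lc.login() on the client says nothing about whether the password is correct.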