[jboss-dev-forums] [Security Development] New message: "Keeping the state of Caller principal in JBoss AppServer when authenticating from standalone WebServer"

Eric Loh do-not-reply at jboss.com
Fri Mar 5 03:02:11 EST 2010


JBoss development,

A new message was posted in the thread "Keeping the state of Caller principal in JBoss AppServer when authenticating from standalone WebServer":

http://community.jboss.org/message/530097#530097

Author  : Eric Loh
Profile : http://community.jboss.org/people/eric1lyk

Message:
--------------------------------------------------------------
Dear experts,
 
I have problems understanding how I can maintain the Authentication Principal in the JBoss AppServer for subsequent invocations of an EJB3 Stateless session bean from a standalone client.
 
I have EJB3 Stateless session beans deployed on JBoss 5.1.0 AS
 
 
My Client is deployed on an Apache Tomcat Webserver (version 6.0.20)
 
My Client (deployed on Tomcat Webserver) uses the following Login Config to do authentication.
 
myapp-login {
    com.myapp.services.authentication.client.jaas.OasisLoginModule requisite debug="true"
    facadeJndiName="myApp/authentication"
    java.naming.factory.initial="org.jnp.interfaces.NamingContextFactory"
    java.naming.factory.url.pkgs="org.jboss.naming:org.jnp.interfaces"
    java.naming.provider.url="jnp://localhost:1099";

    org.jboss.security.ClientLoginModule sufficient debug="true"
    multi-threaded="true";
};
 
I realised that org.jboss.security.ClientLoginModule is required so that the CallerPrincipal gets propagated from my Client to JBoss AppServer:

    org.jboss.security.ClientLoginModule sufficient debug="true"
 
After I log in, I created an InitialContext to look up the EJB3 stateless session bean deployed in JBoss.

I try to test if the Stateless session bean can obtain the principal that I propagated from the Tomcat Webserver to JBoss AS.

The first time I called, the context.getCallerPrincipal() was able to return the principal that I set inside the CallbackHandler.
 
import javax.annotation.Resource;
import javax.ejb.SessionContext;
import javax.ejb.Stateless;

@Stateless
public class AuthenticationComponentFacadeBean extends AbstractComponentFacade<IAuthenticationComponentServiceLocator> implements IAuthenticationComponentFacade
{
    // Container-injected EJB session context
    @Resource
    SessionContext context;

    @Override
    public char[] resetPassword(MyCredentials credential) throws AuthenticationException
    {
        // Print the caller principal propagated from the client
        if (context.getCallerPrincipal() != null)
        {
            System.out.println("principal: " + context.getCallerPrincipal());
        }
        // ... (the rest of the method is not shown in the original post)
    }
}
 
 
But in subsequent invocations, when I create the InitialContext again, I am getting a NullPointerException:
 
15:16:50,538 INFO  [STDOUT] 2010-03-05 15:16:50,538 [ERROR] - [AuthenticationComponentFacadeBean] java.lang.NullPointerException
        at org.jboss.ejb3.security.helpers.EJBContextHelper.getCallerPrincipal(EJBContextHelper.java:99)
 
i.e. The CallerPrincipal gets lost in subsequent invocations.
 
Can someone tell me how I can maintain the CallerPrincipal inside JBoss AppServer until I perform a logout operation to invalidate my session?

*What is the correct way to do it?*

*Should I invoke the ClientLoginModule at my Client on Tomcat Webserver every time I look up a stateless session bean so that it will keep the CallerPrincipal there?*

*Is there a way to keep the CallerPrincipal without invoking the ClientLoginModule every time I do a lookup?*

--------------------------------------------------------------
