[jboss-user] [JBoss Seam] - Seam EJB3 authorization
desanocra
do-not-reply at jboss.com
Sun Dec 30 19:22:52 EST 2007
I have an application with a Java Web Start frontend that uses security restrictions via the @RolesAllowed annotation. Now I want to add a Seam frontend. My problem is that I can log in but cannot call any restricted EJB methods.
The application stores the user passwords encrypted. This is why the Java Swing Web Start frontend uses this piece of code to log in:
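/**
 * Creates (but does not run) the JAAS login context for the "myrealm" configuration.
 *
 * The handler given to the context answers a NameCallback with the user name and a
 * PasswordCallback with the credential that SecurityUtils.getCryptedPwd derives from
 * the stored copy of the password; any other callback type is rejected.
 *
 * @param inUsername user name handed to the NameCallback
 * @param inPassword clear-text password; copied into mPassword, the caller's array is
 *                   left untouched (and remains the caller's to wipe)
 * @param inSubject  subject the login context populates
 * @return the created context (also kept in mLoginContext), or null when the JAAS
 *         configuration could not be loaded
 */
public LoginContext createLoginContext(final String inUsername, char[] inPassword, Subject inSubject) {
    mIsAdmin = false;
    mUsername = inUsername;
    // Private copy so the handler can wipe it without touching the caller's array.
    mPassword = new char[inPassword.length];
    System.arraycopy(inPassword, 0, mPassword, 0, inPassword.length);
    try {
        mLoginContext = new LoginContext("myrealm", inSubject, new CallbackHandler() {
            public void handle(Callback[] callbacks) throws IOException, UnsupportedCallbackException {
                for (int i = 0; i < callbacks.length; i++) {
                    // Inspect each element; an instanceof test on the whole array never matches.
                    Callback aCallback = callbacks[i];
                    if (aCallback instanceof NameCallback) {
                        ((NameCallback) aCallback).setName(inUsername);
                    } else if (aCallback instanceof PasswordCallback) {
                        String aEncPwd = SecurityUtils.getCryptedPwd(mUsername, mPassword);
                        // The stored copy is wiped as soon as the derived credential exists, so a
                        // second PasswordCallback within the same login would only see blanks.
                        java.util.Arrays.fill(mPassword, ' ');
                        ((PasswordCallback) aCallback).setPassword(aEncPwd.toCharArray());
                    } else {
                        throw new UnsupportedCallbackException(aCallback);
                    }
                }
            }
        });
    } catch (LoginException e) {
        getLogger().log(LogLevel.ERROR, CommonResources.getMsg("auth.LoginModule.login.context.creation.failed"), e);
        return null;
    }
    return mLoginContext;
}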
|
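/**
 * Looks up the AuthenticationController bean and queries the user record for inUsername.
 *
 * @param inUsername user name to query; null yields null without performing a JNDI lookup
 * @return the user, or null when the name is null, the bean lookup fails, or the current
 *         caller is not authorized to invoke qryUser (EJBAccessException)
 */
public User getUser(final String inUsername) {
    // Nothing to query: skip the JNDI lookup the old version still performed.
    if (inUsername == null) {
        return null;
    }
    try {
        String aAuthCtrlRemote = CommonResources.getBeanJndiNames().getString("controller.authentication");
        getLogger().log(LogLevel.DEBUG, "Using AuthenticationController Bean: {0}", aAuthCtrlRemote);
        AuthenticationController aBean = (AuthenticationController) CommonFactory.getInitialContext().lookup(aAuthCtrlRemote);
        try {
            return aBean.qryUser(inUsername);
        } catch (javax.ejb.EJBAccessException e) {
            // An authorization failure is reported to callers as "no user" and only logged;
            // callers therefore cannot distinguish it from an unknown user.
            getLogger().log(LogLevel.ERROR, "Error: {0}", e);
        }
    } catch (Exception e) {
        getLogger().log(LogLevel.ERROR, "Error: {0}", e);
    }
    return null;
}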
|
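/**
 * Logs the user in: ends any previous session, runs the JAAS login, starts the
 * server-side client session, resolves the admin flag and notifies listeners.
 *
 * @param inUsername user name
 * @param inPassword clear-text password; createLoginContext keeps its own copy
 * @return true when the JAAS login and the session start succeeded, false otherwise
 */
public boolean login(final String inUsername, char[] inPassword) {
    if (mLoginContext != null) {
        logout();
    }
    LoginContext aLoginContext = createLoginContext(inUsername, inPassword, new Subject());
    // No context means no authentication took place; the old version fell through to
    // the session setup and relied on the EJB container to reject the later calls.
    if (aLoginContext == null) {
        return false;
    }

    // Perform the login
    try {
        aLoginContext.login();
    } catch (LoginException e) {
        getLogger().log(LogLevel.DEBUG, CommonResources.getMsg("view.LoginView.auth.failed"), e);
        return false;
    }

    try {
        String aClientSessionCtrl = CommonResources.getBeanJndiNames().getString("controller.clientsession");
        getLogger().log(LogLevel.DEBUG, "Using ClientSessionController Bean: {0}", aClientSessionCtrl);
        ClientSessionController bean = (ClientSessionController) CommonFactory.getInitialContext().lookup(aClientSessionCtrl);
        // TODO locale session - "a" is a placeholder locale
        bean.startLocaleSession("a");

        // getUser returns null when the query is not authorized; that counts as non-admin.
        User aUser = getUser(mUsername);
        mIsAdmin = aUser != null && aUser.getRole().isAdmin();
    } catch (RuntimeException e) {
        getLogger().log(LogLevel.ERROR, "{0}", e);
        return false;
    } catch (NamingException e) {
        getLogger().log(LogLevel.ERROR, "{0}", e);
        return false;
    }

    fireEvent(true);
    return true;
}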
|
After this, the Java Swing Web Start client can call any restricted EJB method permitted for the role of the logged-in user. For example:
// Resolve the ClientSessionController bean by its configured JNDI name, then start the session.
String aSessionCtrlJndi = CommonResources.getBeanJndiNames().getString("controller.clientsession");
getLogger().log(LogLevel.DEBUG, "Using ClientSessionController Bean: {0}", aSessionCtrlJndi);
ClientSessionController aSessionCtrl = (ClientSessionController) CommonFactory.getInitialContext().lookup(aSessionCtrlJndi);
aSessionCtrl.startLocaleSession("a");
|
|
I use the same mechanism for Seam. I wrote an Authenticator:
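@Stateful
@Name("authenticator")
@Local({ SeamAuthenticator.class })
public class SeamAuthenticatorImpl implements SeamAuthenticator {

    /*
     * with the @Out annotation this bean can change the value of the <code>user</code>
     * context variable and make the new instance available to other session
     * beans and JSF pages
     */
    @SuppressWarnings("unused")
    @Out(required = false, scope = SESSION)
    private User user;

    /** Client-side login controller that builds the JAAS context; set on each login(). */
    private ClientLoginController mCtrl;

    public SeamAuthenticatorImpl() {
    }

    /**
     * Seam authenticator method: builds a JAAS context from the credentials held by
     * {@link Identity}, authenticates, then starts the server-side client session.
     *
     * Missing credentials are a failed login. A null password is no longer replaced by
     * a fixed default, which previously turned a blank form submission into a login
     * attempt with a known credential.
     *
     * @return true when Identity reports the user as logged in after authentication;
     *         false when credentials are missing, the context cannot be created, or
     *         the JAAS login fails
     */
    @PermitAll
    public boolean login() {
        Identity aIdentity = Identity.instance();
        String aUsername = aIdentity.getUsername();
        String aPassword = aIdentity.getPassword();
        Identity.setSecurityEnabled(true);
        if (aUsername == null || aPassword == null) {
            return false;
        }
        mCtrl = ClientFactory.getClientLoginCtrl();
        LoginContext aLoginContext = mCtrl.createLoginContext(aUsername, aPassword.toCharArray(), aIdentity.getSubject());
        if (aLoginContext == null) {
            return false;
        }
        try {
            aIdentity.authenticate(aLoginContext);
        } catch (LoginException e) {
            getLogger().log(LogLevel.ERROR, "{0}", e);
            return false;
        }
        // NOTE(review): the stack trace in the post shows this method running inside
        // SeamLoginModule.login, i.e. while Identity's own JAAS login is still in
        // progress, so the restricted EJB call below executes before the authenticated
        // caller is committed - presumably why the container rejects it. Confirm, and
        // consider starting the session only after the login has completed.
        startClientSession();
        return aIdentity.isLoggedIn();
    }

    /**
     * Starts the server-side client session. A failed JNDI lookup is logged and does
     * not fail the login.
     */
    private void startClientSession() {
        try {
            String aClientSessionCtrl = CommonResources.getBeanJndiNames().getString("controller.clientsession");
            getLogger().log(LogLevel.DEBUG, "Using ClientSessionController Bean: {0}", aClientSessionCtrl);
            ClientSessionController bean = (ClientSessionController) CommonFactory.getInitialContext().lookup(aClientSessionCtrl);
            // TODO locale session - "a" is a placeholder locale
            bean.startLocaleSession("a");
        } catch (NamingException e) {
            getLogger().log(LogLevel.ERROR, "{0}", e);
        }
    }

    @Destroy @Remove
    public void destroy() {}

    static Logger getLogger() {
        return CommonFactory.getLogManager().getLogger(SeamAuthenticatorImpl.class.getName());
    }
}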
The authentication works (Identity.isLoggedIn() == true), but the call bean.startLocaleSession("a"); fails with:
| 23:42:40,468 ERROR [ClientLoginCtrlImpl] Error: javax.ejb.EJBAccessException: Authorization failure|utab
| javax.ejb.EJBAccessException: Authorization failure
| at org.jboss.ejb3.security.RoleBasedAuthorizationInterceptor.invoke(RoleBasedAuthorizationInterceptor.java:120)
| at org.jboss.aop.joinpoint.MethodInvocation.invokeNext(MethodInvocation.java:101)
| at org.jboss.aspects.security.AuthenticationInterceptor.invoke(AuthenticationInterceptor.java:77)
| at org.jboss.ejb3.security.Ejb3AuthenticationInterceptor.invoke(Ejb3AuthenticationInterceptor.java:110)
| at org.jboss.aop.joinpoint.MethodInvocation.invokeNext(MethodInvocation.java:101)
| at org.jboss.ejb3.ENCPropagationInterceptor.invoke(ENCPropagationInterceptor.java:46)
| at org.jboss.aop.joinpoint.MethodInvocation.invokeNext(MethodInvocation.java:101)
| at org.jboss.ejb3.asynchronous.AsynchronousInterceptor.invoke(AsynchronousInterceptor.java:106)
| at org.jboss.aop.joinpoint.MethodInvocation.invokeNext(MethodInvocation.java:101)
| at org.jboss.ejb3.stateless.StatelessContainer.localInvoke(StatelessContainer.java:240)
| at org.jboss.ejb3.stateless.StatelessContainer.localInvoke(StatelessContainer.java:210)
| at org.jboss.ejb3.stateless.StatelessLocalProxy.invoke(StatelessLocalProxy.java:84)
| at $Proxy343.qryUser(Unknown Source)
| at impl.x.x.common.client.ctrl.ClientLoginCtrlImpl.getUser(ClientLoginCtrlImpl.java:89)
| at impl.x.x.server.ctrl.SeamAuthenticatorImpl.login(SeamAuthenticatorImpl.java:67)
| at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
| at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
| at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
| at java.lang.reflect.Method.invoke(Method.java:585)
| at org.jboss.aop.joinpoint.MethodInvocation.invokeNext(MethodInvocation.java:112)
| at org.jboss.ejb3.interceptor.InvocationContextImpl.proceed(InvocationContextImpl.java:166)
| at org.jboss.seam.intercept.EJBInvocationContext.proceed(EJBInvocationContext.java:44)
| at org.jboss.seam.intercept.SeamInvocationContext.proceed(SeamInvocationContext.java:56)
| at org.jboss.seam.core.BijectionInterceptor.aroundInvoke(BijectionInterceptor.java:46)
| at org.jboss.seam.intercept.SeamInvocationContext.proceed(SeamInvocationContext.java:68)
| at org.jboss.seam.persistence.ManagedEntityIdentityInterceptor.aroundInvoke(ManagedEntityIdentityInterceptor.java:48)
| at org.jboss.seam.intercept.SeamInvocationContext.proceed(SeamInvocationContext.java:68)
| at org.jboss.seam.transaction.RollbackInterceptor.aroundInvoke(RollbackInterceptor.java:31)
| at org.jboss.seam.intercept.SeamInvocationContext.proceed(SeamInvocationContext.java:68)
| at org.jboss.seam.core.MethodContextInterceptor.aroundInvoke(MethodContextInterceptor.java:42)
| at org.jboss.seam.intercept.SeamInvocationContext.proceed(SeamInvocationContext.java:68)
| at org.jboss.seam.persistence.EntityManagerProxyInterceptor.aroundInvoke(EntityManagerProxyInterceptor.java:26)
| at org.jboss.seam.intercept.SeamInvocationContext.proceed(SeamInvocationContext.java:68)
| at org.jboss.seam.persistence.HibernateSessionProxyInterceptor.aroundInvoke(HibernateSessionProxyInterceptor.java:27)
| at org.jboss.seam.intercept.SeamInvocationContext.proceed(SeamInvocationContext.java:68)
| at org.jboss.seam.intercept.RootInterceptor.invoke(RootInterceptor.java:107)
| at org.jboss.seam.intercept.SessionBeanInterceptor.aroundInvoke(SessionBeanInterceptor.java:50)
| at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
| at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
| at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
| at java.lang.reflect.Method.invoke(Method.java:585)
| at org.jboss.ejb3.interceptor.InvocationContextImpl.proceed(InvocationContextImpl.java:118)
| at org.jboss.ejb3.interceptor.EJB3InterceptorsInterceptor.invoke(EJB3InterceptorsInterceptor.java:63)
| at org.jboss.aop.joinpoint.MethodInvocation.invokeNext(MethodInvocation.java:101)
| at org.jboss.ejb3.entity.ExtendedPersistenceContextPropagationInterceptor.invoke(ExtendedPersistenceContextPropagationInterceptor
| at org.jboss.aop.joinpoint.MethodInvocation.invokeNext(MethodInvocation.java:101)
| at org.jboss.ejb3.entity.TransactionScopedEntityManagerInterceptor.invoke(TransactionScopedEntityManagerInterceptor.java:54)
| at org.jboss.aop.joinpoint.MethodInvocation.invokeNext(MethodInvocation.java:101)
| at org.jboss.ejb3.AllowedOperationsInterceptor.invoke(AllowedOperationsInterceptor.java:47)
| at org.jboss.aop.joinpoint.MethodInvocation.invokeNext(MethodInvocation.java:101)
| at org.jboss.aspects.tx.TxPolicy.invokeInCallerTx(TxPolicy.java:126)
| at org.jboss.aspects.tx.TxInterceptor$Required.invoke(TxInterceptor.java:195)
| at org.jboss.aop.joinpoint.MethodInvocation.invokeNext(MethodInvocation.java:101)
| at org.jboss.aspects.tx.TxPropagationInterceptor.invoke(TxPropagationInterceptor.java:95)
| at org.jboss.aop.joinpoint.MethodInvocation.invokeNext(MethodInvocation.java:101)
| at org.jboss.ejb3.stateful.StatefulInstanceInterceptor.invoke(StatefulInstanceInterceptor.java:83)
| at org.jboss.aop.joinpoint.MethodInvocation.invokeNext(MethodInvocation.java:101)
| at org.jboss.aspects.security.AuthenticationInterceptor.invoke(AuthenticationInterceptor.java:77)
| at org.jboss.ejb3.security.Ejb3AuthenticationInterceptor.invoke(Ejb3AuthenticationInterceptor.java:110)
| at org.jboss.aop.joinpoint.MethodInvocation.invokeNext(MethodInvocation.java:101)
| at org.jboss.ejb3.ENCPropagationInterceptor.invoke(ENCPropagationInterceptor.java:46)
| at org.jboss.aop.joinpoint.MethodInvocation.invokeNext(MethodInvocation.java:101)
| at org.jboss.ejb3.asynchronous.AsynchronousInterceptor.invoke(AsynchronousInterceptor.java:106)
| at org.jboss.aop.joinpoint.MethodInvocation.invokeNext(MethodInvocation.java:101)
| at org.jboss.ejb3.stateful.StatefulContainer.localInvoke(StatefulContainer.java:206)
| at org.jboss.ejb3.stateful.StatefulLocalProxy.invoke(StatefulLocalProxy.java:119)
| at $Proxy322.login(Unknown Source)
| at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
| at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
| at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
| at java.lang.reflect.Method.invoke(Method.java:585)
| at org.jboss.seam.util.Reflections.invoke(Reflections.java:21)
| at org.jboss.seam.intercept.RootInvocationContext.proceed(RootInvocationContext.java:31)
| at org.jboss.seam.intercept.ClientSideInterceptor$1.proceed(ClientSideInterceptor.java:76)
| at org.jboss.seam.intercept.SeamInvocationContext.proceed(SeamInvocationContext.java:56)
| at org.jboss.seam.ejb.RemoveInterceptor.aroundInvoke(RemoveInterceptor.java:41)
| at org.jboss.seam.intercept.SeamInvocationContext.proceed(SeamInvocationContext.java:68)
| at org.jboss.seam.intercept.RootInterceptor.invoke(RootInterceptor.java:107)
| at org.jboss.seam.intercept.ClientSideInterceptor.invoke(ClientSideInterceptor.java:54)
| at org.javassist.tmp.java.lang.Object_$$_javassist_2.login(Object_$$_javassist_2.java)
| at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
| at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
| at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
| at java.lang.reflect.Method.invoke(Method.java:585)
| at org.jboss.el.util.ReflectionUtil.invokeMethod(ReflectionUtil.java:329)
| at org.jboss.el.util.ReflectionUtil.invokeMethod(ReflectionUtil.java:342)
| at org.jboss.el.parser.AstPropertySuffix.invoke(AstPropertySuffix.java:58)
| at org.jboss.el.parser.AstValue.invoke(AstValue.java:96)
| at org.jboss.el.MethodExpressionImpl.invoke(MethodExpressionImpl.java:276)
| at org.jboss.seam.core.Expressions$2.invoke(Expressions.java:174)
| at org.jboss.seam.security.jaas.SeamLoginModule.login(SeamLoginModule.java:108)
| at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
| at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
| at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
| at java.lang.reflect.Method.invoke(Method.java:585)
| at javax.security.auth.login.LoginContext.invoke(LoginContext.java:769)
| at javax.security.auth.login.LoginContext.access$000(LoginContext.java:186)
| at javax.security.auth.login.LoginContext$5.run(LoginContext.java:706)
| at java.security.AccessController.doPrivileged(Native Method)
| at javax.security.auth.login.LoginContext.invokeCreatorPriv(LoginContext.java:703)
| at javax.security.auth.login.LoginContext.login(LoginContext.java:575)
| at org.jboss.seam.security.Identity.authenticate(Identity.java:259)
| at org.jboss.seam.security.Identity.authenticate(Identity.java:248)
| at org.jboss.seam.security.Identity.login(Identity.java:205)
| at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
| at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
| at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
| at java.lang.reflect.Method.invoke(Method.java:585)
| at org.jboss.el.util.ReflectionUtil.invokeMethod(ReflectionUtil.java:329)
| at org.jboss.el.util.ReflectionUtil.invokeMethod(ReflectionUtil.java:342)
| at org.jboss.el.parser.AstPropertySuffix.invoke(AstPropertySuffix.java:58)
| at org.jboss.el.parser.AstValue.invoke(AstValue.java:96)
| at org.jboss.el.MethodExpressionImpl.invoke(MethodExpressionImpl.java:276)
| at com.sun.facelets.el.TagMethodExpression.invoke(TagMethodExpression.java:68)
| at javax.faces.component.MethodBindingMethodExpressionAdapter.invoke(MethodBindingMethodExpressionAdapter.java:77)
| at com.sun.faces.application.ActionListenerImpl.processAction(ActionListenerImpl.java:91)
| at javax.faces.component.UICommand.broadcast(UICommand.java:383)
| at org.ajax4jsf.component.AjaxViewRoot.processEvents(AjaxViewRoot.java:184)
| at org.ajax4jsf.component.AjaxViewRoot.broadcastEvents(AjaxViewRoot.java:162)
| at org.ajax4jsf.component.AjaxViewRoot.processApplication(AjaxViewRoot.java:350)
| at com.sun.faces.lifecycle.InvokeApplicationPhase.execute(InvokeApplicationPhase.java:97)
| at com.sun.faces.lifecycle.LifecycleImpl.phase(LifecycleImpl.java:251)
| at com.sun.faces.lifecycle.LifecycleImpl.execute(LifecycleImpl.java:117)
| at javax.faces.webapp.FacesServlet.service(FacesServlet.java:244)
| at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:290)
| at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
| at org.jboss.seam.servlet.SeamFilter$FilterChainImpl.doFilter(SeamFilter.java:83)
| at org.jboss.seam.debug.hot.HotDeployFilter.doFilter(HotDeployFilter.java:68)
| at org.jboss.seam.servlet.SeamFilter$FilterChainImpl.doFilter(SeamFilter.java:69)
| at org.jboss.seam.web.MultipartFilter.doFilter(MultipartFilter.java:85)
| at org.jboss.seam.servlet.SeamFilter$FilterChainImpl.doFilter(SeamFilter.java:69)
| at org.jboss.seam.web.ExceptionFilter.doFilter(ExceptionFilter.java:64)
| at org.jboss.seam.servlet.SeamFilter$FilterChainImpl.doFilter(SeamFilter.java:69)
| at org.jboss.seam.web.RedirectFilter.doFilter(RedirectFilter.java:45)
| at org.jboss.seam.servlet.SeamFilter$FilterChainImpl.doFilter(SeamFilter.java:69)
| at org.ajax4jsf.webapp.BaseXMLFilter.doXmlFilter(BaseXMLFilter.java:141)
| at org.ajax4jsf.webapp.BaseFilter.doFilter(BaseFilter.java:281)
| at org.jboss.seam.web.Ajax4jsfFilter.doFilter(Ajax4jsfFilter.java:60)
| at org.jboss.seam.servlet.SeamFilter$FilterChainImpl.doFilter(SeamFilter.java:69)
| at org.jboss.seam.web.LoggingFilter.doFilter(LoggingFilter.java:58)
| at org.jboss.seam.servlet.SeamFilter$FilterChainImpl.doFilter(SeamFilter.java:69)
| at org.jboss.seam.servlet.SeamFilter.doFilter(SeamFilter.java:158)
| at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235)
| at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
| at org.jboss.web.tomcat.filters.ReplyHeaderFilter.doFilter(ReplyHeaderFilter.java:96)
| at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235)
| at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
| at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:230)
| at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:175)
| at org.jboss.web.tomcat.security.SecurityAssociationValve.invoke(SecurityAssociationValve.java:179)
| at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:432)
| at org.jboss.web.tomcat.security.JaccContextValve.invoke(JaccContextValve.java:84)
| at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:127)
| at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:102)
| at org.jboss.web.tomcat.service.jca.CachedConnectionValve.invoke(CachedConnectionValve.java:157)
| at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:109)
| at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:262)
| at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:844)
| at org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.process(Http11Protocol.java:583)
| at org.apache.tomcat.util.net.JIoEndpoint$Worker.run(JIoEndpoint.java:446)
| at java.lang.Thread.run(Thread.java:595)
|
What's wrong? Why can't I call a restricted EJB method?