[jboss-user] [JCA/JBoss] - Passing current user identity to the back-end database

sztank do-not-reply at jboss.com
Thu Jul 12 14:02:28 EDT 2007


I'm developing an application with the following requirement:

All users have a database accounts and the application level authorization should be used also with the database. So I need to pass through the current user identity to the back-end database. 

I'm using Jboss as 4.0.5 and Jboss Seam 1.2.1. The project I start with is generated with seam-gen utility. I get some directions  on the Seam forum that this should be possible with proper configuration of the JCA datasource.

According to the informations I founded on wiki and docs I trying to use CallerIdentityLoginModule in the following way:

I added policy to the login-config.xml file

  | <application-policy name = "testdbRealm">
  |     <authentication>
  |       <login-module code = "org.jboss.resource.security.CallerIdentityLoginModule" flag = "required">
  |           <module-option name = "userName">dumy</module-option>
  |           <module-option name = "password">dumy_pwd</module-option>
  |          <module-option name = "managedConnectionFactoryName">jboss.jca:service=LocalTxCM,name=dbtestDatasource</module-option>
  |       </login-module>
  |    </authentication>
  | </application-policy>

datasource config file dbtest-ds.xml:

  | <datasources>
  |    <local-tx-datasource>
  |       <jndi-name>dbtestDatasource</jndi-name>
  |       <connection-url>jdbc:postgresql:dbtest</connection-url>
  |       <driver-class>org.postgresql.Driver</driver-class>
  |       <security-domain>testdbRealm</security-domain>
  |    </local-tx-datasource>
  | </datasources>

web.xml file:

  | <security-constraint>
  |   <display-name>Restrict raw XHTML Documents</display-name>
  |   <web-resource-collection>
  |    <web-resource-name>XHTML</web-resource-name>
  |    <url-pattern>*.xhtml</url-pattern>
  |    <http-method>GET</http-method>
  |    <http-method>POST</http-method>
  |   </web-resource-collection>
  |   <auth-constraint>
  |    <role-name>admin</role-name>
  |   </auth-constraint>
  |  </security-constraint>
  |  <login-config>
  |   <auth-method>BASIC</auth-method>
  |   <realm-name>testdbRealm</realm-name>
  |  </login-config>
  |  <security-role>
  |   <role-name>admin</role-name>
  |  </security-role>

And according to the Seam doc I set the jaas-config-name property in the components.xml file:

  | <security:identity authenticate-method="#{authenticator.authenticate}"
  |    					  jaas-config-name="testdbRealm"/>

Now I have the following behavior:
The application deploys and works, the *.xhtml pages are displayed but application is not asking for authorization. The database connection is set with the default user and pwd provided in the login-config.xml file (dumy, dumy_pwd). 

When I try to remove the default user and pwd from the login-config.xml file:

  | <application-policy name = "testdbRealm">
  |     <authentication>
  |       <login-module code = "org.jboss.resource.security.CallerIdentityLoginModule" flag = "required">
  |          <module-option name = "managedConnectionFactoryName">jboss.jca:service=LocalTxCM,name=dbtestDatasource</module-option>
  |       </login-module>
  |    </authentication>
  | </application-policy>

then I have errors during deployment because the database connection can't be created (I'm not sure why - think that hibernate try to open the database during the deployment to do its mapping job). I see in server logs that CallerIdentityLoginModule is used. 

I stick on this problem and don't know how finish seting up things to enforce the behavior I write about on the beginning. Do I have to call CallerIdentityLoginModule directly from my application? 

I'm trying to resolve this issue for quite a long time. I'm not the JBoss and J2EE specialist (yet) (I'm the one who believed that building application's with JBoss + Seam combo is simple and trying to follow) so I appreciate any help and explanations how this mechanism works very much.

Best Regards

View the original post : http://www.jboss.com/index.html?module=bb&op=viewtopic&p=4063654#4063654

Reply to the post : http://www.jboss.com/index.html?module=bb&op=posting&mode=reply&p=4063654

More information about the jboss-user mailing list