[jboss-user] [Security & JAAS/JBoss] - After Login standalone client -> getCallerPrincipal on JBos

noFreak do-not-reply at jboss.com
Thu Sep 4 14:48:06 EDT 2008

Hi all,
I have written a client-side LoginModule which acquires a Kerberos Service Ticket and then "sends it" to JBoss. This works with the SecurityAssociationActions (I have copied the class to the client... I know, it's not very good...), the same way the ClientLoginModule does:

SecurityAssociationActions.setPrincipalInfo(loginPrincipal, loginCredential, subject);

The loginCredential contains the Kerberos Service Ticket. This is done by the KerberosClientLoginModule class.

Then, on the server side I use the Service Ticket to authenticate the user (with Win2k3 Server exchange and Java GSS-API functions). This is done by the KerberosJBossLoginModule. It works fine. After that's done I use the IdentityRoleMappingLoginModule to obtain the roles from my database with the help of the username. Only the name of the user is used for this (the database doesn't contain information about the service ticket, only the username). It works fine too. This module depends on the DatabaseLoginModule and does the following with the obtained (correct) username:

But then I want to use sessionContext.getCallerPrincipal in the EJB and I get an empty String. Furthermore I use the ClientLoginModule and a third login module as follows:

<application-policy name="orga-security">
  <authentication>
    <login-module code="com.mgsoftech.orga.security.KerberosJBossLoginModule" flag="requisite">
      <module-option name="storeKey">true</module-option>
      <module-option name="isInitiator">false</module-option>
      <module-option name="krbRealm">myDomain</module-option>
      <module-option name="name">JBossUserName</module-option>
      <module-option name="password">JBossPW</module-option>
      <module-option name="kdcAddress">ipAddres</module-option>
      <module-option name="debug">true</module-option>
    </login-module>
    <login-module code="com.mgsoftech.orga.security.IdentityRoleMappingLoginModule" flag="required">
      <module-option name="password-stacking">useFirstPass</module-option>
      <module-option name="dsJndiName">workingDBName</module-option>
      <module-option name="rolesQuery">workingRolesQuery</module-option>
    </login-module>
    <login-module code="org.jboss.security.ClientLoginModule" flag="required">
      <module-option name="password-stacking">useFirstPass</module-option>
      <module-option name="multi-threaded">true</module-option>
    </login-module>
  </authentication>
</application-policy>

but sessionContext.getCallerPrincipal doesn't work, although I use the ClientLoginModule... :(
Does anybody know what I could be doing wrong?

View the original post : http://www.jboss.com/index.html?module=bb&op=viewtopic&p=4174406#4174406
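As an added illustration (not the poster's code, and not the KerberosJBossLoginModule described above), here is the shape a server-side module takes when it is built on JBoss 4.x's AbstractServerLoginModule: the base class's commit() copies getIdentity() and the groups from getRoleSets() into the Subject, and a "CallerPrincipal" group is the documented way to pin the name the container hands back from getCallerPrincipal(). The class name TicketIdentityLoginModule, the use of ObjectCallback to receive the ticket as a byte[] token, and the assumption that GSS can reach the service key (the module running under a Subject that holds the acceptor credential) are all assumptions of this example.

```java
// Added example, not the poster's code. Assumes the JBoss 4.x login SPI and that GSS can reach the service key.
import java.security.Principal;
import java.security.acl.Group;
import javax.security.auth.callback.Callback;
import javax.security.auth.login.LoginException;
import org.ietf.jgss.GSSContext;
import org.ietf.jgss.GSSCredential;
import org.ietf.jgss.GSSException;
import org.ietf.jgss.GSSManager;
import org.jboss.security.SimpleGroup;
import org.jboss.security.SimplePrincipal;
import org.jboss.security.auth.callback.ObjectCallback;
import org.jboss.security.auth.spi.AbstractServerLoginModule;
public class TicketIdentityLoginModule extends AbstractServerLoginModule {
    private Principal identity;
    public boolean login() throws LoginException {
        // Assumption: the client-side module passes the AP-REQ token as the credential object.
        ObjectCallback oc = new ObjectCallback("Service ticket: ");
        try {
            callbackHandler.handle(new Callback[] { oc });
        } catch (Exception e) {
            throw new LoginException("credential callback failed: " + e);
        }
        if (!(oc.getCredential() instanceof byte[]))
            throw new LoginException("expected a GSS token as the credential");
        byte[] token = (byte[]) oc.getCredential();
        try {
            // Accept the ticket as the service; the context's source name is the authenticated user.
            GSSContext ctx = GSSManager.getInstance().createContext((GSSCredential) null);
            ctx.acceptSecContext(token, 0, token.length);
            if (!ctx.isEstablished()) throw new LoginException("context not established");
            identity = new SimplePrincipal(ctx.getSrcName().toString());
            ctx.dispose();
        } catch (GSSException e) {
            throw new LoginException("ticket validation failed: " + e.getMessage());
        }
        // Later modules with password-stacking=useFirstPass need both shared-state keys present.
        sharedState.put("javax.security.auth.login.name", identity.getName());
        sharedState.put("javax.security.auth.login.password", new char[0]);
        loginOk = true;
        return true;
    }
    protected Principal getIdentity() { return identity; }
    protected Group[] getRoleSets() {
        // commit() copies these into the Subject; JBoss maps the caller to the "CallerPrincipal" member when present.
        Group caller = new SimpleGroup("CallerPrincipal");
        caller.addMember(identity);
        return new Group[] { new SimpleGroup("Roles"), caller };
    }
}
```

The empty "Roles" group is filled in by the role-mapping module later in the chain, which finds the existing group by name rather than creating a second one.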
