[jboss-user] [Security] - Re: Caller unauthorized on using a ejb3 statetlesssessionbea

praenti do-not-reply at jboss.com
Mon Oct 5 09:36:03 EDT 2009


As I have seen, WebAuthentication only has to be used from the interceptor instead of my own LoginFacade. First of all, is this correct?

So I hope I've moved to WebAuthentication in the correct way. I have seen an example of how to implement a Struts 1 filter. I have used that code to implement my Struts 2 interceptor.

And this is the current error:

  | 15:05:30,318 DEBUG [RealmBase] Username extern.michael.obster does NOT have role AdminUser
  | 
The login principal in the LoginModule gives me a mapping of "extern.michael.obster" to "AdminUser", so this is in some way a discrepancy, which makes me suppose that something of the security context is lost (therefore I wanted to have "deeper" debugging, but I don't see a way to do it because I cannot get better access into JBossWebRealm.java).

This is my new JaasLoginInterceptor:

  | /**
  |  * 
  |  */
  | package vwg.audi.cancard.ui.interceptor;
  | 
  | import javax.servlet.ServletException;
  | import javax.servlet.http.HttpServletRequest;
  | 
  | import org.apache.log4j.Logger;
  | import org.apache.struts2.ServletActionContext;
  | import org.jboss.web.tomcat.security.login.WebAuthentication;
  | 
  | import vwg.audi.cancard.business.LoginFacade;
  | import vwg.audi.cancard.ui.JAASConstants;
  | 
  | import com.opensymphony.xwork2.Action;
  | import com.opensymphony.xwork2.ActionInvocation;
  | import com.opensymphony.xwork2.interceptor.Interceptor;
  | 
  | /**
  |  * JAASLoginInterceptor: Struts 2 interceptor performing the programmatic
  |  * web login via WebAuthentication.
  |  * 
  |  * @author Michael Obster
  |  */
  | public class JAASLoginInterceptor implements Interceptor {
  | 
  | 	private static final long serialVersionUID = -1983088770872827621L;
  | 
  | 	private Logger log = Logger.getLogger(this.getClass());
  | 
  | 	String loginDomain = "";
  | 	String clientLoginDomain = "";
  | 	
  | 	LoginFacade loginFacade;
  | 
  | 	@Override
  | 	public void init() {
  | 		
  | 	}
  | 
  | 	@Override
  | 	public String intercept(ActionInvocation actionInvocation) throws Exception {
  | 		HttpServletRequest request = ServletActionContext.getRequest();
  | 		
  | 		String servletPath = request.getServletPath();
  | 		String pathInfo = request.getPathInfo();
  | 		String path = (servletPath == null ? "" : servletPath)
  | 					+ (pathInfo == null ? "" : pathInfo);
  | 		if (log.isDebugEnabled()) {
  | 			log.debug("Login INTERCEPT");
  | 		}
  | 		
  | 		if (!JAASConstants.USER_IS_VALID.equals(request
  | 				.getSession().getAttribute(
  | 						JAASConstants.USER_VALIDITY))) {
  | 				log.info("requested path: " + path);
  | 				return Action.LOGIN;
  | 		} 
  | 		
  | 		//Get the user name and password based on some attributes from your FORM post
  | 		String username = (String) request.getSession().getAttribute(JAASConstants.USERNAME); //username can be any attribute
  | 		String pass = (String) request.getSession().getAttribute(JAASConstants.PASSWORD); //pass can be any attribute
  | 
  | 		if(username == null || pass == null) {
  | 			throw new RuntimeException("username or password is null");
  | 		}
  | 		WebAuthentication pwl = new WebAuthentication();
  | 		pwl.login(username, pass);
  | 
  | 		if (log.isDebugEnabled()) {
  | 			//The principal is only visible after a web login
  | 			log.debug("User Principal="+request.getUserPrincipal());
  | 			//Basic check whether the user who just did a programmatic login has the role "AdminUser"
  | 			log.debug("isUserInRole(AdminUser)="+request.isUserInRole("AdminUser"));
  | 		}
  | 		
  | 		if(request.getUserPrincipal() == null || !request.isUserInRole("AdminUser")) {
  | 			throw new ServletException("User is not authenticated or the isUserInRole check failed");
  | 		}
  | 
  | 		//Log the user out
  | 		pwl.logout();
  | 
  | 		if(request.getUserPrincipal() != null || request.isUserInRole("AdminUser")) {
  | 			throw new ServletException("User is still authenticated or isUserInRole(AdminUser) still passes after logout");
  | 		}
  | 
  | 		return actionInvocation.invoke();
  | 	}
  | 
  | 	@Override
  | 	public void destroy() {
  | //		loginFacade.logout();
  | 	}
  | 
  | }
  | 

View the original post : http://www.jboss.org/index.html?module=bb&op=viewtopic&p=4258664#4258664

Reply to the post : http://www.jboss.org/index.html?module=bb&op=posting&mode=reply&p=4258664
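Added example, not code from the post above or from the JBoss project: a Struts 2 interceptor that performs the programmatic WebAuthentication login once, keeps the container-managed session authenticated instead of logging out again before the action runs, never stores the password in the HttpSession, and enforces the role check on every request. It assumes WebAuthentication.login(String, Object) returns a boolean success flag, that the login form posts the parameters `j_username` and `j_password` (assumed names), and that a Struts result named `unauthorized` is configured (assumed result name). The package name is also an assumption.

```java
package example.interceptor; // assumed package name

import javax.servlet.http.HttpServletRequest;

import org.apache.log4j.Logger;
import org.apache.struts2.ServletActionContext;
import org.jboss.web.tomcat.security.login.WebAuthentication;

import com.opensymphony.xwork2.Action;
import com.opensymphony.xwork2.ActionInvocation;
import com.opensymphony.xwork2.interceptor.Interceptor;

/**
 * Added example (not from the original post): login once per session via
 * WebAuthentication, then let the action run with the caller's principal
 * and roles. The credential is taken from the request and discarded; it is
 * never written to the session.
 */
public class SessionLoginInterceptor implements Interceptor {

    private static final long serialVersionUID = 1L;

    private static final String REQUIRED_ROLE = "AdminUser";
    private static final String PARAM_USER = "j_username";   // assumed form parameter name
    private static final String PARAM_PASS = "j_password";   // assumed form parameter name
    private static final String UNAUTHORIZED = "unauthorized"; // assumed Struts result name

    private final Logger log = Logger.getLogger(getClass());

    public void init() { }

    public void destroy() { }

    public String intercept(ActionInvocation invocation) throws Exception {
        HttpServletRequest request = ServletActionContext.getRequest();

        // Fast path: the container already associated a principal with this
        // session, so no credentials need to be re-submitted or re-checked.
        if (request.getUserPrincipal() != null) {
            return authorize(request, invocation);
        }

        String username = request.getParameter(PARAM_USER);
        String password = request.getParameter(PARAM_PASS);
        if (username == null || password == null) {
            // No credentials on this request: send the caller to the login page.
            return Action.LOGIN;
        }

        WebAuthentication webAuth = new WebAuthentication();
        // Assumption: login(...) returns true only if the JAAS login succeeded.
        boolean authenticated = webAuth.login(username, password);
        password = null; // drop the credential; it must not live on in the session

        if (!authenticated) {
            log.warn("login failed for user " + username);
            return Action.LOGIN;
        }
        return authorize(request, invocation);
    }

    /** Enforces the role check on every request and denies without invoking the action. */
    private String authorize(HttpServletRequest request, ActionInvocation invocation)
            throws Exception {
        if (!request.isUserInRole(REQUIRED_ROLE)) {
            log.warn("user " + request.getUserPrincipal().getName()
                     + " lacks role " + REQUIRED_ROLE);
            return UNAUTHORIZED;
        }
        return invocation.invoke();
    }
}
```

The difference from the interceptor in the post is the control flow: there the login happens on every request from a password kept in the session, and `logout()` is called before `invoke()`, so the action itself always runs without a principal. Here the role check is the gate to `invoke()`, and a failed check returns a result rather than throwing, so the response stays a controlled denial instead of a stack trace.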
