[jboss-user] [Security] - Re: Caller unauthorized on using a ejb3 statetlesssessionbea
praenti
do-not-reply at jboss.com
Fri Oct 9 10:25:45 EDT 2009
Ok, I have some new errors using a servlet, but this is also not working.
After I had a deeper look into the Web based authentication, I've seen that this is not usable for my usecase, because the service must be also usable over a Public-Key-Infrastructure. The Web based authentication does not support that.
What I've seen the JAASLoginModule is called ervery time I access an EJB. The strange thing is that the login works, but on accessing an EJB I get an Invalid user error and a message "Bad password for username=null" from JAAS, so it looks that the JAAS module forgets my username and password I logged in before successfully. I suppose, this is the problem of the previous error.
The question now is how I can solve that issue.
This is the complete error until the call of the EJB method:
| 16:12:42,099 INFO [SpiiderLoginModule] trying dn: uid=extern.michael.obster, ou=External,ou=People,ou=Access
| 16:12:42,099 INFO [SpiiderLoginModule] Logging into LDAP server, env={java.naming.factory.initial=com.sun.jndi.ldap.LdapCtxFactory, dsJndiName=cancardviewerDS, rolesQuery=SELECT u.userid, r."role" FROM "security".application_user u, "security".application_role r, "security".user_role ur WHERE u.userid = ? AND u.userid = ur.user_id AND ur.role_id = r."role", java.naming.security.principal=uid=extern.michael.obster, ou=External,ou=People,ou=Access, jboss.security.security_domain=cancardDomain, java.naming.provider.url=ldap://ldaphost, java.naming.security.authentication=simple, java.naming.security.credentials=***, principal.dn.groups=ou=Corporate,ou=People,ou=Access:ou=External,ou=People,ou=Access}
| 16:12:42,130 INFO [SpiiderLoginModule] Logged into LDAP server, javax.naming.ldap.InitialLdapContext at 9e50cd
| 16:12:42,130 INFO [SpiiderLoginModule] getRoleSets using rolesQuery: SELECT u.userid, r."role" FROM "security".application_user u, "security".application_role r, "security".user_role ur WHERE u.userid = ? AND u.userid = ur.user_id AND ur.role_id = r."role", gid: 12A44E672EA8C49B
| 16:12:42,146 INFO [LoginServlet] User extern.michael.obster: login successfull!
|
| 16:12:42,146 DEBUG [LoginServlet] init JAASInterceptor: loginDomain:cancardDomain clientLoginDomain:client-login
| 16:12:42,193 INFO [SpiiderLoginModule] LdapLoginModule, dsJndiName=cancardviewerDS
| 16:12:42,193 INFO [SpiiderLoginModule] rolesQuery=SELECT u.userid, r."role" FROM "security".application_user u, "security".application_role r, "security".user_role ur WHERE u.userid = ? AND u.userid = ur.user_id AND ur.role_id = r."role"
| 16:12:42,193 INFO [SpiiderLoginModule] defaultRole=RegularUser
| 16:12:42,193 DEBUG [SpiiderLoginModule] Bad password for username=null
| 16:12:42,193 ERROR [[LoginServlet]] Servlet.service() for servlet LoginServlet threw exception
| javax.ejb.EJBAccessException: Invalid User
| at org.jboss.ejb3.security.Ejb3AuthenticationInterceptorv2.invoke(Ejb3Au
| thenticationInterceptorv2.java:165)
| at org.jboss.aop.joinpoint.MethodInvocation.invokeNext(MethodInvocation.
| java:102)
| at org.jboss.ejb3.ENCPropagationInterceptor.invoke(ENCPropagationInterce
| ptor.java:41)
| at org.jboss.aop.joinpoint.MethodInvocation.invokeNext(MethodInvocation.
| java:102)
| at org.jboss.ejb3.BlockContainerShutdownInterceptor.invoke(BlockContaine
| rShutdownInterceptor.java:67)
| at org.jboss.aop.joinpoint.MethodInvocation.invokeNext(MethodInvocation.
| java:102)
| at org.jboss.aspects.currentinvocation.CurrentInvocationInterceptor.invo
| ke(CurrentInvocationInterceptor.java:67)
| at org.jboss.aop.joinpoint.MethodInvocation.invokeNext(MethodInvocation.
| java:102)
| at org.jboss.ejb3.stateless.StatelessContainer.dynamicInvoke(StatelessCo
| ntainer.java:421)
| at org.jboss.ejb3.remoting.IsLocalInterceptor.invokeLocal(IsLocalInterce
| ptor.java:85)
| at org.jboss.ejb3.remoting.IsLocalInterceptor.invoke(IsLocalInterceptor.
| java:72)
| at org.jboss.aop.joinpoint.MethodInvocation.invokeNext(MethodInvocation.
| java:102)
| at org.jboss.aspects.remoting.PojiProxy.invoke(PojiProxy.java:62)
| at $Proxy488.invoke(Unknown Source)
| at org.jboss.ejb3.proxy.impl.handler.session.SessionProxyInvocationHandl
| erBase.invoke(SessionProxyInvocationHandlerBase.java:207)
| at org.jboss.ejb3.proxy.impl.handler.session.SessionProxyInvocationHandl
| erBase.invoke(SessionProxyInvocationHandlerBase.java:164)
| at $Proxy561.updateUser(Unknown Source)
|
And the class LoginServlet.java:
| package vwg.audi.cancard.webservlet;
|
| import java.io.IOException;
|
| import javax.ejb.EJBAccessException;
| import javax.servlet.ServletException;
| import javax.servlet.http.HttpServlet;
| import javax.servlet.http.HttpServletRequest;
| import javax.servlet.http.HttpServletResponse;
|
| import org.apache.log4j.Logger;
| import org.jboss.web.tomcat.security.login.WebAuthentication;
|
| import com.arjuna.ats.arjuna.recovery.Service;
|
| public class LoginServlet extends HttpServlet
| {
| private Logger log = Logger.getLogger(LoginServlet.class);
|
| /**
| *
| */
| private static final long serialVersionUID = -5539909157863711284L;
|
| /**
| * Process the HTTP Get request
| */
| public void doGet(HttpServletRequest request, HttpServletResponse response)
| throws ServletException, IOException
| {
| serveRequest(request, response);
| }
|
| /**
| * Process the HTTP Post request
| */
| public void doPost(HttpServletRequest request, HttpServletResponse response)
| throws ServletException, IOException
| {
| serveRequest(request, response);
| } // doPost
|
| /**
| * In dieser Methode findet die eigentliche Verarbeitung des
| * HTTPServletRequests statt. Sie wird von den beiden public Methoden doPost
| * und doGet aufgerufen.
| */
| public void serveRequest(HttpServletRequest request,
| HttpServletResponse response) throws ServletException, IOException
| {
| String username = "extern.michael.obster";
| String pass = "mypassword";
| // login first
| try {
| login(username, pass);
| }
| catch (Exception e) {
| log.error("Fehler:", e);
| }
|
| String loginDomain = "cancardDomain";
| String clientLoginDomain = "client-login";
| if (log.isDebugEnabled()) {
| log.debug("init JAASInterceptor: loginDomain:" + loginDomain + " clientLoginDomain:" + clientLoginDomain);
| }
|
| // lets try to access ejb3
| try {
| ServiceLocator.getInstance().getUserService().updateUser();
| }
| catch (ServiceLocatorException e) {
| log.error("ServiceLocator error:", e);
| }
| }
|
| /**
| * Helper method for logging in
| * @param username
| * @param strPassword
| * @return
| * @throws Exception
| */
| private String login(String username, String strPassword) throws Exception {
| String loginDomain = "cancardDomain";
| String clientLoginDomain = "client-login";
|
| log.debug("LoginAction: loginDomain:" + loginDomain + " clientLoginDomain:" + clientLoginDomain);
| try {
| LoginFacade loginFacade = new LoginFacade(loginDomain, clientLoginDomain);
| loginFacade.login(username, strPassword);
| } catch (JAASLoginException jaasEx) {
| log.info("User " + username + ": login NOT successfull! " + jaasEx.getErrorKey(), jaasEx);
| return jaasEx.getErrorKey();
| } catch (EJBAccessException ejbEx) {
| //No permission for application
| log.warn(ejbEx);
| Exception ex = ejbEx.getCausedByException();
| log.info("User " + username + ": login NOT successfull! " + ejbEx.getMessage(), ejbEx);
|
| if (ex instanceof SecurityException) {
| return JAASConstants.NO_RIGHTS;
| } else {
| return JAASConstants.USER_NOT_AUTHENTICATED;
| }
| }
| catch (Exception ex) {
| log.info("User " + username + ": login NOT successfull! " + ex.getMessage(), ex);
| throw ex;
| // return JAASConstants.NO_RIGHTS;
| }
| log.info("User " + username + ": login successfull!");
| return JAASConstants.USER_IS_VALID;
| }
|
| }
|
View the original post : http://www.jboss.org/index.html?module=bb&op=viewtopic&p=4259657#4259657
Reply to the post : http://www.jboss.org/index.html?module=bb&op=posting&mode=reply&p=4259657
More information about the jboss-user
mailing list