Hi Oleg,

This feature was added to the standalone client in Geronimo 2.0.

-David

On Aug 22, 2007, at 7:09 AM, Oleg Nitz wrote:

Hi All,

I am trying to set up JAAS login for standalone client.
On server I have successfully deployed EAR with the following security section in geronimo-application.xml:

    <security xmlns="http://geronimo.apache.org/xml/ns/security-1.1">
        <default-principal realm-name="irbis">
            <principal class="org.apache.geronimo.security.realm.providers.GeronimoUserPrincipal"
                       name="anonymous"/>
        </default-principal>
        <role-mappings>
            <role role-name="user">
                <realm realm-name="irbis">
                    <principal name="user"
                               class="org.apache.geronimo.security.realm.providers.GeronimoGroupPrincipal"/>
                </realm>
            </role>
        </role-mappings>
    </security>

    <gbean name="irbis"
           class="org.apache.geronimo.security.realm.GenericSecurityRealm">
        <attribute name="realmName">irbis</attribute>
        <reference name="ServerInfo">
            <name>ServerInfo</name>
        </reference>
        <reference name="LoginService">
            <name>JaasLoginService</name>
        </reference>
        <xml-reference name="LoginModuleConfiguration">
            <login-config xmlns="http://geronimo.apache.org/xml/ns/loginconfig-1.1">
                <login-module control-flag="REQUIRED" server-side="true" wrap-principals="true">
                    <login-domain-name>irbis</login-domain-name>
                    <login-module-class>ua.odessa.ibis.start.IServerLoginModuleGeneric</login-module-class>
                </login-module>
            </login-config>
        </xml-reference>
    </gbean>

Client code:

LoginContext lc = new LoginContext("irbis", _callbackHandler);
lc.login();

...

Properties props = new Properties();

props.setProperty("java.naming.factory.initial",
                  "org.openejb.client.RemoteInitialContextFactory");
props.setProperty("java.naming.provider.url", "localhost:4201");
props.setProperty("java.naming.security.principal", "admin");
props.setProperty("java.naming.security.credentials", "******");
InitialContext ic = new InitialContext(props);
// lookup(...) must be closed before the target class is passed to narrow()
UserRegistryHome regHome = (UserRegistryHome)
    PortableRemoteObject.narrow(ic.lookup("<bean jndi name>"),
                                UserRegistryHome.class);

The first piece of code with lc.login() works fine, the server login module is invoked. But I am not sure that Geronimo stores the principal and the credentials from the login somewhere in order to use them later during bean method invocation (as JBoss does). Probably this piece of code is useless for Geronimo, right? So I provide the principal and credentials during the JNDI lookup() as the Geronimo documentation suggests. I hoped they were somehow transferred to the server LoginModule. But they are not. Instead I am getting the following exception:

java.rmi.AccessException: access denied (javax.security.jacc.EJBMethodPermission core.user.registry.UserRegistry create,Home,)
        at org.openejb.security.EJBSecurityInterceptor.invoke(EJBSecurityInterceptor.java:106)
        at org.openejb.security.EJBRunAsInterceptor.invoke(EJBRunAsInterceptor.java:85)
        at org.openejb.slsb.StatelessInstanceInterceptor.invoke(StatelessInstanceInterceptor.java:98)
        at org.openejb.transaction.ContainerPolicy$TxSupports.invoke(ContainerPolicy.java:198)
        at org.openejb.transaction.TransactionContextInterceptor.invoke(TransactionContextInterceptor.java:80)
        at org.openejb.SystemExceptionInterceptor.invoke(SystemExceptionInterceptor.java:82)
        at org.openejb.GenericEJBContainer$DefaultSubjectInterceptor.invoke(GenericEJBContainer.java:549)
        at org.openejb.GenericEJBContainer.invoke(GenericEJBContainer.java:238)
        at org.openejb.server.ejbd.EjbRequestHandler.invoke(EjbRequestHandler.java:297)
        at org.openejb.server.ejbd.EjbRequestHandler.doEjbHome_CREATE(EjbRequestHandler.java:342)
        at org.openejb.server.ejbd.EjbRequestHandler.processRequest(EjbRequestHandler.java:206)
        at org.openejb.server.ejbd.EjbDaemon.service(EjbDaemon.java:150)
        at org.openejb.server.ejbd.EjbServer.service(EjbServer.java:87)
        at org.openejb.server.ejbd.EjbServer$$FastClassByCGLIB$$d379d2ff.invoke(<generated>)
        at net.sf.cglib.reflect.FastMethod.invoke(FastMethod.java:53)
        at org.apache.geronimo.gbean.runtime.FastMethodInvoker.invoke(FastMethodInvoker.java:38)
        at org.apache.geronimo.gbean.runtime.GBeanOperation.invoke(GBeanOperation.java:122)
        at org.apache.geronimo.gbean.runtime.GBeanInstance.invoke(GBeanInstance.java:817)
        at org.apache.geronimo.gbean.runtime.RawInvoker.invoke(RawInvoker.java:57)
        at org.apache.geronimo.kernel.basic.RawOperationInvoker.invoke(RawOperationInvoker.java:35)
        at org.apache.geronimo.kernel.basic.ProxyMethodInterceptor.intercept(ProxyMethodInterceptor.java:96)
        at org.activeio.xnet.ServerService$$EnhancerByCGLIB$$6635a4ab.service(<generated>)
        at org.activeio.xnet.ServicePool$2.run(ServicePool.java:67)
        at org.activeio.xnet.ServicePool$3.run(ServicePool.java:90)
        at org.apache.geronimo.pool.ThreadPool$1.run(ThreadPool.java:172)
        at org.apache.geronimo.pool.ThreadPool$ContextClassLoaderRunnable.run(ThreadPool.java:289)
        at EDU.oswego.cs.dl.util.concurrent.PooledExecutor$Worker.run(Unknown Source)
        at java.lang.Thread.run(Thread.java:595)

Under the debugger I see that inside EJBSecurityInterceptor the wrong Subject is used: it's "anonymous", which is declared as the default-principal, and not "admin", which is passed to the JNDI context.
What am I doing wrong?

Thanks in advance,
Oleg


