There are a few things you need to do:

I have not tried this with 2.2.1 but from the jboss-tomcat-2.2 download:

To secure the beans for access from a Java client:

Edit $JBOSS/conf/default/auth.conf and add this entry:

other {
    org.jboss.security.plugins.samples.DatabaseServerLoginModule required
    dsJndiName="java:/DefaultDS" principalsQuery="select Password from Principals where PrincipalID=?" rolesQuery="select Role, RoleGroup from Roles where PrincipalID=?";
};


Note that dsJndiName="... is all one line.

This is using the default datasource (if you have not changed this it will
be using the hypersonic database). You will need to create two tables to
supply the users/passwords and the roles:

create table principals (
        principalid varchar(64) primary key,
        password varchar(64)
)


create table roles (
        principalid varchar(64),
        role varchar(64),
        rolegroup varchar(64),
        primary key (principalid, role),
        foreign key (principalid) references principals (principalid)
)


To add a user admin, password adm with the role administrator:

insert into principals values ('admin', 'adm')
insert into roles values ('admin', 'administrator', null)

You will now need to tell the container to use this security setting.
In the META-INF directory for your beans add a file called jboss.xml with the
following content:

<?xml version="1.0"?>
<jboss>
        <!-- All bean containers use this security manager by default -->
        <security-domain>java:/jaas/other</security-domain>
        <container-configurations>
                <container-configuration>
                        <container-name>Standard CMP EntityBean</container-name>
                        <role-mapping-manager>java:/jaas/other</role-mapping-manager>
                        <authentication-module>java:/jaas/other</authentication-module>
                </container-configuration>
                <container-configuration>
                        <container-name>Standard Stateless SessionBean</container-name>
                        <role-mapping-manager>java:/jaas/other</role-mapping-manager>
                        <authentication-module>java:/jaas/other</authentication-module>
                </container-configuration>
                <container-configuration>
                        <container-name>Standard Stateful SessionBean</container-name>
                        <role-mapping-manager>java:/jaas/other</role-mapping-manager>
                        <authentication-module>java:/jaas/other</authentication-module>
                </container-configuration>
        </container-configurations>
</jboss>

This overrides the default container settings, telling the container to use
the 'other' config that was set up in the previous step.


In your ejb-jar.xml you need to set up the method descriptions:

        <assembly-descriptor>
                <!-- Declare a security role called administrator -->
                <security-role>
                        <role-name>administrator</role-name>
                </security-role>
                <!-- Define the method permission for each bean.
                     Below all the methods of SimpleSession and SimpleEntity are
                     assigned the security role administrator -->
                <method-permission>
                        <role-name>administrator</role-name>
                        <method>
                                <ejb-name>SimpleSession</ejb-name>
                                <method-name>*</method-name>
                        </method>
                </method-permission>
                <method-permission>
                        <role-name>administrator</role-name>
                        <method>
                                <ejb-name>SimpleEntity</ejb-name>
                                <method-name>*</method-name>
                        </method>
                </method-permission>
        </assembly-descriptor>

This means that all the methods on SimpleSession and SimpleEntity need the
user to have the role administrator.


Your Java client needs to be able to supply the username and password. This
is done using a callback.

A simple Java client looks like this:


import java.io.IOException;
import javax.naming.InitialContext;
import javax.rmi.PortableRemoteObject;
import javax.security.auth.callback.*;
import javax.security.auth.login.*;


public class SessionClient
{
    // Read a user name from stdin (for interactive use instead of command-line arguments).
    static String getUserName()
    {
        System.out.print("Name: ");
        try {
            byte[] buf = new byte[256];
            int read = System.in.read(buf, 0, buf.length);
            System.out.println();
            return new String(buf, 0, read).trim();
        } catch (IOException ex) {
            return null;
        }
    }

    // Read a password from stdin; returned as char[] so it can be cleared after use.
    static char[] getPassword()
    {
        System.out.print("Password: ");
        try {
            byte[] buf = new byte[256];
            int read = System.in.read(buf, 0, buf.length);
            System.out.println();
            return new String(buf, 0, read).trim().toCharArray();
        } catch (IOException ex) {
            return null;
        }
    }

    // Supplies the user name and password to whichever callbacks the login module asks for.
    static class AppCallbackHandler implements CallbackHandler
    {
        private String username;
        private char[] password;

        public AppCallbackHandler(String username, char[] password)
        {
            this.username = username;
            this.password = password;
        }

        public void handle(Callback[] callbacks) throws
            java.io.IOException, UnsupportedCallbackException
        {
            for (int i = 0; i < callbacks.length; i++)
            {
                if (callbacks[i] instanceof NameCallback)
                {
                    NameCallback nc = (NameCallback) callbacks[i];
                    nc.setName(username);
                }
                else if (callbacks[i] instanceof PasswordCallback)
                {
                    PasswordCallback pc = (PasswordCallback) callbacks[i];
                    pc.setPassword(password);
                }
                else
                {
                    throw new UnsupportedCallbackException(callbacks[i],
                        "Unrecognized Callback");
                }
            }
        }
    }

    public static void main(String[] args)
    {
        String name = "admin";
        char[] password = "adm".toCharArray();

        if (args.length >= 2)
        {
            name = args[0];
            password = args[1].toCharArray();
        }
        // Client-side JAAS configuration (contains the "TestClient" entry); adjust the path
        System.setProperty("java.security.auth.login.config",
            "file:///g:/jboss-tomcat--2.2/jboss-2.2/client/auth.conf");

        LoginContext lc;
        try
        {
            AppCallbackHandler handler = new AppCallbackHandler(name, password);
            lc = new LoginContext("TestClient", handler);
            System.out.println("Created LoginContext");
            lc.login();
        }
        catch (LoginException le)
        {
            System.out.println("Login failed");
            le.printStackTrace();
            return; // do not go on to call the beans without a successful login
        }

        try
        {
            InitialContext iniContext = new InitialContext();
            Object ref = iniContext.lookup("SimpleSession");
            SimpleSessionHome home = (SimpleSessionHome)
                PortableRemoteObject.narrow(ref, SimpleSessionHome.class);

            SimpleSession bean = home.create();
            // make calls on the bean
            bean.remove();
        }
        catch (Exception e)
        {
            e.printStackTrace();
        }
        finally
        {
            // drop the authenticated Subject once the client is done with the beans
            try { lc.logout(); } catch (LoginException le) { le.printStackTrace(); }
        }
    }
}

To integrate the security with Tomcat as well:

Get the CVS download and copy contrib/tomcat/tomcat-service.jar to
jboss2.2/lib/ext (there is a bug in the 2.2 distribution).

Edit the tomcat/conf/server.xml file:


        <RequestInterceptor
                className="org.apache.tomcat.request.JDBCRealm"
                debug="99"
                driverName="org.hsql.jdbcDriver"
                connectionURL="jdbc:HypersonicSQL:hsql://localhost:1476"
                connectionName="sa"
                connectionPassword=""
                userTable="principals"
                userNameCol="PrincipalID"
                userCredCol="password"
                userRoleTable="roles"
                roleNameCol="role" />

        <RequestInterceptor className="org.jboss.tomcat.security.JbossRealm" />

It is important to check that these entries do not already exist in server.xml,
and not to replicate them if they do.
Also make sure that other 'Realm' interceptors, such as SimpleRealm, are
commented out. The best way of adding the above interceptors is to search for
SimpleRealm, make sure that SimpleRealm is commented out, then add the
JDBCRealm before it. JDBCRealm MUST come before SimpleRealm.

Edit jboss-2.2/conf/tomcat/jboss.properties and make sure that
java.security.auth.login.config points to the tomcat config. (Note that the
above step specifying 'other' in auth.conf would be done in
jboss-2.2/conf/tomcat instead of in default.)

        java.security.auth.login.config==file:../conf/tomcat/auth.conf

That should be it.

Hope it goes well

Dug

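The JAAS flow the mail above configures (a LoginContext, a CallbackHandler supplying name and password, and a "required" login module that does a principals lookup and then a roles lookup), as an added stand-alone example that is not part of the original mail or of JBoss: a hypothetical in-memory TableLoginModule stands in for DatabaseServerLoginModule and its two SQL queries, so both the success and the rejection path can be run without a server or database. The names JaasFlowDemo, TableLoginModule and creds, and the in-memory tables, are assumptions made for the example.

```java
import java.security.Principal;
import java.util.*;
import javax.security.auth.Subject;
import javax.security.auth.callback.*;
import javax.security.auth.login.*;
import javax.security.auth.spi.LoginModule;

public class JaasFlowDemo {
    static final Map<String, String> PRINCIPALS = Map.of("admin", "adm");          // constructed stand-in for the principals table (plaintext, as in the mail)
    static final Map<String, List<String>> ROLES = Map.of("admin", List.of("administrator")); // constructed stand-in for the roles table
    public static class TableLoginModule implements LoginModule {                  // hypothetical: does in memory what principalsQuery/rolesQuery do
        private Subject subject; private CallbackHandler handler; private String user;
        public void initialize(Subject s, CallbackHandler h, Map<String, ?> sh, Map<String, ?> o) { subject = s; handler = h; }
        public boolean login() throws LoginException {
            NameCallback nc = new NameCallback("Name: ");
            PasswordCallback pc = new PasswordCallback("Password: ", false);
            try { handler.handle(new Callback[] { nc, pc }); }           // asks the client's handler, like the mail's AppCallbackHandler
            catch (Exception e) { throw new LoginException("callback failed: " + e); }
            String expected = PRINCIPALS.get(nc.getName());               // principalsQuery: password for this PrincipalID
            if (expected == null || !Arrays.equals(expected.toCharArray(), pc.getPassword()))
                throw new FailedLoginException("bad user or password");   // same message for unknown user and wrong password
            pc.clearPassword(); user = nc.getName(); return true;
        }
        public boolean commit() {                                         // rolesQuery, run only after a successful login phase
            String u = user; subject.getPrincipals().add((Principal) () -> u);
            for (String r : ROLES.getOrDefault(u, List.of())) subject.getPrincipals().add((Principal) () -> r);
            return true;
        }
        public boolean abort() { user = null; return true; }
        public boolean logout() { subject.getPrincipals().clear(); return true; }
    }
    static final Configuration CONFIG = new Configuration() {             // programmatic form of auth.conf: other { <module> required; };
        public AppConfigurationEntry[] getAppConfigurationEntry(String n) { return new AppConfigurationEntry[] {
            new AppConfigurationEntry(TableLoginModule.class.getName(),
                AppConfigurationEntry.LoginModuleControlFlag.REQUIRED, Map.of()) }; }
    };
    static CallbackHandler creds(String name, String pw) {                // the mail's AppCallbackHandler, written as a lambda
        return cbs -> { for (Callback c : cbs) {
            if (c instanceof NameCallback) ((NameCallback) c).setName(name);
            else if (c instanceof PasswordCallback) ((PasswordCallback) c).setPassword(pw.toCharArray());
            else throw new UnsupportedCallbackException(c, "Unrecognized Callback"); } };
    }
    public static void main(String[] args) throws Exception {
        LoginContext lc = new LoginContext("other", null, creds("admin", "adm"), CONFIG);
        lc.login();                                                       // succeeds: Subject now carries admin and administrator
        for (Principal p : lc.getSubject().getPrincipals()) System.out.println("principal: " + p.getName());
        try { new LoginContext("other", null, creds("admin", "wrong"), CONFIG).login(); }
        catch (LoginException e) { System.out.println("rejected: " + e.getMessage()); }
    }
}
```

Compile and run with a Java 9 or newer JDK; no JBoss classes are needed because the login module, configuration and handler are all defined in the file.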

> -----Original Message-----
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED]]On Behalf Of John P.
> Coffey
> Sent: 28 April 2001 10:26
> To: [EMAIL PROTECTED]
> Subject: [JBoss-user] JAAS Tutorial
>
>
> I'm very new at using JBoss and my first task is to attempt to secure an
> existing set of EJB beans via roles and users.  I intend using a database to
> store these in.  I am looking for a good starting point.  I spent an
> inordinate amount of time looking for a step by step guide on how to enable
> the JBOSS server right out of the zip (so to speak) with the JAAS
> extensions.  I have only been partially successful in identifying the steps
> required.  Here is why I am confused.  It seems like JBossSX is the part of
> the product, however it looks like this is separate code that one downloads
> as per the CVS source code (it is specified as a separate JBoss Project from
> the home page).  I eventually tracked down a HowTo on the Security Walk
> Through - first cut, however the LoginModules and CD sample that are
> referenced are nowhere to be found in the vanilla off the shelf install.
> Where should I find these pieces to the puzzle and how can I build them?
>
> Does anybody out there have some examples on how to do this?  An updated
> version of this howto would be invaluable.
>
> Any help on this matter would be greatly appreciated
>
> John Coffey
> Pingtel Corporation
>
>
> _______________________________________________
> JBoss-user mailing list
> [EMAIL PROTECTED]
> http://lists.sourceforge.net/lists/listinfo/jboss-user
>
