Hi,

I have been fighting this thing for days. I have read the JAAS how-to and I've read 
through the whole forum and still have not got this right.
Maybe I've become blind to my own code.

I use jboss-3.2.5.

The architecture of my application is as follows:

I have an ear that holds one jar package of one single Stateful Session Bean. It also 
holds one war package of one single html file, one jnlp file (web start init file) and 
a packed and signed jar package of a web start client application. One thing that I am 
not quite sure is the right way to go is that I also deploy the client jar itself 
inside the ear. Is that a correct approach, as on many threads on this forum people 
are talking about the j2ee.clientName jndi attribute?
All of the packages have their own descriptors in place, I'll show them in the end of 
this post.

The application environment works fine. Both as offline client and from web start 
deployment.

When I started trying to fix this JAAS thing I first used my own LoginModule and 
Principal. Authentication worked fine, the problems started when I wanted to use 
authorization on my SessionBeans methods.

The IllegalStateException has been around all the time when I call 
isCallerInRole in a SessionBean.

'java.lang.IllegalStateException: isCallerInRole() called with no security context. 
Check that a security-domain has been set for the application'

Now I do the authentication this way: I have client side conf and policy files, policy 
is AllPermissions and conf uses ClientLoginModule. This is able to put principal and 
credential using SecurityAssociationHandler and perform login.


After this I create SessionBean that makes its own login using the same code and uses 
DatabaseServerLoginModule.
I have both in server side client/auth.conf and server/default/conf/login-config.xml 
set both the ClientLoginModule and DatabaseServerLoginModule in use.

In server.log TRACE it states that the Principal is authenticated and roles are set, 
after this I can loop through in the SessionBean the lc.getSubject() and the roles are 
there.

I have stated in the descriptors security roles and method permissions and the 
security-domain.

I have by now tried this with two session beans and several different options on roles 
and unchecked, and it just feels amazing that some have got this right.

Here are the description files and all other conf files.

JaasClient.policy
************************************
grant
{
        permission java.security.AllPermission;
};

JaasClient.conf
*************************************
client {
    org.jboss.security.ClientLoginModule required;
};

jboss.xml
**************************************

<?xml version="1.0"?>

<jboss>
    <security-domain>java:/jaas/Test</security-domain>
     <enterprise-beans>
       <session>
         <ejb-name>LoginSessionEJB</ejb-name>
         <jndi-name>ejb/LoginSessionHome</jndi-name>
       </session>
     </enterprise-beans>
</jboss>


application.xml
*****************************************
<?xml version="1.0"?>

<!DOCTYPE application PUBLIC
"-//Sun Microsystems, Inc.//DTD J2EE Application 1.3//EN"
"http://java.sun.com/dtd/application_1_3.dtd">


  <display-name>Test application</display-name>
Test
Test_EJB.jar


<web-uri>Test.war</web-uri>
<context-root>Test</context-root>


Test_Client.jar


ejb-jar.xml
***********************************************
<?xml version="1.0"?>

<!DOCTYPE ejb-jar PUBLIC
"-//Sun Microsystems, Inc.//DTD Enterprise JavaBeans 2.0//EN"
"http://java.sun.com/dtd/ejb-jar_2_0.dtd">

<ejb-jar>

 <enterprise-beans>

   <!-- Business Session Bean -->
   <session>
     <ejb-name>LoginSessionEJB</ejb-name>
     <home>session.LoginSessionHome</home>
     <remote>session.LoginSessionRemote</remote>
     <ejb-class>session.LoginSessionBean</ejb-class>
     <session-type>Stateful</session-type>
     <transaction-type>Container</transaction-type>
      <security-role-ref>
        <role-name>USER</role-name>
        <role-link>USER</role-link>
      </security-role-ref>
     <security-role-ref>
        <role-name>UNKNOWN</role-name>
        <role-link>UNKNOWN</role-link>
     </security-role-ref>
   </session>

 </enterprise-beans>

 <assembly-descriptor>
   <security-role>
     <description>USER</description>
     <role-name>USER</role-name>
   </security-role>
   <security-role>
     <description>UKNOWN</description>
     <role-name>UNKNOWN</role-name>
   </security-role>
  <method-permission>
    <role-name>USER</role-name>
    <method>
        <ejb-name>LoginSessionEJB</ejb-name>
        <method-name>*</method-name>
    </method>
  </method-permission>
  <method-permission>
    <role-name>UNKNOWN</role-name>
    <method>
        <ejb-name>LoginSessionEJB</ejb-name>
        <method-name>*</method-name>
    </method>
  </method-permission>

   <container-transaction>
     <method>
        <ejb-name>LoginSessionEJB</ejb-name>
        <method-name>*</method-name>
     </method>
     <trans-attribute>Required</trans-attribute>
   </container-transaction>

 </assembly-descriptor>
</ejb-jar>

jboss-web.xml
*********************************************
<jboss-web>
  <ejb-ref>
    <jndi-name>LoginSessionEJB</jndi-name>
    <ejb-ref-type>Session</ejb-ref-type>
    <home>session.LoginSessionHome</home>
    <remote>session.LoginSessionRemote</remote>
    <ejb-link>LoginSessionEJB</ejb-link>
  </ejb-ref>
</jboss-web>

web.xml
***************************************************
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE web-app PUBLIC "-//Sun Microsystems, Inc.//DTD Web Application 2.3//EN" 
"http://java.sun.com/dtd/web-app_2_3.dtd">
<web-app>
  <!--
    <small-icon>images/small_m.png</small-icon>
    <large-icon>images/large_m.png</large-icon>
  -->
  <display-name>Test_Client</display-name>
  <description>WebModule to handle the java web start application that will serve as client.</description>
  
  <welcome-file-list>
    <welcome-file>Test_Client.html</welcome-file>
  </welcome-file-list>
  <ejb-ref>
    <ejb-ref-name>ejb/LoginSessionHome</ejb-ref-name>
    <ejb-ref-type>Session</ejb-ref-type>
    <home>session.LoginSessionHome</home>
    <remote>session.LoginSessionRemote</remote>
    <ejb-link>LoginSessionEJB</ejb-link>
  </ejb-ref>
</web-app>

jboss-client.xml
*********************************************************
<jboss-client>
   <jndi-name>TestClient</jndi-name>
   <ejb-ref>
      <ejb-ref-name>LoginSessionEJB</ejb-ref-name>
      <jndi-name>LoginSessionEJB</jndi-name>
   </ejb-ref>
</jboss-client>


application-client.xml
**********************************************************
<application-client>
 <display-name>Test Client</display-name>
 <ejb-ref>
  <ejb-ref-name>LoginSessionEJB</ejb-ref-name>
  <ejb-ref-type>Session</ejb-ref-type>
  <home>session.LoginSessionHome</home>
  <remote>session.LoginSessionRemote</remote>
 </ejb-ref>
</application-client>

login-config.xml
************************************************************
<application-policy name = "Test">
<authentication>
<login-module code="org.jboss.security.ClientLoginModule" flag="required"/>
<login-module code="org.jboss.security.auth.spi.DatabaseServerLoginModule" flag="required">
<module-option name ="dsJndiName">java:/MySqlDS</module-option>
<module-option name="principalsQuery">select password from user where username=?</module-option>
<module-option name="rolesQuery">select role, 'Roles' from role where username=?</module-option>
</login-module>
</authentication>
</application-policy>

I already checked that the indexes of database table cells match the way they are 
supposed to with this DatabaseServerLoginModule. 0 username, 1 role, 2 replaced by 
'Roles'

auth.conf
*********************************************************
srp-client {
   // Example client auth.conf for using the SRPLoginModule
   org.jboss.security.srp.jaas.SRPLoginModule required
   password-stacking="useFirstPass"
   principalClassName="org.jboss.security.SimplePrincipal"
   srpServerJndiName="SRPServerInterface"
   debug=true
    ;
   // jBoss LoginModule
   org.jboss.security.ClientLoginModule  required
   password-stacking="useFirstPass"
   ;
   // Put your login modules that need jBoss here
};

Test {
    org.jboss.security.ClientLoginModule  required;
    org.jboss.security.auth.spi.DatabaseServerLoginModule required;
}

other {
   // jBoss LoginModule
   org.jboss.security.ClientLoginModule  required;
   // Put your login modules that need jBoss here
};

For some reason the preview does not show the application.xml properly, hopefully it 
is readable, the module tags disappeared on it for some reason. I describe the client as 
java module in it.

Hopefully someone of you sees what I have done wrong.

Thanks for help in advance

Henri

View the original post : 
http://www.jboss.org/index.html?module=bb&op=viewtopic&p=3852888#3852888
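
A consistency check across three of the descriptors listed in the post (jboss.xml, ejb-jar.xml, login-config.xml), as an added example that is not part of the original post. `check_descriptors`, `sample_ejb_jar` and the sample descriptors are constructed for illustration and reuse only names shown above.

```python
import xml.etree.ElementTree as ET

JAAS_PREFIX = "java:/jaas/"

def check_descriptors(jboss_xml, ejb_jar_xml, login_config_xml):
    """Return a list of findings; an empty list means the descriptors agree."""
    findings = []
    jboss = ET.fromstring(jboss_xml)
    ejb_jar = ET.fromstring(ejb_jar_xml)
    login_config = ET.fromstring(login_config_xml)

    # 1. jboss.xml must carry a <security-domain> directly under <jboss>.
    domain = (jboss.findtext("security-domain") or "").strip()
    if not domain:
        findings.append("jboss.xml: no <security-domain>")
    elif not domain.startswith(JAAS_PREFIX):
        findings.append(f"jboss.xml: {domain!r} does not start with {JAAS_PREFIX}")
    else:
        # 2. The name after java:/jaas/ must match an application-policy.
        name = domain[len(JAAS_PREFIX):]
        policies = {p.get("name") for p in login_config.iter("application-policy")}
        if name not in policies:
            findings.append(f"login-config.xml: no application-policy {name!r}")

    # 3. Roles referenced by role-link or method-permission must be declared.
    def roles(path):
        return {(e.text or "").strip() for e in ejb_jar.findall(path)}
    declared = roles(".//assembly-descriptor/security-role/role-name")
    used = roles(".//security-role-ref/role-link") | roles(".//method-permission/role-name")
    for role in sorted(used - declared):
        findings.append(f"ejb-jar.xml: role {role!r} used but not declared")
    return findings

# Constructed sample descriptors (names reused from the post, DOCTYPEs omitted).
JBOSS_OK = "<jboss><security-domain>java:/jaas/Test</security-domain></jboss>"
JBOSS_NO_DOMAIN = "<jboss><enterprise-beans/></jboss>"
LOGIN_CONFIG = '<policy><application-policy name="Test"/></policy>'

def sample_ejb_jar(declared_roles):
    """Build a minimal ejb-jar.xml whose method permissions use USER and UNKNOWN."""
    decl = "".join(f"<security-role><role-name>{r}</role-name></security-role>"
                   for r in declared_roles)
    perms = "".join(f"<method-permission><role-name>{r}</role-name></method-permission>"
                    for r in ("USER", "UNKNOWN"))
    return f"<ejb-jar><assembly-descriptor>{decl}{perms}</assembly-descriptor></ejb-jar>"

if __name__ == "__main__":
    for finding in check_descriptors(JBOSS_NO_DOMAIN, sample_ejb_jar(["USER"]), LOGIN_CONFIG):
        print(finding)
```
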
