Thanks for the advice, John and Kathleen. First, Kathleen's advice. I
switched on -Djonathan.tcpip.verbose=true in the Tomcat JVM and got
Trying to connect to 193.128.240.155 on port 12340.
Connected to Socket[addr=joes-pc.rbgkew.org.uk/193.128.240.155,port=12340,localport=3300]
Trying to connect to 193.128.240.155 on port 3279.
Connected to Socket[addr=joes-pc.rbgkew.org.uk/193.128.240.155,port=3279,localport=3307]
...which looks fine to me. But tracing out the home still shows the
"0.0.0.0" IP address! I also tried -Djonathan.tcpip.localhost and it didn't
make any difference - unsurprising since it would appear that Jonathan is
resolving IP addresses okay. Perhaps the 0.0.0.0 is a red herring?
Second, following John's suggestion I switched on tracing at all levels in
Jonas (why didn't I think of that before - duh). I get
RoleMechanismImpl.isCallerInRole(name = JOnAS_client,roles : [Ljava.lang.String;@4aeb52)
RoleMechanismImpl : tomcat, roles : tomcat,
principalRoles : null
sending_reply() : creates reply context null
java.lang.NullPointerException
<<no stack trace available>>
Where the last two lines are reported by me. Looking through the Jonas source,
I think the NullPointerException is from a null return from
JonasSecurityReceiver.sending_reply(). The code is:
SecurityContext ctx = current.getSecurityContext();
Trace.outln(trace, "sending_reply() : creates reply context "+ ctx+"\n");
return ctx;
The "principalRoles: null" line comes from RoleMechanism.isCallerInRoles().
(NB. The line of trace that says "isCallerInRole" is a typo in the code, it
should say "isCallerInRoles"). As you can see, it's being called with the
principal "JOnAS_client". Where does this come from? From the default
constructor in SecurityContext.java: it's hard-coded in there. All of this
leads me to conclude that req.getUserPrincipal() is returning null in this
code in SecurityCtxInterceptor31.authorize():
Principal principal = req.getUserPrincipal() ;
if (principal != null) {
    SecurityContext ctx = new SecurityContext (principal.getName()) ;
    SecurityCurrent current = SecurityCurrent.getCurrent () ;
    current.setSecurityContext(ctx) ;
}
...which results in the static initializer code in SecurityCurrent creating
a SecurityContext via SecurityContext's default constructor, which hence
has a principal of "JOnAS_client".
If I add "JOnAS_client = tomcat" into jonas-users.properties, I get past
the NullPointerException.... But then get a security exception because
JOnAS_client is the wrong user. I'm sure all this reflects some idiotic
mistake by me - but I can't see what! Has anyone out there got the security
example working?
Joe
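
Added example, not part of the original message and not JOnAS code: a simplified Java model of the flow described above, where a null user principal leaves the hard-coded default "JOnAS_client" in the per-thread security context, shown next to a fail-closed variant. All class, method and map names are assumptions made for illustration, and the user table is constructed.

```java
import java.util.List;
import java.util.Map;

// Simplified model of the flow described in the message; names are
// illustrative assumptions, not the JOnAS sources.
public class DefaultPrincipalDemo {
    // Per-thread context that starts out holding the hard-coded default
    // principal, like the default constructor described in the message.
    static final ThreadLocal<String> CURRENT =
            ThreadLocal.withInitial(() -> "JOnAS_client");

    // Constructed stand-in for jonas-users.properties: principal -> roles.
    static final Map<String, List<String>> USERS =
            Map.of("tomcat", List.of("tomcat"));

    // Behaviour described in the post: a null principal is skipped silently,
    // so the call goes on under the default identity.
    static void authorizeLenient(String webPrincipal) {
        if (webPrincipal != null) CURRENT.set(webPrincipal);
    }

    // Fail-closed variant (an assumption, not the project's fix): a request
    // without an authenticated principal is rejected before any EJB call.
    static void authorizeStrict(String webPrincipal) {
        if (webPrincipal == null)
            throw new SecurityException("no authenticated principal on request");
        CURRENT.set(webPrincipal);
    }

    static boolean isCallerInRoles(String... required) {
        List<String> principalRoles = USERS.get(CURRENT.get());
        if (principalRoles == null) return false; // unknown principal: no roles
        for (String r : required)
            if (principalRoles.contains(r)) return true;
        return false;
    }

    public static void main(String[] args) {
        authorizeLenient(null); // request carried no user principal
        System.out.println("lenient: caller=" + CURRENT.get()
                + " inRole=" + isCallerInRoles("tomcat"));
        CURRENT.remove();
        try {
            authorizeStrict(null);
        } catch (SecurityException e) {
            System.out.println("strict: rejected, " + e.getMessage());
        }
        authorizeStrict("tomcat");
        System.out.println("strict: caller=" + CURRENT.get()
                + " inRole=" + isCallerInRoles("tomcat"));
    }
}
```

In the lenient path the role check runs against "JOnAS_client" rather than the web user, which is why granting roles to that name only moves the failure further along.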
-----Original Message-----
From: Kathleen Milsted [SMTP:[EMAIL PROTECTED]]
Sent: Monday, November 13, 2000 4:52 PM
To: Joe Gittings
Cc: jonas
Subject: Re: More security newbie problems :(
Joe Gittings wrote:
>
> There's the rub. I've modified the servlet to print the stack trace: I just
> get
>
> java.lang.NullPointerException
> <<no stack trace available>>
>
> As I say, it's occurring at the home.create() i.e.
> t1 = home.create("User1");
>
> I know that home is not null because I'm tracing that out. I get:
>
> home=sb.JOnASOpHome_Stub[org.objectweb.jeremie.libs.stub_factories.std.RefImpl[0.0.0.0:3005:974131589930(remote)]]
>
> One possible clue here is that RefImpl.toString() is reporting an IP
> address of 0.0.0.0, which doesn't seem right. I presume that port 3005 is
> dynamically allocated by the jeremie runtime.
>
> Thanks,
> Joe
The "0.0.0.0" does indeed look wrong. Try using the property
"-Djonathan.tcpip.verbose=true" when you run java to trace out
the ports and host names discovered/allocated by the runtime.
On the server side, in case the runtime can't for some reason
figure out the local address (maybe a security problem?), try
using "-Djonathan.tcpip.localhost=<IP address>" with the IP address
of the server filled in manually, and see whether that works.
Kathleen