On Sep 5, 2009, at 8:40 AM, Quintin Beukes wrote:
My oh my this week has given me headaches. I went through hundreds
of lines of code for both geronimo and OpenEJB, and I can't seem to
figure out why this isn't working. From what I've found on the
internet it should work (unless I'm missing something).
OK. So I have this EJB:
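
    import java.security.Principal;
    import javax.annotation.Resource;
    import javax.annotation.security.DeclareRoles;
    import javax.annotation.security.RolesAllowed;
    import javax.ejb.SessionContext;
    import javax.ejb.Stateless;

    @Stateless
    @DeclareRoles({ "Admin" })
    @RolesAllowed({ "Admin" })
    public class TestBean implements TestRemote, TestLocal
    {
        @Resource
        private SessionContext sessionCtx;

        // Reports the caller principal's name and implementation class.
        public String getInfo()
        {
            Principal p = sessionCtx.getCallerPrincipal();
            StringBuilder sb = new StringBuilder();
            sb.append("\n").append("Principal: " + p.getName() + " - type: "
                    + p.getClass().getCanonicalName());
            return sb.toString();
        }
    }
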
getInfo() is a Remote method.
Then its deploy plan contains:

    <security doas-current-called="true" default-role="Admin">
    </security>

And I do a remote lookup as follows:

    Properties p = new Properties();
    p.put("java.naming.factory.initial",
          "org.apache.openejb.client.RemoteInitialContextFactory");
    p.put("java.naming.provider.url", "ejbd://localhost:4201");
    // user and pass optional
    p.put("openejb.authentication.realmName", "KMSRealm");
    p.put("java.naming.security.principal", "quintin");
    p.put("java.naming.security.credentials", "pass");
    InitialContext ctx = new InitialContext(p);
    TestRemote myBean = (TestRemote) ctx.lookup("TestBeanRemote");
    String info = myBean.getInfo();

When I run the code I get an: Exception in thread "main"
javax.ejb.EJBAccessException: Unauthorized Access by Principal Denied
So, I remove the security definitions from the EJB and its deploy
plan, the method executes, and the Principal it returns is
UnauthenticatedPrincipal.
KMSRealm is a server wide SQLLoginModule realm defined in the
geronimo console. I know the login works, because changing the
InitialContext credentials causes the login to fail. So all this
works.
I am basically trying to log in via EJB, and then be able to do two
things: (1) define authorizations on the EJBs/methods and (2) retrieve
the Subject/Principal. Both of these are very important.

You need to map the principal from the login module to the roles in
your app, in your <security> element. Can you show what you have for
this?

I've also tried replacing my <security> element in the deploy plan
to this:

    <security>
        <default-subject>
            <realm>KMSRealm</realm>
            <id>quintin</id>
        </default-subject>
    </security>


If you use something like this you also need to set up a credential
store that will log into your realm to get the Subject you are trying
to specify here.

But then I get the following when deploying:

    Error: Operation failed: start of kms/KMSPlatform-ejb/1.0/jar failed
        Unknown start exception
        Configuration kms/KMSPlatform-ejb/1.0/jar failed to start due to
        the following reasons:
        The service
        EJBModule=kms/KMSPlatform-ejb/1.0/jar,J2EEApplication=null,j2eeType=StatelessSessionBean,name=PersonnelBean
        did not start because
        kms/KMSPlatform-ejb/1.0/jar?EJBModule=kms/KMSPlatform-ejb/1.0/jar,J2EEApplication=null,j2eeType=JACCManager,name=JACCManager
        did not start.
        The service
        EJBModule=kms/KMSPlatform-ejb/1.0/jar,J2EEApplication=null,j2eeType=StatelessSessionBean,name=TestBean
        did not start because
        kms/KMSPlatform-ejb/1.0/jar?EJBModule=kms/KMSPlatform-ejb/1.0/jar,J2EEApplication=null,j2eeType=JACCManager,name=JACCManager
        did not start.
        The service
        EJBModule=kms/KMSPlatform-ejb/1.0/jar,J2EEApplication=null,j2eeType=JACCManager,name=JACCManager
        did not start because Unknown realm: KMSRealm

I am up to my head in frustration. I gave Geronimo a try on a redev
of a project, but what took me about half a day to set up on
Glassfish has now taken me a week. Can anyone please help me out,
because I really want to have Geronimo's benefits in my applications.

I have to run now. If these hints don't get you further, let us know
and I'll try to be more detailed. I think there is some documentation,
at least in the 2.2 docs, for both of these. If they are hard to find
and you can think of better ways to get to them, please let us know.

thanks
david jencks

--
Quintin Beukes
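
Added example (not part of the original thread and not Geronimo project code): one way to write the principal-to-role mapping the reply asks about, placed in the EJB module's Geronimo deployment plan. It assumes the security-2.0 plan namespace and that the KMSRealm login module attaches GeronimoUserPrincipal and GeronimoGroupPrincipal instances to the Subject; the group name kms-admins is constructed for illustration.

```xml
<!-- Added illustration: maps login-module principals to the application role. -->
<security xmlns="http://geronimo.apache.org/xml/ns/security-2.0">
    <role-mappings>
        <!-- role-name must match the role named in @DeclareRoles / @RolesAllowed -->
        <role role-name="Admin">
            <!-- Principal the realm creates for the authenticated user name -->
            <principal class="org.apache.geronimo.security.realm.providers.GeronimoUserPrincipal"
                       name="quintin"/>
            <!-- Assumption: the realm also returns group principals; "kms-admins"
                 is a constructed group name. Mapping a group keeps individual
                 user names out of the plan. -->
            <principal class="org.apache.geronimo.security.realm.providers.GeronimoGroupPrincipal"
                       name="kms-admins"/>
        </role>
    </role-mappings>
</security>
```

With a mapping like this, a caller authenticated against the realm is authorized for Admin-restricted methods only if its Subject carries one of the listed principals; any other authenticated caller is still rejected with EJBAccessException.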