Re: Please help me to understand JAAS login for stanalone cilent

Wed, 22 Aug 2007 14:44:38 -0700

IIRC there was a way to do a remote login from a non-j2ee app client in 1.1 but it was very hard and I don't remember how to get it to work.
Can you switch to 2.0.1? I'm not sure if the jndi security parameters will result in a successful login but I think you can use the OpenejbRemoteLoginModule to do a remote login over the openejb protocol and this should save a token in the client that identifies the server Subject. I don't know if anyone has tested this with a non-ee client but I don't know of any reason it shouldn't work. Maybe david blevins has more of an idea if anything else needs to be configured in the client. You would need the geronimo-openejb jar in the client's classpath along with the openejb client jar. 

thanks
david jencks

On Aug 22, 2007, at 9:24 AM, David Blevins wrote:


Hi Oleg,

This feature was added to the standalone client in Geronimo 2.0.

-David

On Aug 22, 2007, at 7:09 AM, Oleg Nitz wrote:


Hi All,

I am trying to set up JAAS login for standalone client.

On server I have successfully deployed EAR with the following  
security section in geronimo-application.xml:


    <security xmlns="http://geronimo.apache.org/xml/ns/security-1.1";>
        <default-principal realm-name="irbis">

            <principal  
class="org.apache.geronimo.security.realm.providers.GeronimoUserPrinc 
ipal"

                        name="anonymous"/>
        </default-principal>
        <role-mappings>
            <role role-name="user">
                <realm realm-name="irbis">
                    <principal name="user"

class="org.apache.geronimo.security.realm.providers.GeronimoGroupPrin 
cipal"/>

                </realm>
            </role>
        </role-mappings>
    </security>

    <gbean name="irbis"

         
class="org.apache.geronimo.security.realm.GenericSecurityRealm">

        <attribute name="realmName">irbis</attribute>
        <reference name="ServerInfo">
            <name>ServerInfo</name>
        </reference>
        <reference name="LoginService">
            <name>JaasLoginService</name>
        </reference>
        <xml-reference name="LoginModuleConfiguration">

            <login-config xmlns="http://geronimo.apache.org/xml/ns/ 
loginconfig-1.1">
                <login-module control-flag="REQUIRED" server- 
side="true" wrap-principals="true">

                    <login-domain-name>irbis</login-domain-name>

<login-module- 
class>ua.odessa.ibis.start.IServerLoginModuleGeneric</login-module- 
class>

                </login-module>
            </login-config>
        </xml-reference>
    </gbean>

Client code:

LoginContext lc = new LoginContext("irbis", _callbackHandler);
lc.login();

...

Properties props = new Properties();

props.setProperty("java.naming.factory.initial",
                  "org.openejb.client.RemoteInitialContextFactory");
props.setProperty("java.naming.provider.url", "localhost:4201");
props.setProperty("java.naming.security.principal", "admin");
props.setProperty("java.naming.security.credentials", "******");
InitialContext ic = new InitialContext(props);
UserRegistryHome regHome = (UserRegistryHome)

               PortableRemoteObject.narrow(ic.lookup("<bean jndi  
name>",

               UserRegistryHome.class);


The first piece of code with lc.login() works fine, server login  
module is invoked. But I am not sure that Geronimo stores the  
principal and the credentials from the login somewhere in order  
use them later during bean methods invocation (as JBoss does).  
Probably this piece of code is useless for Geronimo, right?
So I provide principal and credentials during JNDI lookup() as  
Geronimo documentation suggests. I hoped they were somehow  
transferred to server LoginModule. But they are not. Instead I am  
getting the following exception:



java.rmi.AccessException: access denied  
(javax.security.jacc.EJBMethodPermission  
core.user.registry.UserRegistry create,Home,)
        at org.openejb.security.EJBSecurityInterceptor.invoke 
(EJBSecurityInterceptor.java:106)
        at org.openejb.security.EJBRunAsInterceptor.invoke 
(EJBRunAsInterceptor.java:85)
        at org.openejb.slsb.StatelessInstanceInterceptor.invoke 
(StatelessInstanceInterceptor.java:98)
        at org.openejb.transaction.ContainerPolicy 
$TxSupports.invoke(ContainerPolicy.java:198)
        at  
org.openejb.transaction.TransactionContextInterceptor.invoke 
(TransactionContextInterceptor.java:80)
        at org.openejb.SystemExceptionInterceptor.invoke 
(SystemExceptionInterceptor.java:82)
        at org.openejb.GenericEJBContainer 
$DefaultSubjectInterceptor.invoke(GenericEJBContainer.java:549)
        at org.openejb.GenericEJBContainer.invoke 
(GenericEJBContainer.java:238)
        at org.openejb.server.ejbd.EjbRequestHandler.invoke 
(EjbRequestHandler.java:297)
        at  
org.openejb.server.ejbd.EjbRequestHandler.doEjbHome_CREATE 
(EjbRequestHandler.java:342)
        at org.openejb.server.ejbd.EjbRequestHandler.processRequest 
(EjbRequestHandler.java:206)
        at org.openejb.server.ejbd.EjbDaemon.service 
(EjbDaemon.java:150)
        at org.openejb.server.ejbd.EjbServer.service 
(EjbServer.java:87)
        at org.openejb.server.ejbd.EjbServer$$FastClassByCGLIB$ 
$d379d2ff.invoke(<generated>)

        at net.sf.cglib.reflect.FastMethod.invoke(FastMethod.java:53)

        at  
org.apache.geronimo.gbean.runtime.FastMethodInvoker.invoke 
(FastMethodInvoker.java:38)
        at org.apache.geronimo.gbean.runtime.GBeanOperation.invoke 
(GBeanOperation.java:122)
        at org.apache.geronimo.gbean.runtime.GBeanInstance.invoke 
(GBeanInstance.java:817)
        at org.apache.geronimo.gbean.runtime.RawInvoker.invoke 
(RawInvoker.java:57)
        at  
org.apache.geronimo.kernel.basic.RawOperationInvoker.invoke 
(RawOperationInvoker.java:35)
        at  
org.apache.geronimo.kernel.basic.ProxyMethodInterceptor.intercept 
(ProxyMethodInterceptor.java:96)
        at org.activeio.xnet.ServerService$$EnhancerByCGLIB$ 
$6635a4ab.service(<generated>)

        at org.activeio.xnet.ServicePool$2.run(ServicePool.java:67)
        at org.activeio.xnet.ServicePool$3.run(ServicePool.java:90)

        at org.apache.geronimo.pool.ThreadPool$1.run 
(ThreadPool.java:172)
        at org.apache.geronimo.pool.ThreadPool 
$ContextClassLoaderRunnable.run(ThreadPool.java:289)
        at EDU.oswego.cs.dl.util.concurrent.PooledExecutor 
$Worker.run(Unknown Source)

        at java.lang.Thread.run(Thread.java:595)


Under debugger I see that inside EJBSecurityInterceptor the wrong  
Subject is used, it's "anonymous", which is declared as default- 
principal, and not "admin", which is passed to JNDI context.

What am I doing wrong?

Thanks in advance,
Oleg




























					Reply via email to