David, do you know if the SecurityProvider in Geronimo will supply a
default value of realm when plain user/pass login is done?
If so, then JNDI login as follows should work:
props.setProperty("java.naming.security.principal", "admin");
props.setProperty("java.naming.security.credentials", "******");
InitialContext ic = new InitialContext(props);
As would the ClientLoginModule built into the openejb-client jar.
And I'll go on record again saying I think supporting realm as a
"namespace" in the username is a nice non-required feature. Then you
could support:
props.setProperty("java.naming.security.principal", "irbis:admin");
props.setProperty("java.naming.security.credentials", "******");
InitialContext ic = new InitialContext(props);
Could even make the separator configurable in the server.
-David
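As an added illustration (not code from this thread, Geronimo or OpenEJB) of the "realm:user" principal namespace proposed above: the server splits the principal on a configurable separator, falls back to a default realm when none is given, and rejects empty parts. Class and method names are assumptions.

```java
// Illustration only; not Geronimo/OpenEJB code. Names are assumed.
public final class PrincipalNamespace {
    private final String separator;    // assumed server-configurable, e.g. ":"
    private final String defaultRealm; // realm used when the principal carries none

    public PrincipalNamespace(String separator, String defaultRealm) {
        if (separator == null || separator.isEmpty()) {
            throw new IllegalArgumentException("separator must be non-empty");
        }
        this.separator = separator;
        this.defaultRealm = defaultRealm;
    }

    /** Realm and user name recovered from a java.naming.security.principal value. */
    public static final class Login {
        public final String realm;
        public final String user;
        Login(String realm, String user) { this.realm = realm; this.user = user; }
    }

    /**
     * "irbis:admin" -> realm "irbis", user "admin"; a bare "admin" uses the
     * default realm. Only the first separator is significant, so a user name
     * that itself contains the separator is preserved intact.
     */
    public Login parse(String principal) {
        if (principal == null || principal.isEmpty()) {
            throw new IllegalArgumentException("empty principal");
        }
        int idx = principal.indexOf(separator);
        if (idx < 0) {
            return new Login(defaultRealm, principal);
        }
        String realm = principal.substring(0, idx);
        String user = principal.substring(idx + separator.length());
        if (realm.isEmpty() || user.isEmpty()) {
            throw new IllegalArgumentException("malformed principal: " + principal);
        }
        return new Login(realm, user);
    }

    public static void main(String[] args) {
        // "default-realm" is a constructed placeholder for the server's default realm
        PrincipalNamespace ns = new PrincipalNamespace(":", "default-realm");
        Login l = ns.parse("irbis:admin");
        System.out.println(l.realm + " / " + l.user);
        Login d = ns.parse("admin");
        System.out.println(d.realm + " / " + d.user);
    }
}
```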
On Aug 22, 2007, at 2:44 PM, David Jencks wrote:
IIRC there was a way to do a remote login from a non-j2ee app
client in 1.1 but it was very hard and I don't remember how to get
it to work.
Can you switch to 2.0.1? I'm not sure if the jndi security
parameters will result in a successful login but I think you can
use the OpenejbRemoteLoginModule to do a remote login over the
openejb protocol and this should save a token in the client that
identifies the server Subject. I don't know if anyone has tested
this with a non-ee client but I don't know of any reason it
shouldn't work. Maybe David Blevins has more of an idea if
anything else needs to be configured in the client. You would need
the geronimo-openejb jar in the client's classpath along with the
openejb client jar.
thanks
david jencks
On Aug 22, 2007, at 9:24 AM, David Blevins wrote:
Hi Oleg,
This feature was added to the standalone client in Geronimo 2.0.
-David
On Aug 22, 2007, at 7:09 AM, Oleg Nitz wrote:
Hi All,
I am trying to set up JAAS login for standalone client.
On server I have successfully deployed EAR with the following
security section in geronimo-application.xml:
<security xmlns="http://geronimo.apache.org/xml/ns/security-1.1">
  <default-principal realm-name="irbis">
    <principal class="org.apache.geronimo.security.realm.providers.GeronimoUserPrincipal"
               name="anonymous"/>
  </default-principal>
  <role-mappings>
    <role role-name="user">
      <realm realm-name="irbis">
        <principal name="user"
                   class="org.apache.geronimo.security.realm.providers.GeronimoGroupPrincipal"/>
      </realm>
    </role>
  </role-mappings>
</security>

<gbean name="irbis" class="org.apache.geronimo.security.realm.GenericSecurityRealm">
  <attribute name="realmName">irbis</attribute>
  <reference name="ServerInfo">
    <name>ServerInfo</name>
  </reference>
  <reference name="LoginService">
    <name>JaasLoginService</name>
  </reference>
  <xml-reference name="LoginModuleConfiguration">
    <login-config xmlns="http://geronimo.apache.org/xml/ns/loginconfig-1.1">
      <login-module control-flag="REQUIRED" server-side="true" wrap-principals="true">
        <login-domain-name>irbis</login-domain-name>
        <login-module-class>ua.odessa.ibis.start.IServerLoginModuleGeneric</login-module-class>
      </login-module>
    </login-config>
  </xml-reference>
</gbean>
Client code:
// JAAS login against the "irbis" login domain configured above
LoginContext lc = new LoginContext("irbis", _callbackHandler);
lc.login();
...
// JNDI context to the remote OpenEJB server, with principal/credentials
Properties props = new Properties();
props.setProperty("java.naming.factory.initial",
    "org.openejb.client.RemoteInitialContextFactory");
props.setProperty("java.naming.provider.url", "localhost:4201");
props.setProperty("java.naming.security.principal", "admin");
props.setProperty("java.naming.security.credentials", "******");
InitialContext ic = new InitialContext(props);
UserRegistryHome regHome = (UserRegistryHome)
    PortableRemoteObject.narrow(ic.lookup("<bean jndi name>"),
                                UserRegistryHome.class);
The first piece of code with lc.login() works fine, the server login
module is invoked. But I am not sure that Geronimo stores the
principal and the credentials from the login somewhere in order
to use them later during bean method invocation (as JBoss does).
Probably this piece of code is useless for Geronimo, right?
So I provide principal and credentials during JNDI lookup() as
Geronimo documentation suggests. I hoped they were somehow
transferred to server LoginModule. But they are not. Instead I am
getting the following exception:
java.rmi.AccessException: access denied (javax.security.jacc.EJBMethodPermission core.user.registry.UserRegistry create,Home,)
    at org.openejb.security.EJBSecurityInterceptor.invoke(EJBSecurityInterceptor.java:106)
    at org.openejb.security.EJBRunAsInterceptor.invoke(EJBRunAsInterceptor.java:85)
    at org.openejb.slsb.StatelessInstanceInterceptor.invoke(StatelessInstanceInterceptor.java:98)
    at org.openejb.transaction.ContainerPolicy$TxSupports.invoke(ContainerPolicy.java:198)
    at org.openejb.transaction.TransactionContextInterceptor.invoke(TransactionContextInterceptor.java:80)
    at org.openejb.SystemExceptionInterceptor.invoke(SystemExceptionInterceptor.java:82)
    at org.openejb.GenericEJBContainer$DefaultSubjectInterceptor.invoke(GenericEJBContainer.java:549)
    at org.openejb.GenericEJBContainer.invoke(GenericEJBContainer.java:238)
    at org.openejb.server.ejbd.EjbRequestHandler.invoke(EjbRequestHandler.java:297)
    at org.openejb.server.ejbd.EjbRequestHandler.doEjbHome_CREATE(EjbRequestHandler.java:342)
    at org.openejb.server.ejbd.EjbRequestHandler.processRequest(EjbRequestHandler.java:206)
    at org.openejb.server.ejbd.EjbDaemon.service(EjbDaemon.java:150)
    at org.openejb.server.ejbd.EjbServer.service(EjbServer.java:87)
    at org.openejb.server.ejbd.EjbServer$$FastClassByCGLIB$$d379d2ff.invoke(<generated>)
    at net.sf.cglib.reflect.FastMethod.invoke(FastMethod.java:53)
    at org.apache.geronimo.gbean.runtime.FastMethodInvoker.invoke(FastMethodInvoker.java:38)
    at org.apache.geronimo.gbean.runtime.GBeanOperation.invoke(GBeanOperation.java:122)
    at org.apache.geronimo.gbean.runtime.GBeanInstance.invoke(GBeanInstance.java:817)
    at org.apache.geronimo.gbean.runtime.RawInvoker.invoke(RawInvoker.java:57)
    at org.apache.geronimo.kernel.basic.RawOperationInvoker.invoke(RawOperationInvoker.java:35)
    at org.apache.geronimo.kernel.basic.ProxyMethodInterceptor.intercept(ProxyMethodInterceptor.java:96)
    at org.activeio.xnet.ServerService$$EnhancerByCGLIB$$6635a4ab.service(<generated>)
    at org.activeio.xnet.ServicePool$2.run(ServicePool.java:67)
    at org.activeio.xnet.ServicePool$3.run(ServicePool.java:90)
    at org.apache.geronimo.pool.ThreadPool$1.run(ThreadPool.java:172)
    at org.apache.geronimo.pool.ThreadPool$ContextClassLoaderRunnable.run(ThreadPool.java:289)
    at EDU.oswego.cs.dl.util.concurrent.PooledExecutor$Worker.run(Unknown Source)
    at java.lang.Thread.run(Thread.java:595)
Under the debugger I see that inside EJBSecurityInterceptor the wrong
Subject is used: it's "anonymous", which is declared as default-principal,
and not "admin", which is passed to the JNDI context.
What am I doing wrong?
Thanks in advance,
Oleg