Re: Please help me to understand JAAS login for stanalone cilent

Thu, 23 Aug 2007 03:28:43 -0700 

Hi David & David,

Thank you for your answers. I can't switch to 2.0.1 right now, I have
a task to use WebSphere Application Server Community Edition which is currently based on Geronimo 1.1.1. Okay, I will do some fak.. *cough* workaround for now and will return to this later, when WAS CE will move to Geronimo 2.0. 

Thanks,
Oleg

David Jencks wrote:

IIRC there was a way to do a remote login from a non-j2ee app client in 
1.1 but it was very hard and I don't remember how to get it to work.



Can you switch to 2.0.1?  I'm not sure if the jndi security parameters 
will result in a successful login but I think you can use the 
OpenejbRemoteLoginModule to do a remote login over the openejb protocol 
and this should save a token in the client that identifies the server 
Subject.  I don't know if anyone has tested this with a non-ee client 
but I don't know of any reason it shouldn't work.  Maybe david blevins 
has more of an idea if anything else needs to be configured in the 
client.  You would need the geronimo-openejb jar in the client's 
classpath along with the openejb client jar.


thanks
david jencks

On Aug 22, 2007, at 9:24 AM, David Blevins wrote:


Hi Oleg,

This feature was added to the standalone client in Geronimo 2.0.

-David

On Aug 22, 2007, at 7:09 AM, Oleg Nitz wrote:


Hi All,

I am trying to set up JAAS login for standalone client.

On server I have successfully deployed EAR with the following 
security section in geronimo-application.xml:


    <security xmlns="http://geronimo.apache.org/xml/ns/security-1.1";>
        <default-principal realm-name="irbis">

            <principal 
class="org.apache.geronimo.security.realm.providers.GeronimoUserPrincipal" 


                        name="anonymous"/>
        </default-principal>
        <role-mappings>
            <role role-name="user">
                <realm realm-name="irbis">
                    <principal name="user"

class="org.apache.geronimo.security.realm.providers.GeronimoGroupPrincipal"/> 


                </realm>
            </role>
        </role-mappings>
    </security>

    <gbean name="irbis"
        class="org.apache.geronimo.security.realm.GenericSecurityRealm">
        <attribute name="realmName">irbis</attribute>
        <reference name="ServerInfo">
            <name>ServerInfo</name>
        </reference>
        <reference name="LoginService">
            <name>JaasLoginService</name>
        </reference>
        <xml-reference name="LoginModuleConfiguration">

            <login-config 
xmlns="http://geronimo.apache.org/xml/ns/loginconfig-1.1";>
                <login-module control-flag="REQUIRED" 
server-side="true" wrap-principals="true">

                    <login-domain-name>irbis</login-domain-name>

<login-module-class>ua.odessa.ibis.start.IServerLoginModuleGeneric</login-module-class> 


                </login-module>
            </login-config>
        </xml-reference>
    </gbean>

Client code:

LoginContext lc = new LoginContext("irbis", _callbackHandler);
lc.login();

...

Properties props = new Properties();

props.setProperty("java.naming.factory.initial",
                  "org.openejb.client.RemoteInitialContextFactory");
props.setProperty("java.naming.provider.url", "localhost:4201");
props.setProperty("java.naming.security.principal", "admin");
props.setProperty("java.naming.security.credentials", "******");
InitialContext ic = new InitialContext(props);
UserRegistryHome regHome = (UserRegistryHome)
               PortableRemoteObject.narrow(ic.lookup("<bean jndi name>",
               UserRegistryHome.class);


The first piece of code with lc.login() works fine, server login 
module is invoked. But I am not sure that Geronimo stores the 
principal and the credentials from the login somewhere in order use 
them later during bean methods invocation (as JBoss does). Probably 
this piece of code is useless for Geronimo, right?
So I provide principal and credentials during JNDI lookup() as 
Geronimo documentation suggests. I hoped they were somehow 
transferred to server LoginModule. But they are not. Instead I am 
getting the following exception:



java.rmi.AccessException: access denied 
(javax.security.jacc.EJBMethodPermission 
core.user.registry.UserRegistry create,Home,)
        at 
org.openejb.security.EJBSecurityInterceptor.invoke(EJBSecurityInterceptor.java:106) 

        at 
org.openejb.security.EJBRunAsInterceptor.invoke(EJBRunAsInterceptor.java:85) 

        at 
org.openejb.slsb.StatelessInstanceInterceptor.invoke(StatelessInstanceInterceptor.java:98) 

        at 
org.openejb.transaction.ContainerPolicy$TxSupports.invoke(ContainerPolicy.java:198) 

        at 
org.openejb.transaction.TransactionContextInterceptor.invoke(TransactionContextInterceptor.java:80) 

        at 
org.openejb.SystemExceptionInterceptor.invoke(SystemExceptionInterceptor.java:82) 

        at 
org.openejb.GenericEJBContainer$DefaultSubjectInterceptor.invoke(GenericEJBContainer.java:549) 

        at 
org.openejb.GenericEJBContainer.invoke(GenericEJBContainer.java:238)
        at 
org.openejb.server.ejbd.EjbRequestHandler.invoke(EjbRequestHandler.java:297) 

        at 
org.openejb.server.ejbd.EjbRequestHandler.doEjbHome_CREATE(EjbRequestHandler.java:342) 

        at 
org.openejb.server.ejbd.EjbRequestHandler.processRequest(EjbRequestHandler.java:206) 


        at org.openejb.server.ejbd.EjbDaemon.service(EjbDaemon.java:150)
        at org.openejb.server.ejbd.EjbServer.service(EjbServer.java:87)

        at 
org.openejb.server.ejbd.EjbServer$$FastClassByCGLIB$$d379d2ff.invoke(<generated>) 


        at net.sf.cglib.reflect.FastMethod.invoke(FastMethod.java:53)

        at 
org.apache.geronimo.gbean.runtime.FastMethodInvoker.invoke(FastMethodInvoker.java:38) 

        at 
org.apache.geronimo.gbean.runtime.GBeanOperation.invoke(GBeanOperation.java:122) 

        at 
org.apache.geronimo.gbean.runtime.GBeanInstance.invoke(GBeanInstance.java:817) 

        at 
org.apache.geronimo.gbean.runtime.RawInvoker.invoke(RawInvoker.java:57)
        at 
org.apache.geronimo.kernel.basic.RawOperationInvoker.invoke(RawOperationInvoker.java:35) 

        at 
org.apache.geronimo.kernel.basic.ProxyMethodInterceptor.intercept(ProxyMethodInterceptor.java:96) 

        at 
org.activeio.xnet.ServerService$$EnhancerByCGLIB$$6635a4ab.service(<generated>) 


        at org.activeio.xnet.ServicePool$2.run(ServicePool.java:67)
        at org.activeio.xnet.ServicePool$3.run(ServicePool.java:90)

        at 
org.apache.geronimo.pool.ThreadPool$1.run(ThreadPool.java:172)
        at 
org.apache.geronimo.pool.ThreadPool$ContextClassLoaderRunnable.run(ThreadPool.java:289) 

        at 
EDU.oswego.cs.dl.util.concurrent.PooledExecutor$Worker.run(Unknown 
Source)

        at java.lang.Thread.run(Thread.java:595)


Under debugger I see that inside EJBSecurityInterceptor the wrong 
Subject is used, it's "anonymous", which is declared as 
default-principal, and not "admin", which is passed to JNDI context.

What am I doing wrong?

Thanks in advance,
Oleg

































					Reply via email to