On Jun 19, 2009, at 6:44 AM, kistler wrote:
> Hello,
> I'm currently developing an Enterprise application which comprises a servlet and EJB for Geronimo 2.1, and I have secured the EJB with a Security Realm configured to authenticate against a SQLLoginModule. I'm confident that this is authenticating correctly as I have done negative and positive testing.
> I'm testing my EJB by connecting to it from a servlet as follows:
>
>     CallbackHandler handler = new UserIdPasswordCallbackHandler(user, password);
>     LoginContext ctx = new LoginContext("SecurityRealm", handler);
>     ctx.login();
>
> This succeeds when supplied the correct credentials and throws exceptions with invalid credentials.
I assume this is a standalone test, not part of your application? Doing this will not tell geronimo anything about the Subject you have created, and your ejb will not be secured from the servlet.
> I obtain a reference to the remote interface as follows:
>
>     Properties prop = new Properties();
>     prop.put(Context.INITIAL_CONTEXT_FACTORY, "org.apache.openejb.client.RemoteInitialContextFactory");
>     prop.put("java.naming.provider.url", "ejbd://localhost:4201");
>     Context context = new InitialContext(prop);
>     Object o = context.lookup("SessionManagerBeanRemote");
>     SessionManagerRemote remote = (SessionManagerRemote) o;
>
> This works correctly as I am able to call my remote EJB methods!
Yes, and there is no security in place. If you are calling from the servlet you did the test login from, the Subject info will not be propagated to the ejb container.
> Now - the piece I am missing is I need to be able to obtain the current Subject that was authenticated. I.e., I need to know the identity of the user that has been authenticated to use this EJB and is invoking it. So if joe was authenticated to use the SessionManager, I need to be able to obtain joe's login name.
You probably want first to set up container managed security. Easiest is to use one of the built-in authentication methods for the web app. If you don't like this, you should call one of the geronimo ContextManager.login methods for your login and then

    Callers oldCallers = ContextManager.setCallers(subject, subject);
    try {
        // do secured stuff like calling the ejb
    } finally {
        ContextManager.popCallers(oldCallers);
    }

Or if you are adventurous you can use (unreleased) geronimo 2.2 + jetty7 with a jaspic authentication module.

At this point, Juergen's suggestion of using sessionContext.getCallerPrincipal() in the ejb will work.
thanks
david jencks
> I believe if I was within a web container I'd be able to use the equivalent of HttpServletRequest.getUserPrincipal() ... Can someone point me to a reference, decently documented example or something that will tell me what API I need to use? I'm happy to do some reading but I've looked around quite a bit and I think I might be missing something... There doesn't seem to be a clear reference to this in the standard geronimo documentation - only some light discussion for web containers.
> Thanks in advance!
> -Keith
--
View this message in context: http://www.nabble.com/Trouble-obtaining-JaaS-login-context-from-within-EJB-tp24111796s134p24111796.html
Sent from the Apache Geronimo - Users mailing list archive at Nabble.com.
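The pattern David describes, written out as an added example (not code from this thread or from the Geronimo project): the servlet logs in through ContextManager instead of a bare LoginContext, binds the Subject around the remote call, and the bean reads the caller through SessionContext. Assumptions: ContextManager.login(realm, handler) and ContextManager.logout(LoginContext) have these signatures in Geronimo 2.1, and the remote interface carries a hypothetical whoAmI() method.

```java
// ---- Servlet side (SecuredEjbCaller.java) ----
import javax.security.auth.Subject;
import javax.security.auth.callback.*;
import javax.security.auth.login.LoginContext;
import javax.security.auth.login.LoginException;
import org.apache.geronimo.security.Callers;
import org.apache.geronimo.security.ContextManager;

public class SecuredEjbCaller {
    // Plain JAAS handler answering the NameCallback/PasswordCallback a login module
    // issues; stands in for the poster's UserIdPasswordCallbackHandler.
    static CallbackHandler handler(final String user, final char[] password) {
        return new CallbackHandler() {
            public void handle(Callback[] cbs) throws UnsupportedCallbackException {
                for (Callback cb : cbs) {
                    if (cb instanceof NameCallback) ((NameCallback) cb).setName(user);
                    else if (cb instanceof PasswordCallback) ((PasswordCallback) cb).setPassword(password);
                    else throw new UnsupportedCallbackException(cb);
                }
            }
        };
    }

    // Log in through Geronimo's ContextManager (a bare new LoginContext(...) is never seen
    // by the container), bind the Subject to this thread for the EJB call, and restore the
    // previous callers in finally so a failed call cannot leave a pooled thread running as
    // this user for later, unrelated requests.
    public static String whoAmIViaEjb(SessionManagerRemote remote, String user, char[] password)
            throws LoginException {
        LoginContext lc = ContextManager.login("SecurityRealm", handler(user, password)); // assumed signature
        Subject subject = lc.getSubject();
        Callers oldCallers = ContextManager.setCallers(subject, subject);
        try {
            return remote.whoAmI();                // hypothetical method on the remote interface
        } finally {
            ContextManager.popCallers(oldCallers);
            ContextManager.logout(lc);             // assumed: unregisters the Subject
        }
    }
}

// ---- EJB side (SessionManagerBean.java) ----
import javax.annotation.Resource;
import javax.ejb.SessionContext;
import javax.ejb.Stateless;

@Stateless
public class SessionManagerBean implements SessionManagerRemote {
    @Resource private SessionContext sessionContext;
    // Container-managed identity: returns "joe" once the servlet bound joe's Subject.
    public String whoAmI() { return sessionContext.getCallerPrincipal().getName(); }
}
```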