Ahoj, ja bud pouzivam web authetikaci pres
<form method="post" id="j_security_check" action="j_security_check"> kde JBoss (Tomcat) ma nejaky svuj handler pro "j_security_check" uri a zaridi login, nebo pouzivam org.jboss.web.tomcat.security.login.WebAuthentication tridu. Myslim, ze LoginContext.login nelze pouzit tak, jak ho pouzivas. Ostatne koukni se do zdrojaku WebAuthentication tridy. -- Ondra Medek On Tue, Dec 7, 2010 at 16:34, Jaroslav Cibulka <[email protected]> wrote: > Ahoj, vsichni, > > na j2ee projektu se snazim zavest authentication + authorization/role > management, kde uzivatele a role jsou definovani v LDAPu. Protoze jde o > ciste enterprise projekt deployovany na JBoss AS, rozhodl jsem pouzit JAAS s > implementaci nabizenou JBoss serverem. Mym cilem je overeni uzivatele proti > LDAPu a nasledne pouzivani autorizacnich anotaci na EJB (@RollesAllowed()) a > webove vrstve (request.isUserInRole()). > > Samotny login proti LDAPu s pomoci > org.jboss.security.auth.spi.LdapExtLoginModule se mi podaril celkem snadno. > Spravne se overi heslo a k uzivateli se dotahnou jeho role. > > Co se mi ale ani za nic nedari, je Subject resp. Principal ziskany pri > loginu pouzit pri volani EJB metod a pristupu na webove stranky. Mam pocit, > ze misto toho, aby se mi Subject zpropagoval do EJBContext a ServletContext, > po loginu se proste zahodi. > > Hledani na Googlu a v odpovidajici literature mi rika jen, ze by vsechno > melo fungovat spravne. Jenze nefunguje. > Dokazete mi, prosim, nekdo poradit, co delam spatne? > > Diky, > > C. > > --------------------------------------------------------------------- > Nastaveni login-config.xml: > > <policy> > <application-policy name="localLdapPolicy"> > <authentication> > <login-module code="org.jboss.security.auth.spi.LdapExtLoginModule" > flag="required" > > <module-option > name="java.naming.factory.initial">com.sun.jndi.ldap.LdapCtxFactory</module-option> > <module-option > name="java.naming.provider.url">ldap://localhost:10389</module-option> > <module-option > name="java.naming.security.authentication">simple</module-option> > <module-option name="bindDN">uid=admin,ou=system</module-option> > <module-option name="bindCredential">secret</module-option> > <module-option > name="baseCtxDN">ou=People,dc=example,dc=com</module-option> > <module-option name="baseFilter">(uid={0})</module-option> > <module-option > name="rolesCtxDN">ou=Roles,dc=example,dc=com</module-option> > <module-option name="roleFilter">(member={1})</module-option> > <module-option name="roleAttributeID">cn</module-option> > <module-option name="searchScope">ONELEVEL_SCOPE</module-option> > <module-option name="allowEmptyPasswords">false</module-option> > </login-module> > </authentication> > </application-policy> > </policy> > > --------------------------------------------------------------------- > descriptor xxx-ejb.jar/META-INF/jboss.xml : > > <jboss> > <security-domain>localLdapPolicy</security-domain> > </jboss> > > -------------------------------------------------------------------- > descriptor xxx.war/WEB-INF/jboss-web.xml > > <jboss-web> > <context-root>/LDAPLoginTestFacade</context-root> > <security-domain>java:/jaas/localLdapPolicy</security-domain> > </jboss-web> > > --------------------------------------------------------------------- > Servlet, ktery prijme jmeno/heslo zadane uzivatelem a pokusi se o login: > > public class LoginServlet extends HttpServlet { > > static final Logger logger = > Logger.getLogger(LoginServlet.class.getName()); > > @EJB(beanName = "LoginFacade") > LoginFacadeLocal loginFacade; > > @EJB(beanName = "TestService") > TestServiceLocal testService; > > protected void processRequest(HttpServletRequest request, > HttpServletResponse response) > throws ServletException, IOException { > > try { > String user = request.getParameter("j_username"); > String password = request.getParameter("j_password"); > > logger.info("logging user="+user+",pass="+password); > > testEJBmethods(); // podle ocekavani vyhodi chybu (uzivatel neni > prihlasen) > > loginFacade.login(user, password); // prihlaseni uspesne > probehne > > testEJBmethods(); // podle ocekavani by melo projit, ale pada, > protoze Principal se neni asociovany s kontextem aplikace (viz. log) > > logger.info("Session id="+request.getSession().getId()); > > if (request.isUserInRole("Admins")){ > logger.info("User has Admins role"); > } > > if (request.getUserPrincipal() != null) { > logger.info("User logged in : "+ > request.getUserPrincipal().getName()); > } > > response.sendRedirect(this.getServletContext().getContextPath() > + "/index.jsp"); > > } catch (LoginException ex) { > logger.fatal("JAAS Login Failed: " + ex); > response.sendRedirect(this.getServletContext().getContextPath() > + "/login.jsp"); > } > } > > private void testEJBmethods() { > > try { > // bean method with @AllowedRoles("Operators") > testService.testOperators(); > } catch (EJBAccessException ex) { > logger.error("testOperators access failed " + ex); > } > > try { > // bean method with @AllowedRoles("Admins") > testService.testAdmins(); > } catch (EJBAccessException ex) { > logger.error("testAdmin access failed " + ex); > } > } > } > > --------------------------------------------------------------------- > Beana provadejici autentizaci oproti LDAPu (ta probehne uspesne) > > > @Stateless > public class LoginFacade implements LoginFacadeLocal{ > static Logger logger = Logger.getLogger(LoginFacade.class.getName()); > > @PermitAll > public void login(String user, String password) throws LoginException { > > CallbackHandler handler = new UserPassHandler(user, password); > > LoginContext lc = new LoginContext("localLdapPolicy", handler); > lc.login(); > > > Subject subject = lc.getSubject(); > if (subject != null) { > logger.info("Subject retrieved: " + subject); > } > } > } > --------------------------------------------------------------------- > server.log: > > 2010-12-07 15:12:31,406 TRACE > [org.jboss.security.auth.login.XMLLoginConfigImpl] (http-0.0.0.0-8080-1) > Begin getAppConfigurationEntry(localLdapPolicy), size=11 > 2010-12-07 15:12:31,406 TRACE > [org.jboss.security.auth.login.XMLLoginConfigImpl] (http-0.0.0.0-8080-1) End > getAppConfigurationEntry(localLdapPolicy), authInfo=AppConfigurationEntry[]: > [0] > LoginModule Class: org.jboss.security.auth.spi.LdapExtLoginModule > ControlFlag: LoginModuleControlFlag: required > Options: > name=baseFilter, value=(uid={0}) > name=java.naming.security.authentication, value=simple > name=java.naming.factory.initial, value=com.sun.jndi.ldap.LdapCtxFactory > name=allowEmptyPasswords, value=false > name=roleFilter, value=(member={1}) > name=bindCredential, value=**** > name=bindDN, value=uid=admin,ou=system > name=java.naming.provider.url, value=ldap://localhost:10389 > name=rolesCtxDN, value=ou=Roles,dc=example,dc=com > name=baseCtxDN, value=ou=People,dc=example,dc=com > name=searchScope, value=ONELEVEL_SCOPE > name=roleAttributeID, value=cn > > 2010-12-07 15:12:31,422 TRACE > [org.jboss.security.auth.spi.LdapExtLoginModule] (http-0.0.0.0-8080-1) > initialize > 2010-12-07 15:12:31,422 TRACE > [org.jboss.security.auth.spi.LdapExtLoginModule] (http-0.0.0.0-8080-1) > Security domain: localLdapPolicy > 2010-12-07 15:12:31,422 TRACE > [org.jboss.security.auth.spi.LdapExtLoginModule] (http-0.0.0.0-8080-1) login > 2010-12-07 15:12:31,453 TRACE > [org.jboss.security.auth.spi.LdapExtLoginModule] (http-0.0.0.0-8080-1) > Assign user to role Admins > 2010-12-07 15:12:31,469 TRACE > [org.jboss.security.auth.spi.LdapExtLoginModule] (http-0.0.0.0-8080-1) > Assign user to role Operators > 2010-12-07 15:12:31,469 TRACE > [org.jboss.security.auth.spi.LdapExtLoginModule] (http-0.0.0.0-8080-1) User > 'admin' authenticated, loginOk=true > 2010-12-07 15:12:31,469 TRACE > [org.jboss.security.auth.spi.LdapExtLoginModule] (http-0.0.0.0-8080-1) > commit, loginOk=true > 2010-12-07 15:12:31,469 ERROR [STDERR] (http-0.0.0.0-8080-1) 7.12.2010 > 15:12:31 com.example.facade.LoginFacade login > INFO: Subject retrieved: Subject: > Principal: admin > Principal: Roles(members:Operators,Admins) > 2010-12-07 15:12:31,469 ERROR [STDERR] (http-0.0.0.0-8080-1) 7.12.2010 > 15:12:31 com.example.facade.LoginFacade login > INFO: Principal retrieved: admin > 2010-12-07 15:12:31,469 ERROR [STDERR] (http-0.0.0.0-8080-1) 7.12.2010 > 15:12:31 com.example.facade.LoginFacade login > INFO: Principal retrieved: Roles(members:Operators,Admins) > 2010-12-07 15:12:31,469 DEBUG > [org.jboss.ejb3.proxy.handler.ProxyInvocationHandlerBase] > (http-0.0.0.0-8080-1) Couldn't handle invocation directly within > org.jboss.ejb3.proxy.handler.session.stateless.statelesslocalproxyinvocationhand...@393f3c: > Current invocation "public abstract void > com.example.facade.TestServiceLocal.testOperators()" is not eligible for > direct handling by > org.jboss.ejb3.proxy.handler.session.stateless.statelesslocalproxyinvocationhand...@393f3c > 2010-12-07 15:12:31,469 DEBUG > [org.jboss.ejb3.common.registrar.plugin.mc.Ejb3McRegistrar] > (http-0.0.0.0-8080-1) Returning from name > "jboss.j2ee:ear=LDAPLoginTestFacade.ear,jar=LDAPLoginTestFacade-ejb.jar,name=TestService,service=EJB3": > jboss.j2ee:ear=LDAPLoginTestFacade.ear,jar=LDAPLoginTestFacade-ejb.jar,name=TestService,service=EJB3 > 2010-12-07 15:12:31,484 TRACE [org.jboss.security.SecurityRolesAssociation] > (http-0.0.0.0-8080-1) Setting threadlocal:{} > 2010-12-07 15:12:31,484 TRACE > [org.jboss.security.plugins.authorization.JBossAuthorizationContext] > (http-0.0.0.0-8080-1) Control flag for > entry:org.jboss.security.authorization.config.AuthorizationModuleEntry{org.jboss.security.authorization.modules.DelegatingAuthorizationModule:{}REQUIRED}is:[REQUIRED] > 2010-12-07 15:12:31,500 TRACE > [org.jboss.security.authorization.modules.ejb.EJBPolicyModuleDelegate] > (http-0.0.0.0-8080-1) method=public void > com.example.facade.TestService.testOperators(), interface=Local, > requiredRoles=Roles(Operators,) > 2010-12-07 15:12:31,500 TRACE > [org.jboss.security.authorization.modules.ejb.EJBPolicyModuleDelegate] > (http-0.0.0.0-8080-1) Exception:Insufficient method permissions, > principal=null, ejbName=TestService, method=testOperators, interface=Local, > requiredRoles=Roles(Operators,), principalRoles=Roles() > 2010-12-07 15:12:31,500 TRACE > [org.jboss.security.plugins.authorization.JBossAuthorizationContext] > (http-0.0.0.0-8080-1) REQUIRED failed for > Name=org.jboss.security.authorization.modules.DelegatingAuthorizationModule:subject=Subject: > Principal: anonymous > :role=Roles() > 2010-12-07 15:12:31,500 TRACE > [org.jboss.security.plugins.authorization.JBossAuthorizationContext] > (http-0.0.0.0-8080-1) Error in authorize: > org.jboss.security.authorization.AuthorizationException: Authorization > Failed: > at > org.jboss.security.plugins.authorization.JBossAuthorizationContext.invokeAuthorize(JBossAuthorizationContext.java:263) > at > org.jboss.security.plugins.authorization.JBossAuthorizationContext.access$000(JBossAuthorizationContext.java:67) > at > org.jboss.security.plugins.authorization.JBossAuthorizationContext$1.run(JBossAuthorizationContext.java:152) > at java.security.AccessController.doPrivileged(Native Method) > at > org.jboss.security.plugins.authorization.JBossAuthorizationContext.authorize(JBossAuthorizationContext.java:148) > at > org.jboss.security.plugins.JBossAuthorizationManager.internalAuthorization(JBossAuthorizationManager.java:474) > at > org.jboss.security.plugins.JBossAuthorizationManager.authorize(JBossAuthorizationManager.java:124) > at > org.jboss.security.plugins.javaee.EJBAuthorizationHelper.authorize(EJBAuthorizationHelper.java:116) > at > org.jboss.ejb3.security.RoleBasedAuthorizationInterceptorv2.invoke(RoleBasedAuthorizationInterceptorv2.java:189) > at > org.jboss.aop.joinpoint.MethodInvocation.invokeNext(MethodInvocation.java:102) > at > org.jboss.ejb3.security.Ejb3AuthenticationInterceptorv2.invoke(Ejb3AuthenticationInterceptorv2.java:186) > at > org.jboss.aop.joinpoint.MethodInvocation.invokeNext(MethodInvocation.java:102) > at > org.jboss.ejb3.ENCPropagationInterceptor.invoke(ENCPropagationInterceptor.java:41) > at > org.jboss.aop.joinpoint.MethodInvocation.invokeNext(MethodInvocation.java:102) > at > org.jboss.ejb3.asynchronous.AsynchronousInterceptor.invoke(AsynchronousInterceptor.java:106) > at > org.jboss.aop.joinpoint.MethodInvocation.invokeNext(MethodInvocation.java:102) > at > org.jboss.ejb3.BlockContainerShutdownInterceptor.invoke(BlockContainerShutdownInterceptor.java:67) > at > org.jboss.aop.joinpoint.MethodInvocation.invokeNext(MethodInvocation.java:102) > at > org.jboss.aspects.currentinvocation.CurrentInvocationInterceptor.invoke(CurrentInvocationInterceptor.java:67) > at > org.jboss.aop.joinpoint.MethodInvocation.invokeNext(MethodInvocation.java:102) > at > org.jboss.ejb3.session.SessionSpecContainer.invoke(SessionSpecContainer.java:219) > at > org.jboss.ejb3.proxy.handler.ProxyInvocationHandlerBase.invoke(ProxyInvocationHandlerBase.java:261) > at > org.jboss.ejb3.proxy.handler.session.SessionSpecProxyInvocationHandlerBase.invoke(SessionSpecProxyInvocationHandlerBase.java:101) > at $Proxy135.testOperators(Unknown Source) > at com.example.LoginServlet.testEJBmethods(LoginServlet.java:84) > at com.example.LoginServlet.processRequest(LoginServlet.java:61) > ... > 2010-12-07 15:12:31,500 TRACE > [org.jboss.security.plugins.javaee.EJBAuthorizationHelper] > (http-0.0.0.0-8080-1) Error in authorization: > org.jboss.security.authorization.AuthorizationException: Authorization > Failed: > at > org.jboss.security.plugins.authorization.JBossAuthorizationContext.invokeAuthorize(JBossAuthorizationContext.java:263) > at > org.jboss.security.plugins.authorization.JBossAuthorizationContext.access$000(JBossAuthorizationContext.java:67) > at > org.jboss.security.plugins.authorization.JBossAuthorizationContext$1.run(JBossAuthorizationContext.java:152) > .... > 2010-12-07 15:12:31,500 TRACE > [org.jboss.security.audit.providers.LogAuditProvider] (http-0.0.0.0-8080-1) > [Error]Source=org.jboss.security.plugins.javaee.EJBAuthorizationHelper;Exception:=Authorization > Failed: > ;Resource:=[org.jboss.security.authorization.resources.EJBResource:contextmap={policyregistration=org.jboss.security.plugins.jbosspolicyregistrat...@148b6d3}:method=public > void > com.example.facade.TestService.testOperators():ejbMethodInterface=Local:ejbName=TestService:ejbPrincipal=null:MethodRoles=Roles(Operators,):securityRoleReferences=null:callerSubject=Subject: > Principal: anonymous > :callerRunAs=null:callerRunAs=null:ejbRestrictionEnforcement=false:ejbVersion=null];policyregistration=org.jboss.security.plugins.jbosspolicyregistrat...@148b6d3; > 2010-12-07 15:12:31,500 ERROR [com.example.LoginServlet] > (http-0.0.0.0-8080-1) testOperators access failed > javax.ejb.EJBAccessException: Caller unauthorized > 2010-12-07 15:12:31,625 DEBUG > [org.jboss.ejb3.proxy.handler.ProxyInvocationHandlerBase] > (http-0.0.0.0-8080-1) Couldn't handle invocation directly within > org.jboss.ejb3.proxy.handler.session.stateless.statelesslocalproxyinvocationhand...@393f3c: > Current invocation "public abstract void > com.example.facade.TestServiceLocal.testAdmins()" is not eligible for direct > handling by > org.jboss.ejb3.proxy.handler.session.stateless.statelesslocalproxyinvocationhand...@393f3c >
