[jboss-user] [Security JAAS/JBoss] - Re: Programmatic Authentication in JBoss?

2007-03-14 Thread eschulma
Those two items would do what I need.  I assume that getUserPrincipal() returns 
the same value as getCallerPrincipal()?

I guess you could try playing around with web.xml and see if the authentication 
allows you to access protected resources.

View the original post : 
http://www.jboss.com/index.html?module=bbop=viewtopicp=4028108#4028108

Reply to the post : 
http://www.jboss.com/index.html?module=bbop=postingmode=replyp=4028108
___
jboss-user mailing list
jboss-user@lists.jboss.org
https://lists.jboss.org/mailman/listinfo/jboss-user


[jboss-user] [Security JAAS/JBoss] - Re: Programmatic Authentication in JBoss?

2007-03-12 Thread eschulma
You guys rock.  :-)

View the original post : 
http://www.jboss.com/index.html?module=bbop=viewtopicp=4027291#4027291



[jboss-user] [Security JAAS/JBoss] - Re: Unexpected Principal (Security Identity) Propagation Swi

2007-03-12 Thread eschulma
This was a configuration error on my part -- it was actually failing (in a 
non-obvious way) on the first call as well.  Please ignore.

View the original post : 
http://www.jboss.com/index.html?module=bbop=viewtopicp=4027294#4027294



[jboss-user] [Security JAAS/JBoss] - Unexpected Principal (Security Identity) Propagation Switch

2007-02-27 Thread eschulma
I am experiencing a similar (identical?) bug that was reported in 
http://jira.jboss.com/jira/browse/JBAS-1852?page=com.cenqua.fisheye.jira:fisheye-tabpanel
 and reported fixed in JBoss 4.0.3.  

I access a session bean twice from the web tier, as an unauthenticated user.  
The session bean function is basically a wrapper to 
ctx.isCallerInRole(roleName).  On the second time that function is called I get

javax.security.auth.login.FailedLoginException: No matching username found in 
Principals

On the first call, there is no problem.  Setting the unauthenticatedIdentity 
option does not help.

I have tried both 4.0.4GA and 4.0.5GA and the problem is still there.  I wanted 
to do a sanity check before filing a JIRA report.  Any comments?

View the original post : 
http://www.jboss.com/index.html?module=bbop=viewtopicp=4023301#4023301



[jboss-user] [Security JAAS/JBoss] - Re: Programmatic Authentication in JBoss?

2007-02-09 Thread eschulma
Unfortunately...I don't think there has to be a way, that is the problem.  
The servlet spec does not require it.

If you use one of Tomcat's authentication methods -- basic, form, etc. -- the 
credentials carry through very nicely and it is all wonderful.  JBoss provides 
a way from Tomcat -> EJB layer but not vice-versa.

I am using AOP security and after the complexity of getting that running right, 
I'm very pleased.  I think this will do everything needed, one can protect any 
function with it.  You will need a JaasLoginFilter or equivalent for the web 
layer, plus stuffing username/password into session.

If you absolutely must do it with Tomcat, realize it's a Tomcat issue -- a 
custom Valve or Realm might work.  But I think that would be extremely fragile 
with respect to upgrades.

View the original post : 
http://www.jboss.com/index.html?module=bbop=viewtopicp=4013922#4013922
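
The filter approach mentioned in the post above, as an added example; it is not code from the original post or from the JBoss wiki. The session attribute names are hypothetical, "client-login" is the ClientLoginModule policy from the stock login-config.xml quoted elsewhere on this page, and UsernamePasswordHandler is JBoss's own callback handler class.

```java
import java.io.IOException;
import javax.security.auth.login.LoginContext;
import javax.security.auth.login.LoginException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpSession;
import org.jboss.security.auth.callback.UsernamePasswordHandler;

// Added example: per-request JAAS client login for web-tier calls to secured EJBs.
public class SessionJaasLoginFilter implements Filter {
    // Hypothetical session keys; the application's own login action sets them.
    static final String USER_KEY = "app.username";
    static final String PASS_KEY = "app.password";

    public void init(FilterConfig config) {}
    public void destroy() {}

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpSession session = ((HttpServletRequest) req).getSession(false);
        String user = session == null ? null : (String) session.getAttribute(USER_KEY);
        char[] pass = session == null ? null : (char[]) session.getAttribute(PASS_KEY);
        LoginContext lc = null;
        try {
            if (user != null && pass != null) {
                // ClientLoginModule only binds the credentials to this thread;
                // the EJB's security domain performs the real check on invocation.
                lc = new LoginContext("client-login", new UsernamePasswordHandler(user, pass));
                lc.login();
            }
            chain.doFilter(req, res);
        } catch (LoginException e) {
            throw new ServletException("JAAS client login failed", e);
        } finally {
            // Always log out so a pooled request thread does not keep this identity.
            if (lc != null) {
                try { lc.logout(); } catch (LoginException ignored) { }
            }
        }
    }
}
```

This does not log the user in to the servlet container, so web.xml constraints and getUserPrincipal() are unaffected. The session now holds a cleartext password, so session persistence and replication need to be protected accordingly.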



[jboss-user] [Security JAAS/JBoss] - Re: Programmatic Authentication in JBoss?

2007-02-06 Thread eschulma
After a lot of time spent on this, the issue seems to be Tomcat (or arguably 
the Servlet specification) more than JBoss.   A variant on the JaasLoginFilter 
in the How-To works fine for accessing JBoss resources.  Also as mentioned in 
the FAQ, #21.  But there seems to be no straightforward way to log in to the 
Tomcat container programmatically, it is necessary to use web.xml and 
j_security_check etc.  From what I can see online I'm not alone in my desire to 
find another way.

It is very nice that WebLogic and Sun provide convenience classes for this 
purpose.  I can see though that doing this is arguably outside the scope of the 
application server.

At this point, I'm just going to use EJB/POJO security as provided by JBoss, 
and ignore things like Struts role-based security.  Maybe the servlet spec will 
have this someday.  :-)

View the original post : 
http://www.jboss.com/index.html?module=bbop=viewtopicp=4012142#4012142



[jboss-user] [Security JAAS/JBoss] - Re: Programmatic Authentication in JBoss?

2007-01-26 Thread eschulma
Could you post more details on solving the first part of the question?  I have 
reviewed the documentation many times, and I am comfortable in dealing with 
MBeans, but I don't see how to get a handle to the Realm involved which I think 
is what is needed.

I know a filter would also work but that really seems like overkill.

I am seriously tempted to just copy the relevant code from here:

http://fisheye5.cenqua.com/browse/~raw,r=1.5/glassfish/appserv-core/src/java/com/sun/web/security/WebProgrammaticLogin.java

but that seems like a pretty ugly hack.

I would be very, very grateful for any suggestions.

View the original post : 
http://www.jboss.com/index.html?module=bbop=viewtopicp=4006922#4006922



[jboss-user] [Security JAAS/JBoss] - Re: Calling LoginModule in JBoss

2007-01-25 Thread eschulma
I would be extremely interested in learning this as well.  I would prefer to 
avoid using j_security_check.

View the original post : 
http://www.jboss.com/index.html?module=bbop=viewtopicp=4006669#4006669



[jboss-user] [Security JAAS/JBoss] - Re: JBoss4.0 and JAAS/Login-config.xml

2007-01-23 Thread eschulma
I have the identical problem with JBoss 4.0.4, and I do have the correct DTD.  
The only way I can get JBoss to see my application policy is if I call it 
jboss.web in login-config.xml -- I noticed that I get a message

[JAASRealm] Set JAAS app name jboss.web

every time I start my app.  

Trying to do things the right way, I have for my login-config.xml:


  | <?xml version='1.0'?>
  | <!DOCTYPE policy PUBLIC
  |   "-//JBoss//DTD JBOSS Security Config 3.0//EN"
  |   "http://www.jboss.org/j2ee/dtd/security_config.dtd">
  | 
  | <!-- The XML based JAAS login configuration read by the
  | org.jboss.security.auth.login.XMLLoginConfig mbean. Add
  | an application-policy element for each security domain.
  | 
  | The outline of the application-policy is:
  | <application-policy name="security-domain-name">
  |   <authentication>
  |     <login-module code="login.module1.class.name" flag="control_flag">
  |       <module-option name = "option1-name">option1-value</module-option>
  |       <module-option name = "option2-name">option2-value</module-option>
  |       ...
  |     </login-module>
  | 
  |     <login-module code="login.module2.class.name" flag="control_flag">
  |       ...
  |     </login-module>
  |     ...
  |   </authentication>
  | </application-policy>
  | 
  | -->
  | 
  | <policy>
  |     <!-- Used by clients within the application server VM such as
  |     mbeans and servlets that access EJBs.
  |     -->
  |     <application-policy name = "client-login">
  |        <authentication>
  |           <login-module code = "org.jboss.security.ClientLoginModule"
  |              flag = "required">
  |              <!-- Any existing security context will be restored on logout -->
  |              <module-option name="restore-login-identity">true</module-option>
  |           </login-module>
  |        </authentication>
  |     </application-policy>
  | 
  |     <!-- Security domain for JBossMQ -->
  |     <application-policy name = "jbossmq">
  |        <authentication>
  |           <login-module code = "org.jboss.security.auth.spi.DatabaseServerLoginModule"
  |              flag = "required">
  |              <module-option name = "unauthenticatedIdentity">guest</module-option>
  |              <module-option name = "dsJndiName">java:/DefaultDS</module-option>
  |              <module-option name = "principalsQuery">SELECT PASSWD FROM JMS_USERS WHERE USERID=?</module-option>
  |              <module-option name = "rolesQuery">SELECT ROLEID, 'Roles' FROM JMS_ROLES WHERE USERID=?</module-option>
  |           </login-module>
  |        </authentication>
  |     </application-policy>
  | 
  |     <!-- Security domain for JBossMQ when using file-state-service.xml
  |     <application-policy name = "jbossmq">
  |        <authentication>
  |           <login-module code = "org.jboss.mq.sm.file.DynamicLoginModule"
  |              flag = "required">
  |              <module-option name = "unauthenticatedIdentity">guest</module-option>
  |              <module-option name = "sm.objectname">jboss.mq:service=StateManager</module-option>
  |           </login-module>
  |        </authentication>
  |     </application-policy>
  |     -->
  | 
  |     <!-- Security domains for testing new jca framework -->
  |     <application-policy name = "HsqlDbRealm">
  |        <authentication>
  |           <login-module code = "org.jboss.resource.security.ConfiguredIdentityLoginModule"
  |              flag = "required">
  |              <module-option name = "principal">sa</module-option>
  |              <module-option name = "userName">sa</module-option>
  |              <module-option name = "password"></module-option>
  |              <module-option name = "managedConnectionFactoryName">jboss.jca:service=LocalTxCM,name=DefaultDS</module-option>
  |           </login-module>
  |        </authentication>
  |     </application-policy>
  | 
  |     <application-policy name = "JmsXARealm">
  |        <authentication>
  |           <login-module code = "org.jboss.resource.security.ConfiguredIdentityLoginModule"
  |              flag = "required">
  |              <module-option name = "principal">guest</module-option>
  |              <module-option name = "userName">guest</module-option>
  |              <module-option name = "password">guest</module-option>
  |              <module-option name = "managedConnectionFactoryName">jboss.jca:service=TxCM,name=JmsXA</module-option>
  |           </login-module>
  |        </authentication>
  |     </application-policy>
  | 
  |     <!-- A template configuration for the jmx-console web application. This
  |       defaults to the UsersRolesLoginModule the same as other and should be
  |       changed to a stronger authentication mechanism as required.
  |     -->
  |     <application-policy name = "jmx-console">
  |        <authentication>
  |           <login-module code="org.jboss.security.auth.spi.UsersRolesLoginModule"
  |              flag = "required">
  |            <module-option name="usersProperties">props/jmx-console-users.properties</module-option>
  |            <module-option name="rolesProperties">props/jmx-console-roles.properties</module-option>
  |           </login-module>
  |

[jboss-user] [Security JAAS/JBoss] - Re: JBoss4.0 and JAAS/Login-config.xml

2007-01-23 Thread eschulma
As usual, after banging my head so long that I finally decide to post, the 
solution comes shortly afterward.

The main problem appears to have been that I had commented out some lines in 
the Tomcat SAR server.xml that refer to JAAS when JBoss was first installed, 
over 6 months ago.  Not sure *why* I did that to begin with, but reverting back 
basically solved the problem, at least with respect to the web side of things.

It looks as though the security domain is first loaded into JNDI when an 
attempt is made to access the restricted web pages.

However, it still does not work for EJBs -- if I refer to the security domain 
in jboss.xml, the EJB deployments fail with the message "Unable to find 
security domain".  Presumably though this is a dependency issue, and will be 
easier to solve (I hope).


View the original post : 
http://www.jboss.com/index.html?module=bbop=viewtopicp=4005483#4005483



[jboss-user] [Security JAAS/JBoss] - Re: JBoss4.0 and JAAS/Login-config.xml

2007-01-23 Thread eschulma
And the final fix -- I should have put

java:/jaas/webappDomain

in jboss.xml rather than 

java:jaas/webappDomain

Both forms actually work for jboss-web.xml, which is a little surprising.

Hope this helps someone.

View the original post : 
http://www.jboss.com/index.html?module=bbop=viewtopicp=4005488#4005488



[jboss-user] [JBoss Getting Started Documentation] - Re: PluggableInstrumentor

2006-12-18 Thread eschulma
That doesn't work.   You need to download the AOP package (separate from the 
main AS), and use the jars from there:

This Wiki entry shows how:

http://labs.jboss.com/portal/index.html?ctrl:cmd=renderctrl:window=default.wiki.WikiPortletWindowpage=ConfiguringAopLoadtimeWeavinglanguage=EN

View the original post : 
http://www.jboss.com/index.html?module=bbop=viewtopicp=3994812#3994812



[jboss-user] [Installation, Configuration & Deployment] - Re: Web console not present in 4.0.4 ejb3 clustered installa

2006-07-21 Thread eschulma
OK, it isn't installed by default; I ran the "all" installation and was able to 
copy over the necessary files from there.

View the original post : 
http://www.jboss.com/index.html?module=bbop=viewtopicp=3960053#3960053
