[jboss-user] [Security JAAS/JBoss] - Re: Programmatic Authentication in JBoss?
Those two items would do what I need. I assume that getUserPrincipal() returns the same value as getCallerPrincipal()? I guess you could try playing around with web.xml and see if the authentication allows you to access protected resources.

View the original post : http://www.jboss.com/index.html?module=bbop=viewtopicp=4028108#4028108
Reply to the post : http://www.jboss.com/index.html?module=bbop=postingmode=replyp=4028108
___
jboss-user mailing list
jboss-user@lists.jboss.org
https://lists.jboss.org/mailman/listinfo/jboss-user
[jboss-user] [Security JAAS/JBoss] - Re: Programmatic Authentication in JBoss?
You guys rock. :-)

View the original post : http://www.jboss.com/index.html?module=bbop=viewtopicp=4027291#4027291
[jboss-user] [Security JAAS/JBoss] - Re: Unexpected Principal (Security Identity) Propagation Swi
This was a configuration error on my part -- it was actually failing (in a non-obvious way) on the first call as well. Please ignore.

View the original post : http://www.jboss.com/index.html?module=bbop=viewtopicp=4027294#4027294
[jboss-user] [Security JAAS/JBoss] - Unexpected Principal (Security Identity) Propagation Switch
I am experiencing a similar (identical?) bug that was reported in http://jira.jboss.com/jira/browse/JBAS-1852?page=com.cenqua.fisheye.jira:fisheye-tabpanel and reported fixed in JBoss 4.0.3.

I access a session bean twice from the web tier, as an unauthenticated user. The session bean function is basically a wrapper to ctx.isCallerInRole(roleName). On the second time that function is called I get

javax.security.auth.login.FailedLoginException: No matching username found in Principals

On the first call, there is no problem. Setting the unauthenticatedIdentity option does not help. I have tried both 4.0.4GA and 4.0.5GA and the problem is still there. I wanted to do a sanity check before filing a JIRA report. Any comments?

View the original post : http://www.jboss.com/index.html?module=bbop=viewtopicp=4023301#4023301
[jboss-user] [Security JAAS/JBoss] - Re: Programmatic Authentication in JBoss?
Unfortunately...I don't think there has to be a way, that is the problem. The servlet spec does not require it. If you use one of Tomcat's authentication methods -- basic, form, etc. -- the credentials carry through very nicely and it is all wonderful. JBoss provides a way from Tomcat -> EJB layer but not vice-versa.

I am using AOP security and after the complexity of getting that running right, I'm very pleased. I think this will do everything needed, one can protect any function with it. You will need a JaasLoginFilter or equivalent for the web layer, plus stuffing username/password into session.

If you absolutely must do it with Tomcat, realize it's a Tomcat issue -- a custom Valve or Realm might work. But I think that would be extremely fragile with respect to upgrades.

View the original post : http://www.jboss.com/index.html?module=bbop=viewtopicp=4013922#4013922
[jboss-user] [Security JAAS/JBoss] - Re: Programmatic Authentication in JBoss?
After a lot of time spent on this, the issue seems to be Tomcat (or arguably the Servlet specification) more than JBoss. A variant on the JaasLoginFilter in the How-To works fine for accessing JBoss resources. Also as mentioned in the FAQ, #21.

But there seems to be no straightforward way to log in to the Tomcat container programmatically; it is necessary to use web.xml and j_security_check etc. From what I can see online I'm not alone in my desire to find another way.

It is very nice that WebLogic and Sun provide convenience classes for this purpose. I can see though that doing this is arguably outside the scope of the application server. At this point, I'm just going to use EJB/POJO security as provided by JBoss, and ignore things like Struts role-based security. Maybe the servlet spec will have this someday. :-)

View the original post : http://www.jboss.com/index.html?module=bbop=viewtopicp=4012142#4012142
[jboss-user] [Security JAAS/JBoss] - Re: Programmatic Authentication in JBoss?
Could you post more details on solving the first part of the question? I have reviewed the documentation many times, and I am comfortable in dealing with MBeans, but I don't see how to get a handle to the Realm involved which I think is what is needed. I know a filter would also work but that really seems like overkill.

I am seriously tempted to just copy the relevant code from here: http://fisheye5.cenqua.com/browse/~raw,r=1.5/glassfish/appserv-core/src/java/com/sun/web/security/WebProgrammaticLogin.java but that seems like a pretty ugly hack. I would be very, very grateful for any suggestions.

View the original post : http://www.jboss.com/index.html?module=bbop=viewtopicp=4006922#4006922
[jboss-user] [Security JAAS/JBoss] - Re: Calling LoginModule in JBoss
I would be extremely interested in learning this as well. I would prefer to avoid using j_security_check.

View the original post : http://www.jboss.com/index.html?module=bbop=viewtopicp=4006669#4006669
[jboss-user] [Security JAAS/JBoss] - Re: JBoss4.0 and JAAS/Login-config.xml
I have the identical problem with JBoss 4.0.4, and I do have the correct DTD. The only way I can get JBoss to see my application policy is if I call it jboss.web in login-config.xml -- I noticed that I get a message

[JAASRealm] Set JAAS app name jboss.web

every time I start my app. Trying to do things the right way, I have for my login-config.xml:

| <?xml version='1.0'?>
| <!DOCTYPE policy PUBLIC
|       "-//JBoss//DTD JBOSS Security Config 3.0//EN"
|       "http://www.jboss.org/j2ee/dtd/security_config.dtd">
|
| <!-- The XML based JAAS login configuration read by the
| org.jboss.security.auth.login.XMLLoginConfig mbean. Add
| an application-policy element for each security domain.
|
| The outline of the application-policy is:
| <application-policy name="security-domain-name">
|   <authentication>
|     <login-module code="login.module1.class.name" flag="control_flag">
|       <module-option name = "option1-name">option1-value</module-option>
|       <module-option name = "option2-name">option2-value</module-option>
|       ...
|     </login-module>
|
|     <login-module code="login.module2.class.name" flag="control_flag">
|       ...
|     </login-module>
|     ...
|   </authentication>
| </application-policy>
|
| -->
|
| <policy>
|   <!-- Used by clients within the application server VM such as
|   mbeans and servlets that access EJBs.
|   -->
|   <application-policy name = "client-login">
|     <authentication>
|       <login-module code = "org.jboss.security.ClientLoginModule"
|         flag = "required">
|         <!-- Any existing security context will be restored on logout -->
|         <module-option name="restore-login-identity">true</module-option>
|       </login-module>
|     </authentication>
|   </application-policy>
|
|   <!-- Security domain for JBossMQ -->
|   <application-policy name = "jbossmq">
|     <authentication>
|       <login-module code = "org.jboss.security.auth.spi.DatabaseServerLoginModule"
|         flag = "required">
|         <module-option name = "unauthenticatedIdentity">guest</module-option>
|         <module-option name = "dsJndiName">java:/DefaultDS</module-option>
|         <module-option name = "principalsQuery">SELECT PASSWD FROM JMS_USERS WHERE USERID=?</module-option>
|         <module-option name = "rolesQuery">SELECT ROLEID, 'Roles' FROM JMS_ROLES WHERE USERID=?</module-option>
|       </login-module>
|     </authentication>
|   </application-policy>
|
|   <!-- Security domain for JBossMQ when using file-state-service.xml
|   <application-policy name = "jbossmq">
|     <authentication>
|       <login-module code = "org.jboss.mq.sm.file.DynamicLoginModule"
|         flag = "required">
|         <module-option name = "unauthenticatedIdentity">guest</module-option>
|         <module-option name = "sm.objectname">jboss.mq:service=StateManager</module-option>
|       </login-module>
|     </authentication>
|   </application-policy>
|   -->
|
|   <!-- Security domains for testing new jca framework -->
|   <application-policy name = "HsqlDbRealm">
|     <authentication>
|       <login-module code = "org.jboss.resource.security.ConfiguredIdentityLoginModule"
|         flag = "required">
|         <module-option name = "principal">sa</module-option>
|         <module-option name = "userName">sa</module-option>
|         <module-option name = "password"></module-option>
|         <module-option name = "managedConnectionFactoryName">jboss.jca:service=LocalTxCM,name=DefaultDS</module-option>
|       </login-module>
|     </authentication>
|   </application-policy>
|
|   <application-policy name = "JmsXARealm">
|     <authentication>
|       <login-module code = "org.jboss.resource.security.ConfiguredIdentityLoginModule"
|         flag = "required">
|         <module-option name = "principal">guest</module-option>
|         <module-option name = "userName">guest</module-option>
|         <module-option name = "password">guest</module-option>
|         <module-option name = "managedConnectionFactoryName">jboss.jca:service=TxCM,name=JmsXA</module-option>
|       </login-module>
|     </authentication>
|   </application-policy>
|
|   <!-- A template configuration for the jmx-console web application. This
|   defaults to the UsersRolesLoginModule the same as other and should be
|   changed to a stronger authentication mechanism as required.
|   -->
|   <application-policy name = "jmx-console">
|     <authentication>
|       <login-module code="org.jboss.security.auth.spi.UsersRolesLoginModule"
|         flag = "required">
|         <module-option name="usersProperties">props/jmx-console-users.properties</module-option>
|         <module-option name="rolesProperties">props/jmx-console-roles.properties</module-option>
|       </login-module>
|
[jboss-user] [Security JAAS/JBoss] - Re: JBoss4.0 and JAAS/Login-config.xml
As usual, after banging my head so long that I finally decide to post, the solution comes shortly afterward. The main problem appears to have been that I had commented out some lines in the Tomcat SAR server.xml that refer to JAAS when JBoss was first installed, over 6 months ago. Not sure *why* I did that to begin with, but reverting back basically solved the problem, at least with respect to the web side of things. It looks as though the security domain is first loaded into JNDI when an attempt is made to access the restricted web pages.

However, it still does not work for EJBs -- if I refer to the security domain in jboss.xml, the EJB deployments fail with the message Unable to find security domain. Presumably though this is a dependency issue, and will be easier to solve (I hope).

View the original post : http://www.jboss.com/index.html?module=bbop=viewtopicp=4005483#4005483
[jboss-user] [Security JAAS/JBoss] - Re: JBoss4.0 and JAAS/Login-config.xml
And the final fix -- I should have put

java:/jaas/webappDomain

in jboss.xml rather than

java:jaas/webappDomain

Both forms actually work for jboss-web.xml, which is a little surprising. Hope this helps someone.

View the original post : http://www.jboss.com/index.html?module=bbop=viewtopicp=4005488#4005488
[jboss-user] [JBoss Getting Started Documentation] - Re: PluggableInstrumentor
That doesn't work. You need to download the AOP package (separate from the main AS), and use the jars from there. This Wiki entry shows how: http://labs.jboss.com/portal/index.html?ctrl:cmd=renderctrl:window=default.wiki.WikiPortletWindowpage=ConfiguringAopLoadtimeWeavinglanguage=EN

View the original post : http://www.jboss.com/index.html?module=bbop=viewtopicp=3994812#3994812
[jboss-user] [Installation, Configuration Deployment] - Re: Web console not present in 4.0.4 ejb3 clustered installa
OK, it isn't installed by default; I ran the all installation and was able to copy over the necessary files from there.

View the original post : http://www.jboss.com/index.html?module=bbop=viewtopicp=3960053#3960053