[jboss-user] [Security & JAAS/JBoss] - Re: Integration of Custom Client and Server Login Modules

2006-07-18 Thread kearns
Thanks for your patience as I know this may seem to some as straightforward.

I have already succeeded in a previous project to use BASIC web authentication 
attached to a domain using the JBoss UsersRolesLoginModule. Only Customer and 
Admin roles can access specific web pages and then calls to remote EJBs are 
also restricted based on role.

Web.xml:
  <!-- element tags were lost when the post was archived; the values that
       survived are shown here in the standard web.xml structure -->
  <security-role>
    <role-name>admin</role-name>
  </security-role>
  <security-role>
    <role-name>customer</role-name>
  </security-role>

  <login-config>
    <auth-method>BASIC</auth-method>
    <realm-name>BankDomain</realm-name>
  </login-config>


JBoss-web.xml:
  <jboss-web>
    <security-domain>java:/jaas/BankDomain</security-domain>
    <context-root>/bank</context-root>
  </jboss-web>

JBoss.xml:
  <jboss>
    <security-domain>java:/jaas/BankDomain</security-domain>
  </jboss>


The target bean is the same remote stateless session bean, BankMgr, which uses 
the Caller Principal in the way you mentioned:

    public CustomerData getMyData() throws bank.BankException {
        Principal p = context.getCallerPrincipal();
        String userN = p.getName();
        if (userN.equalsIgnoreCase("ANONYMOUS") ||
            userN.equalsIgnoreCase("GUEST")) {
            throw new BankException("BankMgrBean: getMyData - User not logged in");
        }
        int pUserId = Integer.parseInt(userN);
        // ... the remainder of the method was not included in the post
    }

However, what I wanted to show in this Proof of Concept (PoC) project was that 
client authentication could be executed independently from server side resource 
control, e.g. bean method execution. Such a scenario would occur if 
authentication of the client is not under your control but authorisation to 
use server side (remote) resources is. Thus, I cannot use the same security 
realm for both the client and server resources.

Thanks again for your help.

View the original post : 
http://www.jboss.com/index.html?module=bb&op=viewtopic&p=3958791#3958791

Reply to the post : 
http://www.jboss.com/index.html?module=bb&op=posting&mode=reply&p=3958791
___
jboss-user mailing list
jboss-user@lists.jboss.org
https://lists.jboss.org/mailman/listinfo/jboss-user


[jboss-user] [Security & JAAS/JBoss] - Re: Integration of Custom Client and Server Login Modules

2006-07-18 Thread j2ee_junkie
kearns,

You need a better understanding of authentication/authorization.  There is just 
too much stuff that is wrong here.  See the resource I mentioned below.  As 
well as the wikis at wiki.jboss.org/wiki/Wiki.jsp?page=JBossSX
and
wiki.jboss.org/wiki/Wiki.jsp?page=Tomcat.

However in an effort to point you in the right direction...

1.) you need to set up and configure container managed security for your web 
application (per j2ee spec.)  I suggest using FORM based authentication.  I 
suggest you combine the actions of both your com.jaas.RdbmsLoginModule and your 
bank.jaas.CustomServerLoginModule into one login module that is configured for 
the security domain covering the web app.

2.) Then you need to set up and configure container managed security for your 
EJBs (I think you have already done this).  In this case, make the security 
domain the same as that in step 1.

The result will be that your user authenticates via the new 
CustomServerLoginModule for both the web application as well as the EJB 
components.  Once authenticated you can just call the bean.  Note that you do 
not need to perform any LoginContext.login()s in your application.

Also, your custom login module should store the customer id and NHS# (so long 
as these are not restricted data) as custom Principals under the Subject.  If 
the customerID is what you use internally to identify the user (rather than the 
"user" parameter entered in the login form), then follow JBoss' subject usage 
pattern and make this principal the "Caller Principal".  Finally, you can get 
the customer id to use in method 
bankMgrDelegate.getCustomerData(custId).toString() by using the 
EJBContext.getCallerPrincipal() method.

There is just too much to say, hope this provides some direction.  cgriffith

View the original post : 
http://www.jboss.com/index.html?module=bb&op=viewtopic&p=3958768#3958768

Reply to the post : 
http://www.jboss.com/index.html?module=bb&op=posting&mode=reply&p=3958768
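A login module that follows the subject usage pattern cgriffith describes (one module for the security domain shared by the web app and the EJBs, with the customer id published as the caller principal), as an added example written for this page rather than code from the thread or from JBoss. It extends JBoss' org.jboss.security.auth.spi.UsernamePasswordLoginModule, which implements login() and commit() and only asks a subclass for the stored password and the role sets. The class and package names, the in-memory table standing in for the RDBMS, and the sample users are assumptions.

```java
package bank.jaas; // assumed; the thread only names bank.jaas.CustomServerLoginModule

import java.security.Principal;
import java.security.acl.Group;
import java.util.HashMap;
import java.util.Map;

import javax.security.auth.login.FailedLoginException;
import javax.security.auth.login.LoginException;

import org.jboss.security.SimpleGroup;
import org.jboss.security.SimplePrincipal;
import org.jboss.security.auth.spi.UsernamePasswordLoginModule;

/*
 * Assumed login-config.xml entry. The domain name BankDomain is the poster's;
 * the module class name is not. With <security-domain>java:/jaas/BankDomain</security-domain>
 * in both jboss-web.xml and jboss.xml, this one module authenticates the FORM
 * login and the EJB calls, and no LoginContext.login() is needed in the application.
 *
 *   <application-policy name="BankDomain">
 *     <authentication>
 *       <login-module code="bank.jaas.CustomerLoginModule" flag="required"/>
 *     </authentication>
 *   </application-policy>
 */
public class CustomerLoginModule extends UsernamePasswordLoginModule {

    /** Application identity: getName() is the internal customer id, not the login name. */
    public static final class CustomerPrincipal implements Principal {
        private final String customerId;
        private final String nhsNumber;

        public CustomerPrincipal(String customerId, String nhsNumber) {
            this.customerId = customerId;
            this.nhsNumber = nhsNumber;
        }

        public String getName()      { return customerId; }
        public String getNhsNumber() { return nhsNumber; }

        // Principals are kept in a Set inside the Subject, so equality must be by value.
        public boolean equals(Object o) {
            return o instanceof CustomerPrincipal
                && customerId.equals(((CustomerPrincipal) o).customerId);
        }
        public int hashCode()    { return customerId.hashCode(); }
        public String toString() { return "CustomerPrincipal[" + customerId + "]"; }
    }

    // Constructed stand-in for the customer table: login name -> {password, customer id, NHS number, roles}.
    private static final Map<String, String[]> USERS = new HashMap<String, String[]>();
    static {
        USERS.put("alice", new String[] { "alice-pw", "1001", "943-476-5919", "customer" });
        USERS.put("ops",   new String[] { "ops-pw",   "1",    "",             "admin,customer" });
    }

    private CustomerPrincipal customer;

    /** Called by the inherited login(): the stored password for the name from the NameCallback. */
    protected String getUsersPassword() throws LoginException {
        String[] row = USERS.get(getUsername());
        if (row == null) {
            throw new FailedLoginException("unknown user");
        }
        customer = new CustomerPrincipal(row[1], row[2]);
        return row[0];
    }

    /**
     * Called by the inherited commit(). The "Roles" group is what the container
     * authorises against; the "CallerPrincipal" group is the JBoss convention that
     * makes EJBContext.getCallerPrincipal() return our CustomerPrincipal instead of
     * the login-name principal.
     */
    protected Group[] getRoleSets() throws LoginException {
        String[] row = USERS.get(getUsername());
        Group roles = new SimpleGroup("Roles");
        for (String role : row[3].split(",")) {
            roles.addMember(new SimplePrincipal(role));
        }
        Group caller = new SimpleGroup("CallerPrincipal");
        caller.addMember(customer);
        return new Group[] { roles, caller };
    }
}
```

With this in place the BankMgr bean's getCallerPrincipal().getName() is the customer id string it already parses with Integer.parseInt. The stand-in table holds clear-text passwords only to keep the example short; against a real table store a digest and set the module options hashAlgorithm and hashEncoding in login-config.xml so the inherited validatePassword() compares hashes.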


[jboss-user] [Security & JAAS/JBoss] - Re: Integration of Custom Client and Server Login Modules

2006-07-18 Thread kearns
Thanks for your continued interest. 

I continued to research the problem and started with switching on logging for 
the jboss security package in log4j:

  [log4j.xml category/appender configuration: element tags not preserved in the post]

When I ran the app I expected to see a security manager log entry for both of 
the security domains (or realms) i.e. SecureBankDomain and Example (the custom 
client login module policy name). However only the SecureBankDomain was logged:

2006-07-18 10:46:53,125 DEBUG [org.jboss.security.plugins.JaasSecurityManager.SecureBankDomain] CallbackHandler: [EMAIL PROTECTED]
2006-07-18 10:46:53,125 DEBUG [org.jboss.security.plugins.JaasSecurityManagerService] Created [EMAIL PROTECTED]
2006-07-18 10:46:53,125 DEBUG [org.jboss.security.plugins.JaasSecurityManager.SecureBankDomain] CachePolicy set to: [EMAIL PROTECTED]
2006-07-18 10:46:53,125 DEBUG [org.jboss.security.plugins.JaasSecurityManagerService] setCachePolicy, [EMAIL PROTECTED]
2006-07-18 10:46:53,125 DEBUG [org.jboss.security.plugins.JaasSecurityManagerService] Added SecureBankDomain, [EMAIL PROTECTED] to map

View the original post : 
http://www.jboss.com/index.html?module=bb&op=viewtopic&p=3958721#3958721

Reply to the post : 
http://www.jboss.com/index.html?module=bb&op=posting&mode=reply&p=3958721


[jboss-user] [Security & JAAS/JBoss] - Re: Integration of Custom Client and Server Login Modules

2006-07-18 Thread kearns
hi,

The jsp page where the client enters the data is shown below. You will see that 
I extract the credential 'customer id' from the subject to use in a call to a 
BankMgr Bean via a delegate (BankMgrDelegate). The BankMgr bean is in the 
'SecureBankDomain' which uses the CustomServerLoginModule to map the 'customer 
id' credential to a role. Specific roles have access to specific methods.



<%@ page import="java.util.Iterator, java.util.Properties,
                 javax.security.auth.login.LoginContext" %>
<%-- PassiveCallbackHandler and BankMgrDelegate are the poster's own classes;
     their packages are not given in the post, so no import is shown for them. --%>
<html>
<body>
<%
if (request.getParameter("user") == null) {
%>
<form method="post">
  User: <input type="text" name="user"><br>
  Password: <input type="password" name="pass"><br>
  <input type="submit" value="Login">
</form>
<%
} else {
    // just so you can see the debug messages
    //System.setOut(new PrintStream(response.getOutputStream()));

    try {
        // Get the form's username & password fields
        String user = request.getParameter("user");
        String pass = request.getParameter("pass");

        // Use the username/password to initialize the
        // callback handler and then do the authentication.
        PassiveCallbackHandler cbh = new PassiveCallbackHandler(user, pass);

        LoginContext lc = new LoginContext("Example", cbh);
        lc.login();

        // Loop through all Principals and Credentials.
        Iterator it = lc.getSubject().getPrincipals().iterator();
        while (it.hasNext()) {
            out.println("Authenticated: " + it.next().toString() + "<br>");
        }

        // As the credential is not any specific class, but can be any object,
        // the type is passed as an argument. Here RdbmsPrincipal extends
        // java.util.Properties.
        it = lc.getSubject().getPublicCredentials(Properties.class).iterator();

        out.println("Credentials: <br>");
        String id = null;
        Properties credential = null;
        while (it.hasNext()) {
            credential = (Properties) it.next();
            id = credential.getProperty("customer id");
            // NOTE: this echoes every property of the credential, including
            // the NHS number, into the HTML response.
            out.println(credential.toString());
        }

        // initialise bank manager delegate
        BankMgrDelegate bankMgrDelegate = new BankMgrDelegate();
        bankMgrDelegate.init();

        // call BankMgr bean
        if (id != null) {
            int custId = Integer.parseInt(id);
            try {
                out.println(bankMgrDelegate.getCustomerData(custId).toString());
            } catch (Exception e) {
                out.println("jaas: call BankMgr bean - " + e.getMessage());
            }
        } else {
            out.println("Controller: processRequest - INVALID parameter *** userId ***");
        }

        lc.logout();

    } catch (Exception e) {
        out.println("Caught Exception: " + e);
    }
}
%>
</body>
</html>
 

View the original post : 
http://www.jboss.com/index.html?module=bb&op=viewtopic&p=3958687#3958687

Reply to the post : 
http://www.jboss.com/index.html?module=bb&op=posting&mode=reply&p=3958687


[jboss-user] [Security & JAAS/JBoss] - Re: Integration of Custom Client and Server Login Modules

2006-07-17 Thread j2ee_junkie
Hi Kearns,

So you have a web-enabled client.  I am still not clear on what is your 
identifying principal and what is your credential.  What does the user enter in 
the form?  My point is to determine how your authentication data can be used as 
a String/Principal identity and an Object credential.  From there, we can talk 
about how to get this data to your server login module.

In the mean time, also check out the server guide chapter 8 at 
http://docs.jboss.org/jbossas/jboss4guide/r4/html/ch8.chapter.html.  

cgriffith

View the original post : 
http://www.jboss.com/index.html?module=bb&op=viewtopic&p=3958535#3958535

Reply to the post : 
http://www.jboss.com/index.html?module=bb&op=posting&mode=reply&p=3958535


[jboss-user] [Security & JAAS/JBoss] - Re: Integration of Custom Client and Server Login Modules

2006-07-17 Thread kearns
hi,

In the commit() of the client login module I add to the subject:

subject.getPrincipals().addAll(tempPrincipals);
subject.getPublicCredentials().addAll(tempCredentials);

where  tempCredentials contains the property name-value pairs:

c.setProperty("nhs number", nhsNum);
c.setProperty("customer id", custId);

The passive callback handler, PassiveCallbackHandler, has a constructor that 
takes a username and password so its handle() method does not have to prompt 
the user for input. This information is supplied by a JUnit test or by a jsp 
which gets the information from a HTML form. There are no peripheral security 
restrictions.

It is the custId that needs to be visible to the custom server login module.

At this time the application is deployed on my desktop running a default JBoss 
server.

Hope this helps. Cheers

View the original post : 
http://www.jboss.com/index.html?module=bb&op=viewtopic&p=3958514#3958514

Reply to the post : 
http://www.jboss.com/index.html?module=bb&op=posting&mode=reply&p=3958514
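The client-side pieces kearns describes above (a login module whose commit() publishes tempPrincipals and a Properties credential, and a PassiveCallbackHandler fed from a form or a test), as an added example written for this page rather than code from the thread. It is plain JAAS with no JBoss classes, so it runs on a stock JDK; the in-memory table standing in for the RDBMS, the sample user, the UserPrincipal class and all class names are assumptions. Beyond the post it also shows the abort() and logout() halves of the two-phase LoginModule contract.

```java
import java.io.IOException;
import java.security.Principal;
import java.util.*;
import javax.security.auth.Subject;
import javax.security.auth.callback.*;
import javax.security.auth.login.*;
import javax.security.auth.spi.LoginModule;

public class ClientLoginExample {

    /** Answers name/password callbacks from values captured earlier; never prompts. */
    public static final class PassiveCallbackHandler implements CallbackHandler {
        private final String user;
        private final char[] pass;
        public PassiveCallbackHandler(String user, String pass) { this.user = user; this.pass = pass.toCharArray(); }
        public void handle(Callback[] callbacks) throws UnsupportedCallbackException {
            for (Callback cb : callbacks) {
                if (cb instanceof NameCallback)          ((NameCallback) cb).setName(user);
                else if (cb instanceof PasswordCallback) ((PasswordCallback) cb).setPassword(pass);
                else throw new UnsupportedCallbackException(cb, "only name/password supported");
            }
        }
    }

    /** Identity principal carrying the login name (assumed class). */
    public static final class UserPrincipal implements Principal {
        private final String name;
        public UserPrincipal(String name) { this.name = name; }
        public String getName() { return name; }
        public boolean equals(Object o) { return o instanceof UserPrincipal && name.equals(((UserPrincipal) o).name); }
        public int hashCode() { return name.hashCode(); }
    }

    public static final class RdbmsLoginModule implements LoginModule {
        // Constructed stand-in for the customer table: login name -> {password, nhs number, customer id}.
        private static final Map<String, String[]> TABLE = new HashMap<String, String[]>();
        static { TABLE.put("alice", new String[] { "alice-pw", "943-476-5919", "1001" }); }

        private Subject subject;
        private CallbackHandler handler;
        // Phase-one results; published to the Subject only in commit().
        private final Set<Principal> tempPrincipals = new HashSet<Principal>();
        private final Set<Object> tempCredentials = new HashSet<Object>();
        private boolean succeeded, committed;

        public void initialize(Subject subject, CallbackHandler handler, Map<String, ?> shared, Map<String, ?> options) {
            this.subject = subject;
            this.handler = handler;
        }

        public boolean login() throws LoginException {
            NameCallback nc = new NameCallback("user: ");
            PasswordCallback pc = new PasswordCallback("password: ", false);
            try { handler.handle(new Callback[] { nc, pc }); }
            catch (IOException e) { throw new LoginException(e.toString()); }
            catch (UnsupportedCallbackException e) { throw new LoginException(e.toString()); }

            String[] row = TABLE.get(nc.getName());
            char[] given = pc.getPassword();
            pc.clearPassword();
            // Same failure message for unknown user and wrong password: no user enumeration.
            if (row == null || given == null || !row[0].equals(new String(given))) {
                throw new FailedLoginException("bad user or password");
            }
            Properties c = new Properties();
            c.setProperty("nhs number", row[1]);
            c.setProperty("customer id", row[2]);
            tempPrincipals.add(new UserPrincipal(nc.getName()));
            tempCredentials.add(c);
            return succeeded = true;
        }

        public boolean commit() {
            if (!succeeded) return false;
            subject.getPrincipals().addAll(tempPrincipals);
            subject.getPublicCredentials().addAll(tempCredentials);
            return committed = true;
        }

        public boolean abort() {             // another module in the stack failed: undo our work
            if (!succeeded) return false;
            if (committed) logout(); else { tempPrincipals.clear(); tempCredentials.clear(); }
            return !(succeeded = false) && true;
        }

        public boolean logout() {            // remove only what this module added
            subject.getPrincipals().removeAll(tempPrincipals);
            subject.getPublicCredentials().removeAll(tempCredentials);
            tempPrincipals.clear(); tempCredentials.clear();
            succeeded = committed = false;
            return true;
        }
    }

    /** Registers the "Example" policy in code, so no auth.conf / login.config file is needed. */
    public static void installConfiguration() {
        Configuration.setConfiguration(new Configuration() {
            public AppConfigurationEntry[] getAppConfigurationEntry(String name) {
                if (!"Example".equals(name)) return null;
                return new AppConfigurationEntry[] { new AppConfigurationEntry(RdbmsLoginModule.class.getName(),
                        AppConfigurationEntry.LoginModuleControlFlag.REQUIRED, Collections.<String, Object>emptyMap()) };
            }
            public void refresh() { }
        });
    }

    /** Logs in and returns the customer id the JSP in the thread pulls out of the credential. */
    public static String customerIdFor(String user, String pass) throws LoginException {
        LoginContext lc = new LoginContext("Example", new PassiveCallbackHandler(user, pass));
        lc.login();
        try {
            for (Properties p : lc.getSubject().getPublicCredentials(Properties.class)) {
                return p.getProperty("customer id");
            }
            return null;
        } finally {
            lc.logout();
        }
    }

    public static void main(String[] args) throws LoginException {
        installConfiguration();
        System.out.println(customerIdFor("alice", "alice-pw"));   // 1001
        try { customerIdFor("alice", "wrong"); }
        catch (FailedLoginException e) { System.out.println("rejected"); }
    }
}
```

Note what this does and does not do: it populates the Subject that the JSP reads, but nothing in it tells the JBoss EJB invocation layer who the caller is, which is why cgriffith's advice is to let the container's security domain perform the login rather than calling LoginContext.login() from the web tier.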


[jboss-user] [Security & JAAS/JBoss] - Re: Integration of Custom Client and Server Login Modules

2006-07-17 Thread j2ee_junkie
kearns,

There are still a few details I would need to understand your situation.

1.) It was not clear to me what data you need to be passed to your 
bank.jaas.CustomServerLoginModule.  What is acting as the identity principal 
and what is acting as the authentication data?  What else do you need here?  

2.) Is your client a standalone application or web-enabled?

3.) If your client is standalone, does it restrict the user from performing 
certain functions based on identity?  For example, if a user does not have the 
right to modify another user, then a certain screen is not enabled.

4.) if your client is standalone, is it multithreaded?

cgriffith

View the original post : 
http://www.jboss.com/index.html?module=bb&op=viewtopic&p=3958502#3958502

Reply to the post : 
http://www.jboss.com/index.html?module=bb&op=posting&mode=reply&p=3958502