[jboss-user] [Security & JAAS/JBoss] - Re: Integration of Custom Client and Server Login Modules
Thanks for your patience as I know this may seem to some as straightforward. I have already succeeded in a previous project in using BASIC web authentication attached to a domain using the JBoss UsersRolesLoginModule. Only Customer and Admin roles can access specific web pages, and then calls to remote EJBs are also restricted based on role.

web.xml: role names admin and customer; login-config with auth-method BASIC and realm-name BankDomain.

jboss-web.xml: security-domain java:/jaas/BankDomain, context-root /bank.

jboss.xml: security-domain java:/jaas/BankDomain.

The target bean is the same remote stateless session bean, BankMgr, which uses the Caller Principal in the way you mentioned:

    public CustomerData getMyData() throws bank.BankException {
        Principal p = context.getCallerPrincipal();
        String userN = p.getName();
        if (userN.equalsIgnoreCase("ANONYMOUS") || userN.equalsIgnoreCase("GUEST")) {
            throw new BankException("BankMgrBean: getMyData - User not logged in");
        }
        int pUserId = Integer.parseInt(userN);
        // ...
    }

However, what I wanted to show in this Proof of Concept (PoC) project was that client authentication could be executed independently from server side resource control, e.g. bean method execution. Such a scenario would occur if authentication of the client is not under your control but authorisation to use server side (remote) resources is. Thus, I cannot use the same security realm for both the client and server resources.

Thanks again for your help.

View the original post : http://www.jboss.com/index.html?module=bb&op=viewtopic&p=3958791#3958791 Reply to the post : http://www.jboss.com/index.html?module=bb&op=posting&mode=reply&p=3958791 ___ jboss-user mailing list jboss-user@lists.jboss.org https://lists.jboss.org/mailman/listinfo/jboss-user
[jboss-user] [Security & JAAS/JBoss] - Re: Integration of Custom Client and Server Login Modules
kearns,

You need a better understanding of authentication/authorization. There is just too much stuff that is wrong here. See the resource I mentioned below, as well as the wikis at wiki.jboss.org/wiki/Wiki.jsp?page=JBossSX and wiki.jboss.org/wiki/Wiki.jsp?page=Tomcat. However, in an effort to point you in the right direction...

1.) You need to set up and configure container managed security for your web application (per the J2EE spec). I suggest using FORM based authentication. I suggest you combine the actions of both your com.jaas.RdbmsLoginModule and your bank.jaas.CustomServerLoginModule into one login module that is configured for the security domain covering the web app.

2.) Then you need to set up and configure container managed security for your EJBs (I think you have already done this). In this case, make the security domain the same as that in step 1.

The result will be that your user authenticates via the new CustomServerLoginModule for both the web application as well as the EJB components. Once authenticated you can just call the bean. Note that you do not need to perform any LoginContext.login()s in your application.

Also, your custom login module should store the customer id and NHS# (so long as these are not restricted data) as custom Principals under the Subject. If the customerID is what you use internally to identify the user (rather than the "user" parameter entered in the login form), then follow JBoss' Subject usage pattern and make this principal the "Caller Principal". Finally, you can get the customer id to use in bankMgrDelegate.getCustomerData(custId).toString() by using the EJBContext.getCallerPrincipal() method.

There is just too much to say; hope this provides some direction.
cgriffith

View the original post : http://www.jboss.com/index.html?module=bb&op=viewtopic&p=3958768#3958768
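As an added example (not code from this thread, from kearns, or from JBoss itself), the single server-side login module cgriffith describes: one module for the security domain shared by the web app and the EJBs, which checks the form user name and password, puts the user's roles in the "Roles" group, and puts the internal customer id in a single-member "CallerPrincipal" group so that EJBContext.getCallerPrincipal() returns the customer id rather than the login name. The class name, the in-memory account table standing in for the RDBMS lookup, the application-policy name and the sample users are all assumptions made for the example; the base class and the Roles/CallerPrincipal group names are the JBoss 4 JBossSX ones.

```java
package bank.jaas; // assumed package; the poster's module is bank.jaas.CustomServerLoginModule

import java.security.acl.Group;
import java.util.HashMap;
import java.util.Map;
import javax.security.auth.login.LoginException;
import org.jboss.security.SimpleGroup;
import org.jboss.security.SimplePrincipal;
import org.jboss.security.auth.spi.UsernamePasswordLoginModule;

/**
 * One login module for the security domain covering both the web application
 * (FORM auth) and the EJBs. Configured in conf/login-config.xml, for example
 * (assumed wiring, not from the thread):
 *
 *   <application-policy name="SecureBankDomain">
 *     <authentication>
 *       <login-module code="bank.jaas.CombinedBankLoginModule" flag="required"/>
 *     </authentication>
 *   </application-policy>
 *
 * UsernamePasswordLoginModule collects the user name/password through the
 * container's CallbackHandler and compares the password with getUsersPassword();
 * with the hashAlgorithm module option set it hashes the input first, so the
 * stored value can be a digest instead of clear text.
 */
public class CombinedBankLoginModule extends UsernamePasswordLoginModule {

    /** Constructed stand-in for the RDBMS row the poster's RdbmsLoginModule reads. */
    private static final class Account {
        final String password;
        final String customerId;
        final String[] roles;

        Account(String password, String customerId, String... roles) {
            this.password = password;
            this.customerId = customerId;
            this.roles = roles;
        }
    }

    /** Constructed sample users (login name -> account); a real module queries the database here. */
    private static final Map<String, Account> ACCOUNTS = new HashMap<String, Account>();
    static {
        ACCOUNTS.put("alice", new Account("s3cret",  "1001", "customer"));
        ACCOUNTS.put("bob",   new Account("hunter2", "1002", "customer", "admin"));
    }

    /** Account resolved during login(); a new module instance is created per login. */
    private Account account;

    /**
     * Expected password for getUsername(). Returning null for an unknown user makes
     * the base class fail the login with the same generic "Password Incorrect/Password
     * Required" error as a wrong password, so user names are not enumerable.
     */
    @Override
    protected String getUsersPassword() throws LoginException {
        account = ACCOUNTS.get(getUsername());
        return account == null ? null : account.password;
    }

    /**
     * Groups added to the Subject by commit(), following the JBoss Subject usage pattern:
     * "Roles" drives method-permission and security-constraint checks, and the
     * single-member "CallerPrincipal" group is what EJBContext.getCallerPrincipal()
     * returns, so the bean sees the customer id instead of the form user name.
     */
    @Override
    protected Group[] getRoleSets() throws LoginException {
        if (account == null) {
            throw new LoginException("login() did not succeed");
        }
        Group roles = new SimpleGroup("Roles");
        for (String role : account.roles) {
            roles.addMember(new SimplePrincipal(role));
        }
        Group caller = new SimpleGroup("CallerPrincipal");
        caller.addMember(new SimplePrincipal(account.customerId));
        return new Group[] { roles, caller };
    }
}
```

With this module behind SecureBankDomain and both jboss-web.xml and jboss.xml pointing at java:/jaas/SecureBankDomain, the bean's existing Integer.parseInt(context.getCallerPrincipal().getName()) yields 1001 for alice and 1002 for bob, and a method-permission on the customer and admin roles keeps unauthenticated callers out of the method, so the ANONYMOUS/GUEST string check in getMyData() becomes unnecessary.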
[jboss-user] [Security & JAAS/JBoss] - Re: Integration of Custom Client and Server Login Modules
Thanks for your continued interest. I continued to research the problem and started with switching on logging for the jboss security package in log4j. When I ran the app I expected to see a security manager log entry for both of the security domains (or realms), i.e. SecureBankDomain and Example (the custom client login module policy name). However only the SecureBankDomain was logged:

    2006-07-18 10:46:53,125 DEBUG [org.jboss.security.plugins.JaasSecurityManager.SecureBankDomain] CallbackHandler: [EMAIL PROTECTED]
    2006-07-18 10:46:53,125 DEBUG [org.jboss.security.plugins.JaasSecurityManagerService] Created [EMAIL PROTECTED]
    2006-07-18 10:46:53,125 DEBUG [org.jboss.security.plugins.JaasSecurityManager.SecureBankDomain] CachePolicy set to: [EMAIL PROTECTED]
    2006-07-18 10:46:53,125 DEBUG [org.jboss.security.plugins.JaasSecurityManagerService] setCachePolicy, [EMAIL PROTECTED]
    2006-07-18 10:46:53,125 DEBUG [org.jboss.security.plugins.JaasSecurityManagerService] Added SecureBankDomain, [EMAIL PROTECTED] to map

View the original post : http://www.jboss.com/index.html?module=bb&op=viewtopic&p=3958721#3958721
[jboss-user] [Security & JAAS/JBoss] - Re: Integration of Custom Client and Server Login Modules
hi,

The jsp page where the client enters the data is shown below. You will see that I extract the credential 'customer id' from the subject to use in a call to a BankMgr Bean via a delegate (BankMgrDelegate). The BankMgr bean is in the 'SecureBankDomain' which uses the CustomServerLoginModule to map the 'customer id' credential to a role. Specific roles have access to specific methods.

    <%@ page import="java.util.Iterator, java.util.Properties,
                     javax.security.auth.login.LoginContext" %>
    <%
    if (request.getParameter("user") == null) {
    %>
        <%-- HTML login form posting the 'user' and 'pass' fields --%>
    <%
    } else {
        // just so you can see the debug messages
        //System.setOut(new PrintStream(response.getOutputStream()));
        try {
            // Get the form's username & password fields
            String user = request.getParameter("user");
            String pass = request.getParameter("pass");

            // Use the username/password to initialize the
            // callback handler and then do the authentication.
            PassiveCallbackHandler cbh = new PassiveCallbackHandler(user, pass);
            LoginContext lc = new LoginContext("Example", cbh);
            lc.login();

            // Loop through all Principals and Credentials.
            Iterator it = lc.getSubject().getPrincipals().iterator();
            while (it.hasNext())
                out.println("Authenticated: " + it.next().toString());

            // As the credential is not any specific class, but can be any object, the type is
            // passed as an argument. Here RdbmsPrinciple extends java.util.Properties.
            it = lc.getSubject().getPublicCredentials(Properties.class).iterator();
            out.println("Credentials: ");
            String id = null;
            Properties credential = null;
            while (it.hasNext()) {
                credential = (Properties) it.next();
                id = credential.getProperty("customer id");
                out.println(credential.toString());
            }

            // initialise bank manager delegate
            BankMgrDelegate bankMgrDelegate = new BankMgrDelegate();
            bankMgrDelegate.init();

            // call BankMgr bean
            if (id != null) {
                int custId = Integer.parseInt(id);
                try {
                    out.println(bankMgrDelegate.getCustomerData(custId).toString());
                } catch (Exception e) {
                    out.println("jaas: call BankMgr bean - " + e.getMessage());
                }
            } else {
                out.println("Controller: processRequest - INVALID parameter *** userId ***");
            }
            lc.logout();
        } catch (Exception e) {
            out.println("Caught Exception: " + e);
        }
    }
    %>

View the original post : http://www.jboss.com/index.html?module=bb&op=viewtopic&p=3958687#3958687
[jboss-user] [Security & JAAS/JBoss] - Re: Integration of Custom Client and Server Login Modules
Hi Kearns,

So you have a web-enabled client. I am still not clear on what is your identifying principal and what is your credential. What does the user enter in the form? My point is to determine how your authentication data can be used as a String/Principal identity and an Object credential. From there, we can talk about how to get this data to your server login module. In the meantime, also check out the server guide chapter 8 at http://docs.jboss.org/jbossas/jboss4guide/r4/html/ch8.chapter.html.

cgriffith

View the original post : http://www.jboss.com/index.html?module=bb&op=viewtopic&p=3958535#3958535
[jboss-user] [Security & JAAS/JBoss] - Re: Integration of Custom Client and Server Login Modules
hi,

In the commit() of the client login module I add to the subject:

    subject.getPrincipals().addAll(tempPrincipals);
    subject.getPublicCredentials().addAll(tempCredentials);

where tempCredentials contains the property name-value pairs:

    c.setProperty("nhs number", nhsNum);
    c.setProperty("customer id", custId);

The passive callback handler, PassiveCallbackHandler, has a constructor that takes a username and password so its handle() method does not have to prompt the user for input. This information is supplied by a JUnit test or by a jsp which gets the information from an HTML form. There are no peripheral security restrictions. It is the custId that needs to be visible to the custom server login module. At this time the application is deployed on my desktop running a default JBoss server.

Hope this helps.

Cheers

View the original post : http://www.jboss.com/index.html?module=bb&op=viewtopic&p=3958514#3958514
[jboss-user] [Security & JAAS/JBoss] - Re: Integration of Custom Client and Server Login Modules
kearns,

There are still a few details I would need to understand your situation.

1.) It was not clear to me what data you need to be passed to your bank.jaas.CustomServerLoginModule. What is acting as the identity principal and what is acting as the authentication data? What else do you need here?

2.) Is your client a standalone application or web-enabled?

3.) If your client is standalone, does it restrict the user from performing certain functions based on identity? For example, if a user does not have the right to modify another user, then a certain screen is not enabled.

4.) If your client is standalone, is it multithreaded?

cgriffith

View the original post : http://www.jboss.com/index.html?module=bb&op=viewtopic&p=3958502#3958502