[JBoss-user] [Security & JAAS/JBoss] - Re: EJB security issue with remote client

2006-01-06 Thread niwhsa
I think you have not enabled security for the ejb-app. What does the jboss.xml 
say?

View the original post : 
http://www.jboss.com/index.html?module=bb&op=viewtopic&p=3916022#3916022

Reply to the post : 
http://www.jboss.com/index.html?module=bb&op=posting&mode=reply&p=3916022


___
JBoss-user mailing list
JBoss-user@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/jboss-user


[JBoss-user] [Security & JAAS/JBoss] - Re: Custom Login Module

2005-11-16 Thread niwhsa
I think you will not find a one-to-one match from weblogic to jboss. The best 
way to do this is to understand what actually needs to happen during the login 
(from your application perspective, security rules etc etc) and then have these 
coded into one (or more) LoginModule implementations.
Then in the login-conf.xml you can define a realm/domain with this one (or 
more) modules and use that realm in your application jboss.xml.

Moral of the story... don't try to do a one to one match. It may not be possible 
and you might end up doing stuff to the code that is not architecturally sound 
and unmanageable.

View the original post : 
http://www.jboss.com/index.html?module=bb&op=viewtopic&p=3907375#3907375

Reply to the post : 
http://www.jboss.com/index.html?module=bb&op=posting&mode=reply&p=3907375




[JBoss-user] [Security & JAAS/JBoss] - Re: Login Modules and Realm

2005-11-07 Thread niwhsa
It's done in the login() method.

The commit method commits all this info into the subject.

View the original post : 
http://www.jboss.com/index.html?module=bb&op=viewtopic&p=3905950#3905950

Reply to the post : 
http://www.jboss.com/index.html?module=bb&op=posting&mode=reply&p=3905950




[JBoss-user] [Security & JAAS/JBoss] - Re: Security error after migrating to 4.0.3

2005-10-28 Thread niwhsa
Well the default classloader config that comes with jboss has changed since 
4.0.2. Go to the deploy/tomcatx.sar/meta-inf folder.
Open the service.xml and change the UseJBossclassloader to true and also set 
usejava2classloading to true.
Should do the trick.

View the original post : 
http://www.jboss.com/index.html?module=bb&op=viewtopic&p=3904105#3904105

Reply to the post : 
http://www.jboss.com/index.html?module=bb&op=posting&mode=reply&p=3904105




[JBoss-user] [Security & JAAS/JBoss] - Re: Automatic Login to web app

2005-10-28 Thread niwhsa
What is the error you are getting? Please post the stack trace.

View the original post : 
http://www.jboss.com/index.html?module=bb&op=viewtopic&p=3904102#3904102

Reply to the post : 
http://www.jboss.com/index.html?module=bb&op=posting&mode=reply&p=3904102




[JBoss-user] [JBossWS] - Re: howto specify application specific config properties in

2005-10-06 Thread niwhsa
web.xml init-param ?

View the original post : 
http://www.jboss.com/index.html?module=bb&op=viewtopic&p=3899761#3899761

Reply to the post : 
http://www.jboss.com/index.html?module=bb&op=posting&mode=reply&p=3899761




[JBoss-user] [JBossWS] - Re: Throwing SoapFaults (no details)

2005-10-06 Thread niwhsa
Create a custom checked exception (sub class of java.lang.Exception) with all 
the properties you want. Throw this exception from your SEI methods. Wscompile 
should be able to handle this easily. I have done this and it works great (even 
parent class properties get listed in the soap-fault tag in wsdl).

Unless I misunderstood your question, the above should do the trick.

Example: In our code, we throw ExceptionA which extends project generic 
exception ExceptionB which in turn extends the java.lang.Exception.
This is what is available in the wsdl file


  |   
  | 
  |   
  | 
  |   
  | 
  |   
  |   
  |   
  |   
  |
  | 

As you can see casueID, extendedMessage, logID and message are properties of 
Exception B.

View the original post : 
http://www.jboss.com/index.html?module=bb&op=viewtopic&p=3899760#3899760

Reply to the post : 
http://www.jboss.com/index.html?module=bb&op=posting&mode=reply&p=3899760




[JBoss-user] [Security & JAAS/JBoss] - Re: More flexible roles?

2005-10-06 Thread niwhsa
You cannot use wild cards in ejb-jar.xml for declarative security. 

Option 1)
However, you can install a security interceptor with your application that can 
check these roles. The interceptor gets called before the ejb and you can 
handle all checking there. The interceptor gets access to the principal, roles, 
ejb and the ejb method that is being invoked. This is enough info for you to 
program fine grained security.

Option 2)
Another way would be to check the user's roles in ejb interface methods and not 
proceed if the user has insufficient roles (throw security exception). However, 
this logic needs to be impl'ed in every method. 

Advantage/Disadvantage

1) Option 1 is clean and simple and your ejb code is not aware of security logic
2) Option 1 is jboss specific and you will have trouble migrating to other app 
servers that don't allow this flexibility (remember jboss is very very flexible 
and allows you to do a lot more customization than other servers)
3) Option 2 should work on any app server!!

What should you choose

Choose option (2) if you need portability or choose (1) otherwise




View the original post : 
http://www.jboss.com/index.html?module=bb&op=viewtopic&p=3899759#3899759

Reply to the post : 
http://www.jboss.com/index.html?module=bb&op=posting&mode=reply&p=3899759




[JBoss-user] [Security & JAAS/JBoss] - Re: JAAS Security in JBOSS 4.0 ISSUES??

2005-10-04 Thread niwhsa
Your principals query and the role query use the wrong column name? Your table has 
a Username column, isn't it?


Also your application policy name in login-config is defauth but you are using 
megs in jboss.xml??


View the original post : 
http://www.jboss.com/index.html?module=bb&op=viewtopic&p=3898910#3898910

Reply to the post : 
http://www.jboss.com/index.html?module=bb&op=posting&mode=reply&p=3898910




[JBoss-user] [Security & JAAS/JBoss] - Re: Problem with programmatic authentication with LDAP

2005-10-02 Thread niwhsa
Well seems like you are calling EJBs from the login module (LM). The problem 
is that the LM commit() has not been called and until commit() is called the A&A 
information is not valid for the subject!! 

Why don't you make the EJBs that you call from LM insecure? 

View the original post : 
http://www.jboss.com/index.html?module=bb&op=viewtopic&p=3898581#3898581

Reply to the post : 
http://www.jboss.com/index.html?module=bb&op=posting&mode=reply&p=3898581




[JBoss-user] [Security & JAAS/JBoss] - Re: setting and accessing ACL in JBoss

2005-10-02 Thread niwhsa
Hmm you may not be able to restrict home interface lookup using acl but you can 
restrict who gets to call the create() methods in the interface using 
declarative security.

The other way to restrict jndi lookups is to have a username/password for the 
jndi access. 

View the original post : 
http://www.jboss.com/index.html?module=bb&op=viewtopic&p=3898580#3898580

Reply to the post : 
http://www.jboss.com/index.html?module=bb&op=posting&mode=reply&p=3898580




[JBoss-user] [Security & JAAS/JBoss] - Re: LdapExtLoginModule throws NullPointerException during ro

2005-10-02 Thread niwhsa
It's definitely a bug. The LdapExtLoginModule is relatively new and might not 
have undergone serious user testing :). Another thing missing is that the login 
modules don't provide a role mapping capability to map groups from ldap to roles 
that are different from the group name!!

View the original post : 
http://www.jboss.com/index.html?module=bb&op=viewtopic&p=3898579#3898579

Reply to the post : 
http://www.jboss.com/index.html?module=bb&op=posting&mode=reply&p=3898579




[JBoss-user] [Security & JAAS/JBoss] - Re: Getting User Credential [password] In Declaretive Securi

2005-10-02 Thread niwhsa
You will get the filter to work only if you are using form based auth. In case 
you are using basic then the filter doesn't work!!



View the original post : 
http://www.jboss.com/index.html?module=bb&op=viewtopic&p=3898578#3898578

Reply to the post : 
http://www.jboss.com/index.html?module=bb&op=posting&mode=reply&p=3898578




[JBoss-user] [Security & JAAS/JBoss] - Re: JAAS Security in Jboss - Password Capture

2005-10-02 Thread niwhsa
If you are using basic authentication then yes jboss can help. You can write 
your own/extend the existing loginmodules to get the password. It will not be 
encrypted. Even if you end up using SSL, by the time the password reaches the 
login module it should be decrypted already. 

If you are using form based login, you can get the password even in tomcat. The 
easiest would be to put a filter to the j_security_check servlet. In the filter 
you can read j_password from the request.



View the original post : 
http://www.jboss.com/index.html?module=bb&op=viewtopic&p=3898577#3898577

Reply to the post : 
http://www.jboss.com/index.html?module=bb&op=posting&mode=reply&p=3898577




[JBoss-user] [Security & JAAS/JBoss] - Re: Updating user credentials

2005-10-02 Thread niwhsa
Some thoughts::

Seems like the earlier impl of relogin the user (behind the scenes) is a better 
idea as the other option involves using mbean code. Kinda ties you up a lot to 
jboss. 
In J2EE use as few native features as possible. In case you can't help using it, 
provide enough delegation/abstraction to make sure that the change (in case you 
need to change) in future is limited to one or two java files irrespective of 
project size.



View the original post : 
http://www.jboss.com/index.html?module=bb&op=viewtopic&p=3898576#3898576

Reply to the post : 
http://www.jboss.com/index.html?module=bb&op=posting&mode=reply&p=3898576




[JBoss-user] [Security & JAAS/JBoss] - Re: JAAS Security in JBOSS 4.0 ISSUES??

2005-10-02 Thread niwhsa
At the highest level these are the steps required to convert an insecure j2ee 
app to a secure one in jboss

For web apps

1) In the web.xml  list the urls that need to be secure and the http methods 
that need to be secure. This can be done as so.

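  | anonymous wrote : 
  | <security-constraint>
  |   <web-resource-collection>
  |     <web-resource-name>Restricted</web-resource-name>
  |     <description>Declarative security tests</description>
  |     <url-pattern>/*</url-pattern>
  |     <http-method>HEAD</http-method>
  |     <http-method>GET</http-method>
  |     <http-method>POST</http-method>
  |     <http-method>PUT</http-method>
  |     <http-method>DELETE</http-method>
  |   </web-resource-collection>
  |   <auth-constraint>
  |     <role-name>Secure</role-name>
  |   </auth-constraint>
  |   <user-data-constraint>
  |     <description>no description</description>
  |     <transport-guarantee>NONE</transport-guarantee>
  |   </user-data-constraint>
  | </security-constraint>
  | 
  | anonymous wrote : 
  | <login-config>
  |   <auth-method>BASIC</auth-method>
  |   <realm-name>JAAS Tutorial Servlets</realm-name>
  | </login-config>
  | 
  | anonymous wrote : 
  | <security-role>
  |   <description>A user allowed to invoke echo methods</description>
  |   <role-name>Secure</role-name>
  | </security-role>
  | 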

2) Now specify the security domain that will provide the authentication (login) 
and the authorization information (roles) in jboss-web.xml

anonymous wrote : 
  | This comes directly under the  tag. Check the DTD for more details.
  | 

  | <security-domain>java:/jaas/jwdomain</security-domain>
  | 


3) Now the last piece is to provide the jwdomain information in the 
server/default/conf/login-config.xml



  | 
  | 
  | 
  | 
  | 
  | 
  | 
  | 

Now you should be good to go.


***
For an EJB application

replace step 1) above with info in ejb-jar.xml

step 2) and step 3) remain same.

Note: Use jboss.xml to provide the security domain info rather than 
jboss-web.xml.


Let us know how it goes.

Also would help if you post the exact error you are getting.


View the original post : 
http://www.jboss.com/index.html?module=bb&op=viewtopic&p=3898575#3898575

Reply to the post : 
http://www.jboss.com/index.html?module=bb&op=posting&mode=reply&p=3898575




[JBoss-user] [JCA/JBoss] - Re: Trouble enlisting direct JDBC in a transaction

2005-09-26 Thread niwhsa
If you want to manage transactions yourself (not a good idea most times) then 
lookup the UserTransaction object from JNDI and use that. Don't use the transaction 
manager. It can't help you :)

View the original post : 
http://www.jboss.com/index.html?module=bb&op=viewtopic&p=3897033#3897033

Reply to the post : 
http://www.jboss.com/index.html?module=bb&op=posting&mode=reply&p=3897033




[JBoss-user] [JCA/JBoss] - Re: Trouble enlisting direct JDBC in a transaction

2005-09-26 Thread niwhsa
Your class cast exception should be easy to solve. You are setting up a regular 
datasource and trying to cast it to an XADataSource. In your mysql-ds.xml you 
need to set up an XA datasource. 

anonymous wrote : 
  |  
  | MySqlDS 
  | com.mysql.jdbc.jdbc2.optional.MysqlXADataSource
  | jdbc:mysql://localhost:3306/test 
  |  
  |  
  | true 
  | org.jboss.resource.adapter.jdbc.vendor.MySQLExceptionSorter
  |  
  | mySQL 
  |  
  | 
  | 

View the original post : 
http://www.jboss.com/index.html?module=bb&op=viewtopic&p=3897032#3897032

Reply to the post : 
http://www.jboss.com/index.html?module=bb&op=posting&mode=reply&p=3897032




[JBoss-user] [JBossWS] - Couldn't find a matching Java operation for WSDD operation

2005-09-21 Thread niwhsa
I am trying to create a doc/lit webservice. I was successful in getting the 
service running and testing it using a .net c# test client.
However, when I create an additional method in the SEI that accepts array 
argument, it starts giving an exception such as the one below.

Any help will be appreciated. I am using JBOSS 4.0.2 default config. Is there 
something fundamentally wrong in what I am doing?


  | 17:04:10,353 FATAL [InternalException] Exception:
  | java.lang.Exception: Couldn't find a matching Java operation for WSDD operation "sayHelloManyTimes" (1 args)
  | at org.jboss.axis.InternalException.<init>(InternalException.java:106)
  | at org.jboss.axis.description.ServiceDesc.loadServiceDescByIntrospection(ServiceDesc.java:992)
  | at org.jboss.axis.providers.java.JavaProvider.initServiceDesc(JavaProvider.java:732)
  | at org.jboss.webservice.server.InvokerProvider.initServiceDesc(InvokerProvider.java:95)
  | at org.jboss.axis.handlers.soap.SOAPService.getInitializedServiceDesc(SOAPService.java:388)
  | at org.jboss.axis.deployment.wsdd.WSDDService.makeNewInstance(WSDDService.java:560)
  | at org.jboss.axis.deployment.wsdd.WSDDDeployableItem.getNewInstance(WSDDDeployableItem.java:322)
  | at org.jboss.axis.deployment.wsdd.WSDDDeployableItem.getInstance(WSDDDeployableItem.java:307)
  | at org.jboss.axis.deployment.wsdd.WSDDDeployment.getService(WSDDDeployment.java:526)
  | at org.jboss.axis.configuration.FileProvider.getService(FileProvider.java:288)
  | at org.jboss.axis.AxisEngine.getService(AxisEngine.java:253)
  | at org.jboss.webservice.server.ServiceEndpointServlet.doGet(ServiceEndpointServlet.java:58)
  | at javax.servlet.http.HttpServlet.service(HttpServlet.java:697)
  | at org.jboss.axis.transport.http.AxisServletBase.service(AxisServletBase.java:370)
  | at javax.servlet.http.HttpServlet.service(HttpServlet.java:810)
  | at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:252)
  | at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:173)
  | at org.jboss.web.tomcat.filters.ReplyHeaderFilter.doFilter(ReplyHeaderFilter.java:81)
  | at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:202)
  | at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:173)
  | at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:213)
  | at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:178)
  | at org.jboss.web.tomcat.security.CustomPrincipalValve.invoke(CustomPrincipalValve.java:39)
  | at org.jboss.web.tomcat.security.SecurityAssociationValve.invoke(SecurityAssociationValve.java:153)
  | at org.jboss.web.tomcat.security.JaccContextValve.invoke(JaccContextValve.java:59)
  | at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:126)
  | at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:105)
  | at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:107)
  | at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:148)
  | at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:856)
  | at org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.processConnection(Http11Protocol.java:744)
  | at org.apache.tomcat.util.net.PoolTcpEndpoint.processSocket(PoolTcpEndpoint.java:527)
  | at org.apache.tomcat.util.net.MasterSlaveWorkerThread.run(MasterSlaveWorkerThread.java:112)
  | at java.lang.Thread.run(Thread.java:534)
  | 17:04:10,353 INFO  [AxisServlet] Exception:
  | org.jboss.axis.InternalException: java.lang.Exception: Couldn't find a matching Java operation for WSDD operation "sayHelloManyTimes" (1 args)
  | at org.jboss.axis.description.ServiceDesc.loadServiceDescByIntrospection(ServiceDesc.java:992)
  | at org.jboss.axis.providers.java.JavaProvider.initServiceDesc(JavaProvider.java:732)
  | at org.jboss.webservice.server.InvokerProvider.initServiceDesc(InvokerProvider.java:95)
  | at org.jboss.axis.handlers.soap.SOAPService.getInitializedServiceDesc(SOAPService.java:388)
  | at org.jboss.axis.deployment.wsdd.WSDDService.makeNewInstance(WSDDService.java:560)
  | at org.jboss.axis.deployment.wsdd.WSDDDeployableItem.getNewInstance(WSDDDeployableItem.java:322)
  | at org.jboss.axis.deployment.wsdd.WSDDDeployableItem.getInstance(WSDDDeployableItem.java:307)
  | at org.jboss.axis.deployment.wsdd.WSDDDeployment.getService(WSDDDeployment.java:526)
  | at org.jboss.axis.configuration.FileProvider.getService(FileProvider.java:288)
  | at org.jboss.axis.AxisEngine.getService(AxisEngine.java:253)
  | at org.jboss.webservice.server.ServiceEndpointServlet.doGet(ServiceEndpointServlet.jav

[JBoss-user] [Security & JAAS/JBoss] - Re: saving j_username as session/request parameter

2005-08-24 Thread niwhsa
Why don't you put a servlet filter for the j_security_check servlet in your 
web.xml. In the filter code, you will have access to the request object from 
where you can read j_username and store it in the session. This would be the 
easiest way of doing this without tampering with the app server code.

View the original post : 
http://www.jboss.org/index.html?module=bb&op=viewtopic&p=3891551#3891551

Reply to the post : 
http://www.jboss.org/index.html?module=bb&op=posting&mode=reply&p=3891551




[JBoss-user] [Security & JAAS/JBoss] - Re: Can I create a J2EE-generic authentication module?

2005-08-24 Thread niwhsa
You can write your own JAAS login module and plug it into the 
conf/login-config.xml file.
If you want complete portability ensure that you custom implement the Principal 
and Group classes and don't use the ones from JBoss. I have done this 
successfully. There is no issue with that.

Once you have done this, you can take this LoginModule anywhere as it's fully 
portable and not dependent on JBoss.

View the original post : 
http://www.jboss.org/index.html?module=bb&op=viewtopic&p=3891549#3891549

Reply to the post : 
http://www.jboss.org/index.html?module=bb&op=posting&mode=reply&p=3891549




[JBoss-user] [Security & JAAS/JBoss] - Re: how this symbol @ works in the application and jboss fil

2005-08-15 Thread niwhsa
You are to replace them with the appropriate values.

View the original post : 
http://www.jboss.org/index.html?module=bb&op=viewtopic&p=3890115#3890115

Reply to the post : 
http://www.jboss.org/index.html?module=bb&op=posting&mode=reply&p=3890115




[JBoss-user] [Security & JAAS/JBoss] - Re: security in jboss

2005-08-15 Thread niwhsa
Read the sticky post for a good introduction.

View the original post : 
http://www.jboss.org/index.html?module=bb&op=viewtopic&p=3890114#3890114

Reply to the post : 
http://www.jboss.org/index.html?module=bb&op=posting&mode=reply&p=3890114




[JBoss-user] [Security & JAAS/JBoss] - Re: Retrieving user name

2005-08-15 Thread niwhsa
My guess is that in your JSP/servlet, the call to request.getUserPrincipal() is 
returning null.
If you are using a custom login module then you need to define a group named 
"CallerPrincipal" to which you can add your Principal impl class. If you do 
this then the request.getUserPrincipal() returns your custom Principal impl (of 
course you will need to cast it to your impl class).

HTH
Ashwin Karkala

View the original post : 
http://www.jboss.org/index.html?module=bb&op=viewtopic&p=3890113#3890113

Reply to the post : 
http://www.jboss.org/index.html?module=bb&op=posting&mode=reply&p=3890113
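
The login()/commit() split, the self-written Principal and Group classes and the "CallerPrincipal" group described in the posts above, put together as an added example; it is not code from the posts or from JBoss. It uses only JDK classes (java.security.acl.Group exists through JDK 13). The class names, the constructed demo credential and the "Roles" group name (JBoss's convention for the role set, not stated on this page) are assumptions.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.Principal;
import java.security.acl.Group;
import java.util.*;
import javax.security.auth.Subject;
import javax.security.auth.callback.*;
import javax.security.auth.login.FailedLoginException;
import javax.security.auth.login.LoginException;
import javax.security.auth.spi.LoginModule;

public class PortableLoginModule implements LoginModule {

    /** Own Principal class: nothing in this file imports org.jboss.*. */
    static class SimplePrincipal implements Principal, java.io.Serializable {
        private final String name;
        SimplePrincipal(String name) { this.name = name; }
        public String getName() { return name; }
        @Override public boolean equals(Object o) {
            return o != null && o.getClass() == getClass() && name.equals(((SimplePrincipal) o).name);
        }
        @Override public int hashCode() { return name.hashCode(); }
        @Override public String toString() { return name; }
    }

    /** Own Group class: a Group is itself a Principal that holds member Principals. */
    static class SimpleGroup extends SimplePrincipal implements Group {
        private final Set<Principal> members = new LinkedHashSet<>();
        SimpleGroup(String name) { super(name); }
        public boolean addMember(Principal p) { return members.add(p); }
        public boolean removeMember(Principal p) { return members.remove(p); }
        public boolean isMember(Principal p) { return members.contains(p); }
        public Enumeration<? extends Principal> members() { return Collections.enumeration(members); }
        @Override public String toString() { return getName() + members; }
    }

    private Subject subject;
    private CallbackHandler handler;
    private Principal identity;                               // set by login(), published by commit()
    private final List<String> roleNames = new ArrayList<>();
    private final Set<Principal> published = new HashSet<>();

    public void initialize(Subject subject, CallbackHandler handler,
                           Map<String, ?> sharedState, Map<String, ?> options) {
        this.subject = subject;
        this.handler = handler;
    }

    /** Phase 1: check the credentials and remember the result. The Subject is not touched. */
    public boolean login() throws LoginException {
        reset();
        NameCallback name = new NameCallback("user: ");
        PasswordCallback pass = new PasswordCallback("password: ", false);
        try {
            handler.handle(new Callback[] { name, pass });
        } catch (Exception e) {                               // IOException or UnsupportedCallbackException
            throw new LoginException("cannot obtain credentials: " + e);
        }
        char[] password = pass.getPassword();                 // getPassword() hands back a copy
        pass.clearPassword();
        try {
            if (name.getName() == null || password == null || !verify(name.getName(), password)) {
                throw new FailedLoginException("bad credentials");
            }
        } finally {
            if (password != null) Arrays.fill(password, '\0');
        }
        identity = new SimplePrincipal(name.getName());
        roleNames.addAll(lookupRoles(name.getName()));
        return true;
    }

    /** Phase 2: only now do identity, roles and caller principal become visible on the Subject. */
    public boolean commit() throws LoginException {
        if (identity == null) return false;                   // login() did not succeed in this module
        Group roles = new SimpleGroup("Roles");               // assumed JBoss group name for the role set
        for (String r : roleNames) roles.addMember(new SimplePrincipal(r));
        Group caller = new SimpleGroup("CallerPrincipal");    // group name taken from the post above
        caller.addMember(identity);
        published.add(identity);
        published.add(roles);
        published.add(caller);
        subject.getPrincipals().addAll(published);
        return true;
    }

    public boolean abort() { reset(); return true; }
    public boolean logout() { subject.getPrincipals().removeAll(published); reset(); return true; }
    private void reset() { identity = null; roleNames.clear(); published.clear(); }

    // Hypothetical hooks backed by constructed demo data so the example runs offline;
    // a real module would query its user store here.
    private static final byte[] DEMO_SECRET = "demo-secret".getBytes(StandardCharsets.UTF_8);
    protected boolean verify(String user, char[] password) {
        byte[] given = new String(password).getBytes(StandardCharsets.UTF_8);
        return "demo".equals(user) && MessageDigest.isEqual(given, DEMO_SECRET);
    }
    protected List<String> lookupRoles(String user) { return Arrays.asList("Secure"); }
}
```

Driving the module by hand (initialize(), then login(), then commit() with a CallbackHandler that supplies the constructed credential) shows `subject.getPrincipals()` still empty after login() and populated only after commit(), which is why code invoked from inside login() cannot yet be authorized against that Subject.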




[JBoss-user] [Security & JAAS/JBoss] - Re: Simple JAAS Configuration ?

2005-08-11 Thread niwhsa
Have you made an entry in the login-config.xml for the overdrive security 
domain?

View the original post : 
http://www.jboss.org/index.html?module=bb&op=viewtopic&p=3889666#3889666

Reply to the post : 
http://www.jboss.org/index.html?module=bb&op=posting&mode=reply&p=3889666




[JBoss-user] [Security & JAAS/JBoss] - Re: Basic Auth not propogating Security

2005-08-09 Thread niwhsa
Make sure you include the ClientLoginModule in the "mymail" authentication 
domain. This should help propagate the principal. 

View the original post : 
http://www.jboss.org/index.html?module=bb&op=viewtopic&p=3889000#3889000

Reply to the post : 
http://www.jboss.org/index.html?module=bb&op=posting&mode=reply&p=3889000




[JBoss-user] [Security & JAAS/JBoss] - Re: re-login necessary after jboss-restart

2005-08-08 Thread niwhsa
What do you mean by
anonymous wrote : 
  | although the http-session survived the restart.
  | 

How do you know the http-session on the server side survived the re-start?

View the original post : 
http://www.jboss.org/index.html?module=bb&op=viewtopic&p=373#373

Reply to the post : 
http://www.jboss.org/index.html?module=bb&op=posting&mode=reply&p=373




[JBoss-user] [Security & JAAS/JBoss] - Re: Implementation of mandate-type access

2005-08-07 Thread niwhsa
Seems like you have to define a custom implementation of the RealmMapping 
interface. The interface defines a method 
anonymous wrote : 
  | /** Validates the application domain roles to which the operational
  | environment Principal belongs.
  | @param principal the caller principal as known in the operation environment.
  | @param roles The Set for the application domain roles that the
  |  principal is to be validated against.
  | @return true if the principal has at least one of the roles in the roles set,
  | false otherwise.
  |  */
  | public boolean doesUserHaveRole(Principal principal, Set roles);
  | 

Your implementation can return true/false based on the mandate level. You might 
also need to define a custom login module (only your requirements will define 
this need) that gets the mandate value into the subject.

For complete details on how to implement a custom security manager and custom 
login modules (for the JAAS security manager) please read
anonymous wrote : 
  | http://docs.jboss.org/jbossas/admindevel326/html/ch8.chapter.html
  | 


View the original post : 
http://www.jboss.org/index.html?module=bb&op=viewtopic&p=336#336

Reply to the post : 
http://www.jboss.org/index.html?module=bb&op=posting&mode=reply&p=336




[JBoss-user] [Security & JAAS/JBoss] - Re: LDAP Authentication

2005-08-07 Thread niwhsa
any exceptions?

View the original post : 
http://www.jboss.org/index.html?module=bb&op=viewtopic&p=335#335

Reply to the post : 
http://www.jboss.org/index.html?module=bb&op=posting&mode=reply&p=335




[JBoss-user] [Security & JAAS/JBoss] - Re: has anyone managed to run the program in the top entry o

2005-08-07 Thread niwhsa
Seems like you don't have an auth.conf file for your client application. Try 
providing the system property -D while calling java as follows.
anonymous wrote : 
  | -Djava.security.auth.login.config=${full_path_to_auth.conf}
  | 

There is a more detailed thread on this available in the same forum.
anonymous wrote : 
  | http://www.jboss.com/index.html?module=bb&op=viewtopic&t=66605
  | 
  | 

View the original post : 
http://www.jboss.org/index.html?module=bb&op=viewtopic&p=334#334

Reply to the post : 
http://www.jboss.org/index.html?module=bb&op=posting&mode=reply&p=334




[JBoss-user] [Security & JAAS/JBoss] - Re: has anyone managed to run the program in the top entry o

2005-08-04 Thread niwhsa
Please provide the o/p or stack trace etc.

View the original post : 
http://www.jboss.org/index.html?module=bb&op=viewtopic&p=3888386#3888386

Reply to the post : 
http://www.jboss.org/index.html?module=bb&op=posting&mode=reply&p=3888386




[JBoss-user] [Security & JAAS/JBoss] - Re: Configuration file for Loging modules NOT found

2005-08-03 Thread niwhsa
Yes this is a pretty common thing to do when you first start off with JAAS. I 
did the same too. I use the -D argument to the java command as below

java -Djava.security.auth.login.config=conf/auth.conf 

This needs to be under the current directory.

View the original post : 
http://www.jboss.org/index.html?module=bb&op=viewtopic&p=3888334#3888334

Reply to the post : 
http://www.jboss.org/index.html?module=bb&op=posting&mode=reply&p=3888334




[JBoss-user] [Security & JAAS/JBoss] - Re: has anyone managed to run the program in the top entry o

2005-08-03 Thread niwhsa
It's more for reference. What problem are you facing exactly?

View the original post : 
http://www.jboss.org/index.html?module=bb&op=viewtopic&p=3888333#3888333

Reply to the post : 
http://www.jboss.org/index.html?module=bb&op=posting&mode=reply&p=3888333




[JBoss-user] [Security & JAAS/JBoss] - Re: Different Role check mechanism for EJB and Web?

2005-08-03 Thread niwhsa
I forgot to mention that I am using jboss 4.0.1 sp1



View the original post : 
http://www.jboss.org/index.html?module=bb&op=viewtopic&p=3888149#3888149

Reply to the post : 
http://www.jboss.org/index.html?module=bb&op=posting&mode=reply&p=3888149




[JBoss-user] [Security & JAAS/JBoss] - Different Role check mechanism for EJB and Web?

2005-08-03 Thread niwhsa
I wanted to post an interesting observation. I have a custom LoginModule 
implementation that I was using. In the login module I was not using the 
SimplePrincipal and the SimpleGroups implementations provided by JBoss. I was 
using custom implementation of the java.security.Principal and 
java.security.acl.Group interfaces.

This seems to work fine for authentication of the web side but seemed to fail 
for the EJB. Both the web and EJBs were secured using the same domain that used 
my custom login module.

See http://www.jboss.org/index.html?module=bb&op=viewtopic&t=67345 for my prior 
post.

When I did a small walk through of the JBoss source code (thank heavens it's 
open source) I found that on the web container side, the roles are checked by 
getting the individual principals out of the Group as Strings (using the 
members() method first on the group and then the getName() on each Principal in 
the enumeration). Basically the security interceptor gets all the roles the 
user belongs to as strings and then  checks to see if the desired role is 
present or not.

However, on the EJB side of things, the security interceptor directly calls the 
isMember() method on the Group named "Roles" found in the Subject. The argument 
passed to the isMember() method is of type org.jboss.security.SimplePrincipal. 
I was directly checking this against the Principals in my group. However, since 
the class of my principals was different the == was not working and I was 
getting SecurityExceptions thrown back during the EJB calls.

I understand that my impl of the isMember() method can be seen as flawed but 
why does JBoss have to have conflicting mechanisms to check roles on the Web 
and EJB fronts? 

Any thoughts?

View the original post : 
http://www.jboss.org/index.html?module=bb&op=viewtopic&p=3888147#3888147

Reply to the post : 
http://www.jboss.org/index.html?module=bb&op=posting&mode=reply&p=3888147
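
Added example (not part of the original post and not JBoss source): a self-contained Java 16+ sketch of the two role-check styles described above, run against a role group whose isMember() compares Principal objects and against one that compares names. AppPrincipal, ContainerPrincipal (a stand-in for org.jboss.security.SimplePrincipal) and RoleGroup are hypothetical names; RoleGroup mirrors the method shapes of java.security.acl.Group without implementing it, since that package was removed in JDK 14.

```java
import java.security.Principal;
import java.util.*;

public class RoleCheckDemo {
    // Stand-in for the application's own Principal class (hypothetical name).
    record AppPrincipal(String name) implements Principal {
        public String getName() { return name; }
    }
    // Stand-in for the container's Principal type passed to isMember() (assumption).
    record ContainerPrincipal(String name) implements Principal {
        public String getName() { return name; }
    }

    // Same method shapes as java.security.acl.Group.
    static class RoleGroup {
        private final Set<Principal> members = new LinkedHashSet<>();
        private final boolean compareByName;
        RoleGroup(boolean compareByName) { this.compareByName = compareByName; }
        boolean addMember(Principal p) { return members.add(p); }
        Enumeration<Principal> members() { return Collections.enumeration(members); }
        boolean isMember(Principal candidate) {
            if (!compareByName) {
                // Flawed: object equality, so a different Principal class never matches.
                return members.contains(candidate);
            }
            for (Principal m : members) {   // Fixed: compare role names only.
                if (m.getName().equals(candidate.getName())) return true;
            }
            return false;
        }
    }

    // Web-side style: collect member names as strings, then look up the role name.
    static boolean webCheck(RoleGroup roles, String required) {
        Set<String> names = new HashSet<>();
        for (Enumeration<Principal> e = roles.members(); e.hasMoreElements();) {
            names.add(e.nextElement().getName());
        }
        return names.contains(required);
    }

    // EJB-side style: call isMember() with the container's own Principal type.
    static boolean ejbCheck(RoleGroup roles, String required) {
        return roles.isMember(new ContainerPrincipal(required));
    }

    public static void main(String[] args) {
        for (boolean byName : new boolean[] {false, true}) {
            RoleGroup roles = new RoleGroup(byName);
            roles.addMember(new AppPrincipal("Secure"));   // constructed sample role
            System.out.printf("compareByName=%b web=%b ejb=%b%n",
                    byName, webCheck(roles, "Secure"), ejbCheck(roles, "Secure"));
        }
    }
}
```

With the object-equality version the web-style check passes and the EJB-style check fails for the same role; comparing by getName() makes both agree.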




[JBoss-user] [Security & JAAS/JBoss] - Re: EJB SecurityException even though roles are present

2005-08-03 Thread niwhsa
Finally managed to fix the problem. The issue was with my implementation of 
java.security.acl.Group interface. In the isMember() I was checking directly 
the principal rather than checking principal.getName(). The RealmMapping impl 
used by the EJB Container checks for available roles using the isMember() 
method. 
Surprisingly the same on the web container gets all the roles as strings and 
then checks against the strings. Wonder why this is so.

In any case I am glad I was able to fix the issue and hopefully this helps 
others.

View the original post : 
http://www.jboss.org/index.html?module=bb&op=viewtopic&p=3888145#3888145

Reply to the post : 
http://www.jboss.org/index.html?module=bb&op=posting&mode=reply&p=3888145




[JBoss-user] [Security & JAAS/JBoss] - Re: EJB SecurityException even though roles are present

2005-08-03 Thread niwhsa
I did a little source code searching and found that the exception is thrown by 
the org.jboss.ejb.plugins.SecurityInterceptor.

The exact piece of code that fails is

  | // Check if the caller is allowed to access the method
  | if (methodRoles.contains(AnybodyPrincipal.ANYBODY_PRINCIPAL) == false)
  | {
  |    // The caller is using a the caller identity
  |    if (callerRunAsIdentity == null)
  |    {
  |       // Now actually check if the current caller has one of the required method roles
  |       if (realmMapping.doesUserHaveRole(principal, methodRoles) == false)
  |       {
  |          Set userRoles = realmMapping.getUserRoles(principal);
  |          String method = mi.getMethod().getName();
  |          BeanMetaData beanMetaData = container.getBeanMetaData();
  |          String msg = "Insufficient method permissions, principal=" + principal
  |             + ", ejbName=" + beanMetaData.getEjbName()
  |             + ", method=" + method + ", interface=" + iface
  |             + ", requiredRoles=" + methodRoles + ", principalRoles=" + userRoles;
  |          SecurityException e = new SecurityException(msg);
  |          throw e;
  |       }
  |    }
  | 

I was unable to debug any further as RealmMapping is an interface and am not 
sure which Impl class is actually working during runtime.

Also what baffles me most is that the exception indicates that I am not in role 
but the message in the exception clearly shows that I am indeed in the role.

Any pointers?

View the original post : 
http://www.jboss.org/index.html?module=bb&op=viewtopic&p=3888125#3888125

Reply to the post : 
http://www.jboss.org/index.html?module=bb&op=posting&mode=reply&p=3888125




[JBoss-user] [Security & JAAS/JBoss] - Re: EJB SecurityException even though roles are present

2005-08-02 Thread niwhsa
Wanted to add some more details.
Since the same security domain seems to work for the web application and not 
for the EJB, I suspect it could be some EJB config. I am posting the jboss.xml 
and the ejb-jar.xml here for reference.

jboss.xml

  | 
  | 
  |java:/jaas/jwdomain
  | 
  |
  | 
  |  
  | 
  |   
  |  Fibo
  |  ejb/tutorial/Fibo
  |   
  |
  | 
  |
  |
  | 
  | 
  | 

And the ejb-jar.xml


  | 
  |Generated by XDoclet
  | 
  |
  | 
  |   
  |  EJB that computes Fibonacci suite
  |  Fibo EJB
  |  Fibo
  |  tutorial.interfaces.FiboHome
  |  tutorial.interfaces.Fibo
  |  tutorial.ejb.FiboBean
  |  Stateless
  |  Container
  |   
  | 
  |
  | 
  |
  | 
  | 
  | Secure
  | 
  | 
  | 
  | 
  | 
  | Fibo
  | create
  | 
  | 
  | 
  | 
  | Secure
  | 
  | Fibo
  | factorial
  | 
  | 
  | 
  | 


Again am I missing something ? Any help is appreciated.

thanks

View the original post : 
http://www.jboss.org/index.html?module=bb&op=viewtopic&p=3887959#3887959

Reply to the post : 
http://www.jboss.org/index.html?module=bb&op=posting&mode=reply&p=3887959




[JBoss-user] [Security & JAAS/JBoss] - EJB SecurityException even though roles are present

2005-08-02 Thread niwhsa
Hi,
 I am doing the usual custom login module to login to the servlet and then 
using the servlet to access a session ejb. Both the servlet and session bean 
are secured by the role named "Secure".

The security domain I am using is jwdomain and is set in the login-config.xml to
anonymous wrote : 
  | 
  | 
  | 
  | com.netscape.jndi.ldap.LdapContextFactory
  | true
  | 
  | 
  | useFirstPass
  | 
  | 
  | 
  | 
  | 

Note: I am using Client Login Module as part of the security domain definition 
above. 

In the servlet I am using BASIC authentication to get the username and 
password. This is working fine. However when the servlet tries to access the 
ejb the following exception is got. 

anonymous wrote : 
  | java.rmi.AccessException: SecurityException; nested exception is: 
  | java.lang.SecurityException: Insufficient method permissions, principal=akarkala, ejbName=Fibo, method=factorial, interface=REMOTE, requiredRoles=[Secure], principalRoles=[Secure]
  | 

Note that it's looking for the role "Secure" and it's present in the 
principalRoles. Why am I still getting the exception?

Any pointers?

View the original post : 
http://www.jboss.org/index.html?module=bb&op=viewtopic&p=3887951#3887951

Reply to the post : 
http://www.jboss.org/index.html?module=bb&op=posting&mode=reply&p=3887951

