[JBoss-user] [Security & JAAS/JBoss] - Re: EJB security issue with remote client
I think you have not enabled security for the ejb-app. What does the jboss.xml say?

View the original post : http://www.jboss.com/index.html?module=bb&op=viewtopic&p=3916022#3916022

___
JBoss-user mailing list
JBoss-user@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/jboss-user
[JBoss-user] [Security & JAAS/JBoss] - Re: Custom Login Module
I think you will not find a one-to-one match from WebLogic to JBoss. The best way to do this is to understand what actually needs to happen during the login (from your application perspective, security rules etc.) and then have these coded into one (or more) LoginModule implementations. Then in the login-config.xml you can define a realm/domain with this one (or more) modules and use that realm in your application jboss.xml. Moral of the story... don't try to do a one-to-one match. It may not be possible and you might end up doing stuff to the code that is not architecturally sound and unmanageable.

View the original post : http://www.jboss.com/index.html?module=bb&op=viewtopic&p=3907375#3907375
[JBoss-user] [Security & JAAS/JBoss] - Re: Login Modules and Realm
It's done in the login() method. The commit() method commits all this info into the subject.

View the original post : http://www.jboss.com/index.html?module=bb&op=viewtopic&p=3905950#3905950
[JBoss-user] [Security & JAAS/JBoss] - Re: Security error after migrating to 4.0.3
Well, the default classloader config that comes with JBoss has changed since 4.0.2. Go to the deploy/tomcatx.sar/META-INF folder, open the service.xml and change the UseJBossclassloader to true and also set usejava2classloading to true. Should do the trick.

View the original post : http://www.jboss.com/index.html?module=bb&op=viewtopic&p=3904105#3904105
[JBoss-user] [Security & JAAS/JBoss] - Re: Automatic Login to web app
What is the error you are getting? Please post the stack trace.

View the original post : http://www.jboss.com/index.html?module=bb&op=viewtopic&p=3904102#3904102
[JBoss-user] [JBossWS] - Re: howto specify application specific config properties in
web.xml init-param ?

View the original post : http://www.jboss.com/index.html?module=bb&op=viewtopic&p=3899761#3899761
[JBoss-user] [JBossWS] - Re: Throwing SoapFaults (no details)
Create a custom checked exception (subclass of java.lang.Exception) with all the properties you want. Throw this exception from your SEI methods. Wscompile should be able to handle this easily. I have done this and it works great (even parent class properties get listed in the soap-fault tag in the WSDL). Unless I misunderstood your question, the above should do the trick.

Example: In our code, we throw ExceptionA which extends project generic exception ExceptionB which in turn extends java.lang.Exception. This is what is available in the WSDL file. As you can see casueID, extendedMessage, logID and message are properties of ExceptionB.

View the original post : http://www.jboss.com/index.html?module=bb&op=viewtopic&p=3899760#3899760
[JBoss-user] [Security & JAAS/JBoss] - Re: More flexible roles?
You cannot use wildcards in ejb-jar.xml for declarative security.

Option 1) However, you can install a security interceptor with your application that can check these roles. The interceptor gets called before the EJB and you can handle all checking there. The interceptor gets access to the principal, roles, EJB and the EJB method that is being invoked. This is enough info for you to program fine-grained security.

Option 2) Another way would be to check the user's roles in EJB interface methods and not proceed if the user has insufficient roles (throw a security exception). However, this logic needs to be impl'ed in every method.

Advantage/Disadvantage
1) Option 1 is clean and simple and your EJB code is not aware of security logic.
2) Option 1 is JBoss specific and you will have trouble migrating to other app servers that don't allow this flexibility (remember JBoss is very, very flexible and allows you to do a lot more customization than other servers).
3) Option 2 should work on any app server!!

What should you choose? Choose option (2) if you need portability or choose (1) otherwise.

View the original post : http://www.jboss.com/index.html?module=bb&op=viewtopic&p=3899759#3899759
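As an added example (not code from the post above), here is the post's Option 2 in an EJB 2.x stateless session bean: the business method checks the caller's roles itself and fails closed. The EJB API offers only SessionContext.isCallerInRole(String) for an exact role name and gives a bean no way to enumerate the caller's roles, so a "wildcard" such as report-* has to be expanded into the concrete role names the application declares. The bean, method and role names are assumptions.

```java
import javax.ejb.EJBException;
import javax.ejb.SessionBean;
import javax.ejb.SessionContext;

// Added example, not from the post. Hypothetical bean: the role names below are assumed
// to be declared as <security-role-ref> entries for this bean in ejb-jar.xml.
public class ReportBean implements SessionBean {

    // Expansion of the "report-*" rule: isCallerInRole() takes exact names only and the
    // container gives a bean no way to list the roles the caller holds.
    static final String[] REPORT_ROLES = { "report-viewer", "report-editor", "report-admin" };

    private SessionContext ctx;

    public void setSessionContext(SessionContext ctx) { this.ctx = ctx; }
    public void ejbCreate() {}
    public void ejbRemove() {}
    public void ejbActivate() {}
    public void ejbPassivate() {}

    // True when the caller holds at least one of the candidate roles.
    static boolean callerHasAnyRole(SessionContext ctx, String[] candidates) {
        for (int i = 0; i < candidates.length; i++) {
            if (ctx.isCallerInRole(candidates[i])) {
                return true;
            }
        }
        return false;
    }

    // Business method: the check runs before any work is done and rejects by default.
    public String render(String reportId) {
        if (!callerHasAnyRole(ctx, REPORT_ROLES)) {
            // Wrapping SecurityException in EJBException makes the container roll back a
            // container-managed transaction and report the failure to the remote caller.
            throw new EJBException(new SecurityException(
                    "caller " + ctx.getCallerPrincipal().getName() + " holds no report-* role"));
        }
        return "report " + reportId + " rendered for " + ctx.getCallerPrincipal().getName();
    }
}
```

The method still needs a method-permission entry in ejb-jar.xml that admits every report-* role (or marks the method unchecked); once a security domain is set on the bean, the container's declarative check runs first and a method with no permission entry is refused before this code executes.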
[JBoss-user] [Security & JAAS/JBoss] - Re: JAAS Security in JBOSS 4.0 ISSUES??
Your principals query and the roles query use the wrong column name? Your table has a Username column, isn't it? Also your application policy name in login-config is defauth but you are using megs in jboss.xml??

View the original post : http://www.jboss.com/index.html?module=bb&op=viewtopic&p=3898910#3898910
[JBoss-user] [Security & JAAS/JBoss] - Re: Problem with programmatic authentication with LDAP
Well, seems like you are calling EJBs from the login module (LM). The problem is that the LM commit() has not been called, and until commit() is called the A&A information is not valid for the subject!! Why don't you make the EJBs that you call from the LM insecure?

View the original post : http://www.jboss.com/index.html?module=bb&op=viewtopic&p=3898581#3898581
[JBoss-user] [Security & JAAS/JBoss] - Re: setting and accessing ACL in JBoss
Hmm, you may not be able to restrict home interface lookup using ACL but you can restrict who gets to call the create() methods in the interface using declarative security. The other way to restrict JNDI lookups is to have a username/password for the JNDI access.

View the original post : http://www.jboss.com/index.html?module=bb&op=viewtopic&p=3898580#3898580
[JBoss-user] [Security & JAAS/JBoss] - Re: LdapExtLoginModule throws NullPointerException during ro
It's definitely a bug. The LdapExtLoginModule is relatively new and might not have undergone serious user testing :). Another thing missing is that the login modules don't provide a role mapping capability to map groups from LDAP to roles that are different from the group name!!

View the original post : http://www.jboss.com/index.html?module=bb&op=viewtopic&p=3898579#3898579
[JBoss-user] [Security & JAAS/JBoss] - Re: Getting User Credential [password] In Declaretive Securi
You will get the filter to work only if you are using form-based auth. In case you are using basic then the filter doesn't work!!

View the original post : http://www.jboss.com/index.html?module=bb&op=viewtopic&p=3898578#3898578
[JBoss-user] [Security & JAAS/JBoss] - Re: JAAS Security in Jboss - Password Capture
If you are using basic authentication then yes, JBoss can help. You can write your own/extend the existing login modules to get the password. It will not be encrypted. Even if you end up using SSL, by the time the password reaches the login module it should be decrypted already. If you are using form-based login, you can get the password even in Tomcat. The easiest would be to put a filter on the j_security_check servlet. In the filter you can read j_password from the request.

View the original post : http://www.jboss.com/index.html?module=bb&op=viewtopic&p=3898577#3898577
[JBoss-user] [Security & JAAS/JBoss] - Re: Updating user credentials
Some thoughts: seems like the earlier impl of re-logging in the user (behind the scenes) is a better idea, as the other option involves using MBean code. Kinda ties you up a lot to JBoss. In J2EE use as few native features as possible. In case you can't help using it, provide enough delegation/abstraction to make sure that the change (in case you need to change) in future is limited to one or two Java files irrespective of project size.

View the original post : http://www.jboss.com/index.html?module=bb&op=viewtopic&p=3898576#3898576
[JBoss-user] [Security & JAAS/JBoss] - Re: JAAS Security in JBOSS 4.0 ISSUES??
At the highest level these are the steps required to convert an insecure J2EE app to a secure one in JBoss.

For web apps:

1) In the web.xml list the URLs that need to be secure and the HTTP methods that need to be secure. This can be done as so.

anonymous wrote :
| <security-constraint>
|   <web-resource-collection>
|     <web-resource-name>Restricted</web-resource-name>
|     <description>Declarative security tests</description>
|     <url-pattern>/*</url-pattern>
|     <http-method>HEAD</http-method>
|     <http-method>GET</http-method>
|     <http-method>POST</http-method>
|     <http-method>PUT</http-method>
|     <http-method>DELETE</http-method>
|   </web-resource-collection>
|   <auth-constraint>
|     <role-name>Secure</role-name>
|   </auth-constraint>
|   <user-data-constraint>
|     <description>no description</description>
|     <transport-guarantee>NONE</transport-guarantee>
|   </user-data-constraint>
| </security-constraint>

anonymous wrote :
| <login-config>
|   <auth-method>BASIC</auth-method>
|   <realm-name>JAAS Tutorial Servlets</realm-name>
| </login-config>

anonymous wrote :
| <security-role>
|   <description>A user allowed to invoke echo methods</description>
|   <role-name>Secure</role-name>
| </security-role>

2) Now specify the security domain that will provide the authentication (login) and the authorization information (roles) in jboss-web.xml.

anonymous wrote :
| This comes directly under the <jboss-web> tag. Check the DTD for more details.
|
| <jboss-web>
|   <security-domain>java:/jaas/jwdomain</security-domain>
| </jboss-web>

3) Now the last piece is to provide the jwdomain information in the server/default/conf/login-config.xml.

Now you should be good to go.

*** For an EJB application replace step 1) above with info in ejb-jar.xml; step 2) and step 3) remain the same. Note: use jboss.xml to provide the security domain info rather than jboss-web.xml.

Let us know how it goes. Also it would help if you post the exact error you are getting.

View the original post : http://www.jboss.com/index.html?module=bb&op=viewtopic&p=3898575#3898575
[JBoss-user] [JCA/JBoss] - Re: Trouble enlisting direct JDBC in a transaction
If you want to manage transactions yourself (not a good idea most times) then look up the UserTransaction object from JNDI and use that. Don't use the transaction manager. It can't help you :)

View the original post : http://www.jboss.com/index.html?module=bb&op=viewtopic&p=3897033#3897033
[JBoss-user] [JCA/JBoss] - Re: Trouble enlisting direct JDBC in a transaction
Your class cast exception should be easy to solve. You are setting up a regular datasource and trying to cast it to an XADataSource. In your mysql-ds.xml you need to set up an XA datasource.

anonymous wrote :
| <datasources>
|   <xa-datasource>
|     <jndi-name>MySqlDS</jndi-name>
|     <xa-datasource-class>com.mysql.jdbc.jdbc2.optional.MysqlXADataSource</xa-datasource-class>
|     <xa-datasource-property name="URL">jdbc:mysql://localhost:3306/test</xa-datasource-property>
|     <!-- the original fragment also carried an element with the value "true"
|          whose element name did not survive the archive -->
|     <exception-sorter-class-name>org.jboss.resource.adapter.jdbc.vendor.MySQLExceptionSorter</exception-sorter-class-name>
|     <metadata>
|       <type-mapping>mySQL</type-mapping>
|     </metadata>
|   </xa-datasource>
| </datasources>

View the original post : http://www.jboss.com/index.html?module=bb&op=viewtopic&p=3897032#3897032
[JBoss-user] [JBossWS] - Couldn't find a matching Java operation for WSDD operation
I am trying to create a doc/lit web service. I was successful in getting the service running and testing it using a .NET C# test client. However, when I create an additional method in the SEI that accepts an array argument, it starts giving an exception such as the one below. Any help will be appreciated. I am using JBoss 4.0.2 default config. Is there something fundamentally wrong in what I am doing?

| 17:04:10,353 FATAL [InternalException] Exception:
| java.lang.Exception: Couldn't find a matching Java operation for WSDD operation "sayHelloManyTimes" (1 args)
|   at org.jboss.axis.InternalException.<init>(InternalException.java:106)
|   at org.jboss.axis.description.ServiceDesc.loadServiceDescByIntrospection(ServiceDesc.java:992)
|   at org.jboss.axis.providers.java.JavaProvider.initServiceDesc(JavaProvider.java:732)
|   at org.jboss.webservice.server.InvokerProvider.initServiceDesc(InvokerProvider.java:95)
|   at org.jboss.axis.handlers.soap.SOAPService.getInitializedServiceDesc(SOAPService.java:388)
|   at org.jboss.axis.deployment.wsdd.WSDDService.makeNewInstance(WSDDService.java:560)
|   at org.jboss.axis.deployment.wsdd.WSDDDeployableItem.getNewInstance(WSDDDeployableItem.java:322)
|   at org.jboss.axis.deployment.wsdd.WSDDDeployableItem.getInstance(WSDDDeployableItem.java:307)
|   at org.jboss.axis.deployment.wsdd.WSDDDeployment.getService(WSDDDeployment.java:526)
|   at org.jboss.axis.configuration.FileProvider.getService(FileProvider.java:288)
|   at org.jboss.axis.AxisEngine.getService(AxisEngine.java:253)
|   at org.jboss.webservice.server.ServiceEndpointServlet.doGet(ServiceEndpointServlet.java:58)
|   at javax.servlet.http.HttpServlet.service(HttpServlet.java:697)
|   at org.jboss.axis.transport.http.AxisServletBase.service(AxisServletBase.java:370)
|   at javax.servlet.http.HttpServlet.service(HttpServlet.java:810)
|   at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:252)
|   at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:173)
|   at org.jboss.web.tomcat.filters.ReplyHeaderFilter.doFilter(ReplyHeaderFilter.java:81)
|   at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:202)
|   at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:173)
|   at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:213)
|   at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:178)
|   at org.jboss.web.tomcat.security.CustomPrincipalValve.invoke(CustomPrincipalValve.java:39)
|   at org.jboss.web.tomcat.security.SecurityAssociationValve.invoke(SecurityAssociationValve.java:153)
|   at org.jboss.web.tomcat.security.JaccContextValve.invoke(JaccContextValve.java:59)
|   at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:126)
|   at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:105)
|   at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:107)
|   at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:148)
|   at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:856)
|   at org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.processConnection(Http11Protocol.java:744)
|   at org.apache.tomcat.util.net.PoolTcpEndpoint.processSocket(PoolTcpEndpoint.java:527)
|   at org.apache.tomcat.util.net.MasterSlaveWorkerThread.run(MasterSlaveWorkerThread.java:112)
|   at java.lang.Thread.run(Thread.java:534)
| 17:04:10,353 INFO [AxisServlet] Exception:
| org.jboss.axis.InternalException: java.lang.Exception: Couldn't find a matching Java operation for WSDD operation "sayHelloManyTimes" (1 args)
|   at org.jboss.axis.description.ServiceDesc.loadServiceDescByIntrospection(ServiceDesc.java:992)
|   at org.jboss.axis.providers.java.JavaProvider.initServiceDesc(JavaProvider.java:732)
|   at org.jboss.webservice.server.InvokerProvider.initServiceDesc(InvokerProvider.java:95)
|   at org.jboss.axis.handlers.soap.SOAPService.getInitializedServiceDesc(SOAPService.java:388)
|   at org.jboss.axis.deployment.wsdd.WSDDService.makeNewInstance(WSDDService.java:560)
|   at org.jboss.axis.deployment.wsdd.WSDDDeployableItem.getNewInstance(WSDDDeployableItem.java:322)
|   at org.jboss.axis.deployment.wsdd.WSDDDeployableItem.getInstance(WSDDDeployableItem.java:307)
|   at org.jboss.axis.deployment.wsdd.WSDDDeployment.getService(WSDDDeployment.java:526)
|   at org.jboss.axis.configuration.FileProvider.getService(FileProvider.java:288)
|   at org.jboss.axis.AxisEngine.getService(AxisEngine.java:253)
|   at org.jboss.webservice.server.ServiceEndpointServlet.doGet(ServiceEndpointServlet.jav
[JBoss-user] [Security & JAAS/JBoss] - Re: saving j_username as session/request parameter
Why don't you put a servlet filter for the j_security_check servlet in your web.xml? In the filter code, you will have access to the request object from where you can read j_username and store it in the session. This would be the easiest way of doing this without tampering with the app server code.

View the original post : http://www.jboss.org/index.html?module=bb&op=viewtopic&p=3891551#3891551
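As an added example (not code from this post or from the earlier "Password Capture" reply), here is a filter that keeps the logged-in user's name in the HttpSession. It reads the name from request.getUserPrincipal() once the container has authenticated the caller, rather than from the j_username form field, so it behaves the same for BASIC and FORM login (the "Getting User Credential" reply above notes that a filter on j_security_check only applies to form-based auth) and it never touches the password. It assumes the Servlet 2.4 API and a filter-mapping onto the protected URL space; the class and attribute names are hypothetical.

```java
import java.io.IOException;
import java.security.Principal;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpSession;

// Added example, not from the posts. Map it in web.xml with a <filter-mapping> whose
// <url-pattern> covers the protected pages (for instance /secure/*).
public class RememberUserFilter implements Filter {

    // Session attribute the rest of the application reads (hypothetical name).
    public static final String USERNAME_ATTR = "authenticated.username";

    public void init(FilterConfig cfg) {}
    public void destroy() {}

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        if (req instanceof HttpServletRequest) {
            HttpServletRequest http = (HttpServletRequest) req;
            // null until the container's authenticator has established the caller.
            Principal caller = http.getUserPrincipal();
            if (caller != null) {
                remember(http, caller.getName());
            }
        }
        chain.doFilter(req, res);
    }

    // Stores the name; if the session already belongs to a different user, drop that
    // session rather than carry the old identity (and its state) over to the new one.
    static void remember(HttpServletRequest http, String name) {
        HttpSession session = http.getSession(true);
        String stored = (String) session.getAttribute(USERNAME_ATTR);
        if (stored == null) {
            session.setAttribute(USERNAME_ATTR, name);
        } else if (!stored.equals(name)) {
            session.invalidate();
            http.getSession(true).setAttribute(USERNAME_ATTR, name);
        }
    }
}
```

Storing only the principal's name, and not j_password, is deliberate: a session attribute is serialized to disk on passivation and replicated in a cluster, so a cleartext password kept there would outlive the request that carried it.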
[JBoss-user] [Security & JAAS/JBoss] - Re: Can I create a J2EE-generic authentication module?
You can write your own JAAS login module and plug it into the conf/login-config.xml file. If you want complete portability, ensure that you custom implement the Principal and Group classes and don't use the ones from JBoss. I have done this successfully. There is no issue with that. Once you have done this, you can take this LoginModule anywhere as it's fully portable and not dependent on JBoss.

View the original post : http://www.jboss.org/index.html?module=bb&op=viewtopic&p=3891549#3891549
[JBoss-user] [Security & JAAS/JBoss] - Re: how this symbol @ works in the application and jboss fil
You are to replace them with the appropriate values.

View the original post : http://www.jboss.org/index.html?module=bb&op=viewtopic&p=3890115#3890115
[JBoss-user] [Security & JAAS/JBoss] - Re: security in jboss
Read the sticky post for a good introduction.

View the original post : http://www.jboss.org/index.html?module=bb&op=viewtopic&p=3890114#3890114
[JBoss-user] [Security & JAAS/JBoss] - Re: Retrieving user name
My guess is that in your JSP/servlet, the call to request.getUserPrincipal() is returning null. If you are using a custom login module then you need to define a group named "CallerPrincipal" to which you can add your Principal impl class. If you do this then the request.getUserPrincipal() returns your custom Principal impl (of course you will need to cast it to your impl class).

HTH
Ashwin Karkala

View the original post : http://www.jboss.org/index.html?module=bb&op=viewtopic&p=3890113#3890113
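The following is an added example, not code from any of the posts, that ties together the "Login Modules and Realm", "programmatic authentication with LDAP", "J2EE-generic authentication module" and "Retrieving user name" replies: a LoginModule built only from JDK classes (its own Principal and Group, no JBoss types) whose commit() populates the Subject the way JBoss reads it, with a Group named "Roles" holding the role principals and a Group named "CallerPrincipal" holding the one principal that getUserPrincipal()/getCallerPrincipal() should return. The user table is constructed for the example and the class names are assumptions. It is written for the JDK 5 to 8 range, where java.security.acl.Group still exists (it is deprecated in 9 and removed in 14).

```java
import java.io.IOException;
import java.security.Principal;
import java.security.acl.Group;
import java.util.*;
import javax.security.auth.Subject;
import javax.security.auth.callback.*;
import javax.security.auth.login.FailedLoginException;
import javax.security.auth.login.LoginException;
import javax.security.auth.spi.LoginModule;

// Added example, not from the posts. Plain JDK only; nothing here depends on JBoss.
public class PortableLoginModule implements LoginModule {

    // Identity/role principal; equality by name so the Subject's principal set deduplicates.
    public static class NamePrincipal implements Principal {
        private final String name;
        public NamePrincipal(String name) { this.name = name; }
        public String getName() { return name; }
        public boolean equals(Object o) {
            return o instanceof NamePrincipal && name.equals(((NamePrincipal) o).name);
        }
        public int hashCode() { return name.hashCode(); }
        public String toString() { return name; }
    }

    // Named group of principals; JBoss locates "Roles" and "CallerPrincipal" by this name.
    public static class NameGroup extends NamePrincipal implements Group {
        private final Set<Principal> members = new HashSet<Principal>();
        public NameGroup(String name) { super(name); }
        public boolean addMember(Principal p) { return members.add(p); }
        public boolean removeMember(Principal p) { return members.remove(p); }
        public boolean isMember(Principal p) { return members.contains(p); }
        public Enumeration<? extends Principal> members() { return Collections.enumeration(members); }
    }

    // Constructed user store for the example; a real module queries LDAP or a database here.
    private static final Map<String, char[]> PASSWORDS = new HashMap<String, char[]>();
    private static final Map<String, String[]> ROLES = new HashMap<String, String[]>();
    static {
        PASSWORDS.put("alice", "s3cret".toCharArray());
        ROLES.put("alice", new String[] { "Secure", "report-viewer" });
    }

    private Subject subject;
    private CallbackHandler handler;
    private String user;       // set by login(), consumed by commit()
    private boolean loginOk;

    public void initialize(Subject subject, CallbackHandler handler,
                           Map<String, ?> sharedState, Map<String, ?> options) {
        this.subject = subject;
        this.handler = handler;
    }

    // Phase 1: authenticate only. The Subject is not touched here.
    public boolean login() throws LoginException {
        NameCallback nc = new NameCallback("user: ");
        PasswordCallback pc = new PasswordCallback("password: ", false);
        try {
            handler.handle(new Callback[] { nc, pc });
        } catch (IOException e) {
            throw new LoginException("callback failed: " + e.getMessage());
        } catch (UnsupportedCallbackException e) {
            throw new LoginException("callback handler cannot supply name and password");
        }
        char[] expected = PASSWORDS.get(nc.getName());
        char[] given = pc.getPassword();
        pc.clearPassword();
        if (expected == null || given == null || !constantTimeEquals(expected, given)) {
            loginOk = false;
            throw new FailedLoginException("bad user or password"); // same text for both cases
        }
        user = nc.getName();
        loginOk = true;
        return true;
    }

    // Phase 2: only now does the Subject gain an identity. Anything that inspects the Subject
    // before commit() runs (an EJB called from inside login(), say) sees no caller at all.
    public boolean commit() throws LoginException {
        if (!loginOk) {
            return false;
        }
        NamePrincipal identity = new NamePrincipal(user);
        NameGroup roles = new NameGroup("Roles");
        String[] names = ROLES.get(user);
        for (int i = 0; names != null && i < names.length; i++) {
            roles.addMember(new NamePrincipal(names[i]));
        }
        NameGroup caller = new NameGroup("CallerPrincipal");
        caller.addMember(identity);   // what getUserPrincipal()/getCallerPrincipal() return
        Set<Principal> ps = subject.getPrincipals();
        ps.add(identity);
        ps.add(roles);
        ps.add(caller);
        return true;
    }

    public boolean abort() { user = null; loginOk = false; return true; }
    public boolean logout() { subject.getPrincipals().clear(); return true; }

    // Comparison whose running time does not depend on where the passwords first differ.
    static boolean constantTimeEquals(char[] a, char[] b) {
        int diff = a.length ^ b.length;
        for (int i = 0; i < a.length && i < b.length; i++) {
            diff |= a[i] ^ b[i];
        }
        return diff == 0;
    }
}
```

Reference it from an application-policy in login-config.xml on the server (or an entry in the client's auth.conf) under the name your jboss.xml or jboss-web.xml security-domain points at. Because the module keys only on the group names, the same class drops into any JAAS-based server that reads roles from a named Group; only the name it expects may differ.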
[JBoss-user] [Security & JAAS/JBoss] - Re: Simple JAAS Configuration ?
Have you made an entry in the login-config.xml for the overdrive security domain?

View the original post : http://www.jboss.org/index.html?module=bb&op=viewtopic&p=3889666#3889666
[JBoss-user] [Security & JAAS/JBoss] - Re: Basic Auth not propogating Security
Make sure you include the ClientLoginModule in the "mymail" authentication domain. This should help propagate the principal.

View the original post : http://www.jboss.org/index.html?module=bb&op=viewtopic&p=3889000#3889000
[JBoss-user] [Security & JAAS/JBoss] - Re: re-login necessary after jboss-restart
What do you mean by

anonymous wrote :
| although the http-session survived the restart.

How do you know the http-session on the server side survived the restart?

View the original post : http://www.jboss.org/index.html?module=bb&op=viewtopic&p=373#373
[JBoss-user] [Security & JAAS/JBoss] - Re: Implementation of mandate-type access
Seems like you have to define a custom implementation of the RealmMapping interface. The interface defines a method

anonymous wrote :
| /** Validates the application domain roles to which the operational
|     environment Principal belongs.
|     @param principal the caller principal as known in the operation environment.
|     @param roles The Set for the application domain roles that the
|     principal is to be validated against.
|     @return true if the principal has at least one of the roles in the roles set,
|     false otherwise.
| */
| public boolean doesUserHaveRole(Principal principal, Set roles);

Your implementation can return true/false based on the mandate level. You might also need to define a custom login module (only your requirements will define this need) that gets the mandate value into the subject. For complete details on how to implement a custom security manager and custom login modules (for the JAAS security manager) please read

anonymous wrote :
| http://docs.jboss.org/jbossas/admindevel326/html/ch8.chapter.html

View the original post : http://www.jboss.org/index.html?module=bb&op=viewtopic&p=336#336
[JBoss-user] [Security & JAAS/JBoss] - Re: LDAP Authentication
Any exceptions?

View the original post : http://www.jboss.org/index.html?module=bb&op=viewtopic&p=335#335
[JBoss-user] [Security & JAAS/JBoss] - Re: has anyone managed to run the program in the top entry o
Seems like you don't have an auth.conf file for your client application. Try providing the system property -D while calling java as follows.

anonymous wrote :
| -Djava.security.auth.login.config=${full_path_to_auth.conf}

There is a more detailed thread on this available in the same forum.

anonymous wrote :
| http://www.jboss.com/index.html?module=bb&op=viewtopic&t=66605

View the original post : http://www.jboss.org/index.html?module=bb&op=viewtopic&p=334#334
[JBoss-user] [Security & JAAS/JBoss] - Re: has anyone managed to run the program in the top entry o
Please provide the o/p or stack trace etc.

View the original post : http://www.jboss.org/index.html?module=bb&op=viewtopic&p=3888386#3888386
[JBoss-user] [Security & JAAS/JBoss] - Re: Configuration file for Loging modules NOT found
Yes, this is a pretty common thing to do when you first start off with JAAS. I did the same too. I use the -D argument to the java command as below:

java -Djava.security.auth.login.config=conf/auth.conf

This needs to be under the current directory.

View the original post : http://www.jboss.org/index.html?module=bb&op=viewtopic&p=3888334#3888334
[JBoss-user] [Security & JAAS/JBoss] - Re: has anyone managed to run the program in the top entry o
It's more for reference. What problem are you facing exactly?

View the original post : http://www.jboss.org/index.html?module=bb&op=viewtopic&p=3888333#3888333
[JBoss-user] [Security & JAAS/JBoss] - Re: Different Role check mechanism for EJB and Web?
I forgot to mention that I am using JBoss 4.0.1 SP1.

View the original post : http://www.jboss.org/index.html?module=bb&op=viewtopic&p=3888149#3888149
[JBoss-user] [Security & JAAS/JBoss] - Different Role check mechanism for EJB and Web?
I wanted to post an interesting observation. I have a custom LoginModule implementation that I was using. In the login module I was not using the SimplePrincipal and SimpleGroup implementations provided by JBoss. I was using custom implementations of the java.security.Principal and java.security.acl.Group interfaces. This seemed to work fine for authentication on the web side but seemed to fail for the EJB. Both the web and EJBs were secured using the same domain that used my custom login module. See http://www.jboss.org/index.html?module=bb&op=viewtopic&t=67345 for my prior post.

When I did a small walk through of the JBoss source code (thank heavens it's open source) I found that on the web container side, the roles are checked by getting the individual principals out of the Group as Strings (using the members() method first on the group and then getName() on each Principal in the enumeration). Basically the security interceptor gets all the roles the user belongs to as strings and then checks to see if the desired role is present or not.

However, on the EJB side of things, the security interceptor directly calls the isMember() method on the Group named "Roles" found in the Subject. The argument passed to the isMember() method is of type org.jboss.security.SimplePrincipal. I was directly checking this against the Principals in my group. However, since the class of my principals was different, the == was not working and I was getting SecurityExceptions thrown back during the EJB calls.

I understand that my impl of the isMember() method can be seen as flawed, but why does JBoss have to have conflicting mechanisms to check roles on the Web and EJB fronts? Any thoughts?

View the original post : http://www.jboss.org/index.html?module=bb&op=viewtopic&p=3888147#3888147
[JBoss-user] [Security & JAAS/JBoss] - Re: EJB SecurityException even though roles are present
Finally managed to fix the problem. The issue was with my implementation of the java.security.acl.Group interface. In isMember() I was checking the principal directly rather than checking principal.getName(). The RealmMapping impl used by the EJB container checks for available roles using the isMember() method. Surprisingly, the same on the web container gets all the roles as strings and then checks against the strings. Wonder why this is so. In any case I am glad I was able to fix the issue and hopefully this helps others.

View the original post : http://www.jboss.org/index.html?module=bb&op=viewtopic&p=3888145#3888145
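The mismatch described in this fix and in the "Different Role check mechanism" observation above, as an added example that is not code from the thread or from JBoss: a hypothetical Group whose isMember() either compares object identity (the flawed version) or compares principal names (the fix), checked the way the web container does (members() plus getName() as strings) and the way the EJB interceptor does (isMember() with a principal of a different class, standing in for SimplePrincipal). AppPrincipal, RolesGroup and RoleCheckDemo are invented names; the code assumes a JDK from 8 through 13, which still ships java.security.acl.Group.

```java
import java.security.Principal;
import java.security.acl.Group;
import java.util.Collections;
import java.util.Enumeration;
import java.util.HashSet;
import java.util.Set;

// Hypothetical application principal, standing in for the poster's custom Principal class.
final class AppPrincipal implements Principal {
    private final String name;
    AppPrincipal(String name) { this.name = name; }
    public String getName() { return name; }
}

// Hypothetical "Roles" group; the flag selects the flawed or the fixed isMember() strategy.
final class RolesGroup implements Group {
    private final Set<Principal> members = new HashSet<Principal>();
    private final boolean compareByName;
    RolesGroup(boolean compareByName) { this.compareByName = compareByName; }
    public String getName() { return "Roles"; }
    public boolean addMember(Principal p) { return members.add(p); }
    public boolean removeMember(Principal p) { return members.remove(p); }
    public Enumeration<? extends Principal> members() { return Collections.enumeration(members); }
    public boolean isMember(Principal p) {
        for (Principal m : members) {
            // Flawed: object identity. A principal of another class (e.g. SimplePrincipal)
            // carrying the same role name is never the same object, so the EJB check fails.
            if (!compareByName && m == p) return true;
            // Fixed: a role is identified by its name, whatever the Principal class.
            if (compareByName && m.getName().equals(p.getName())) return true;
        }
        return false;
    }
}

public class RoleCheckDemo {
    // Web container style: walk members(), take getName() of each, look for the string.
    static boolean webStyleCheck(Group roles, String required) {
        for (Enumeration<? extends Principal> e = roles.members(); e.hasMoreElements();)
            if (e.nextElement().getName().equals(required)) return true;
        return false;
    }
    // EJB interceptor style: hand isMember() a principal the container built itself,
    // which is a different class from the one the login module put into the group.
    static boolean ejbStyleCheck(Group roles, final String required) {
        return roles.isMember(new Principal() { public String getName() { return required; } });
    }
    public static void main(String[] args) {
        for (boolean fixed : new boolean[] {false, true}) {
            Group roles = new RolesGroup(fixed);
            roles.addMember(new AppPrincipal("Secure"));
            System.out.println((fixed ? "fixed" : "flawed") + ": web=" + webStyleCheck(roles, "Secure") + " ejb=" + ejbStyleCheck(roles, "Secure"));
        }
    }
}
```

With the flawed group the web-style check passes and the EJB-style check fails for the same "Secure" role, which is exactly the split reported in the thread; with name comparison both pass.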
[JBoss-user] [Security & JAAS/JBoss] - Re: EJB SecurityException even though roles are present
I did a little source code searching and found that the exception is thrown by org.jboss.ejb.plugins.SecurityInterceptor. The exact piece of code that fails is

| // Check if the caller is allowed to access the method
| if (methodRoles.contains(AnybodyPrincipal.ANYBODY_PRINCIPAL) == false)
| {
|     // The caller is using the caller identity
|     if (callerRunAsIdentity == null)
|     {
|         // Now actually check if the current caller has one of the required method roles
|         if (realmMapping.doesUserHaveRole(principal, methodRoles) == false)
|         {
|             Set userRoles = realmMapping.getUserRoles(principal);
|             String method = mi.getMethod().getName();
|             BeanMetaData beanMetaData = container.getBeanMetaData();
|             String msg = "Insufficient method permissions, principal=" + principal
|                 + ", ejbName=" + beanMetaData.getEjbName()
|                 + ", method=" + method + ", interface=" + iface
|                 + ", requiredRoles=" + methodRoles + ", principalRoles=" + userRoles;
|             SecurityException e = new SecurityException(msg);
|             throw e;
|         }
|     }
| }

I was unable to debug any further as RealmMapping is an interface and I am not sure which impl class is actually working during runtime. Also what baffles me most is that the exception indicates that I am not in the role, but the message in the exception clearly shows that I am indeed in the role. Any pointers?

View the original post : http://www.jboss.org/index.html?module=bb&op=viewtopic&p=3888125#3888125
[JBoss-user] [Security & JAAS/JBoss] - Re: EJB SecurityException even though roles are present
Wanted to add some more details. Since the same security domain seems to work for the web application and not for the EJB, I suspect it could be some EJB config. I am posting the jboss.xml and the ejb-jar.xml here for reference.

jboss.xml
| | |java:/jaas/jwdomain | | | | | | | Fibo | ejb/tutorial/Fibo | | | | | | | |

And the ejb-jar.xml
| |Generated by XDoclet | | | | | EJB that computes Fibonacci suite | Fibo EJB | Fibo | tutorial.interfaces.FiboHome | tutorial.interfaces.Fibo | tutorial.ejb.FiboBean | Stateless | Container | | | | | | | | Secure | | | | | | Fibo | create | | | | | Secure | | Fibo | factorial | | | |

Again, am I missing something? Any help is appreciated. Thanks.

View the original post : http://www.jboss.org/index.html?module=bb&op=viewtopic&p=3887959#3887959
[JBoss-user] [Security & JAAS/JBoss] - EJB SecurityException even though roles are present
Hi, I am doing the usual custom login module to log in to the servlet and then using the servlet to access a session EJB. Both the servlet and session bean are secured by the role named "Secure". The security domain I am using is jwdomain and is set in the login-config.xml to

anonymous wrote :
| | | | com.netscape.jndi.ldap.LdapContextFactory | true | | | useFirstPass | | | | |

Note: I am using ClientLoginModule as part of the security domain definition above. In the servlet I am using BASIC authentication to get the username and password. This is working fine. However, when the servlet tries to access the EJB the following exception is thrown.

anonymous wrote :
| java.rmi.AccessException: SecurityException; nested exception is:
| java.lang.SecurityException: Insufficient method permissions, principal=akarkala, ejbName=Fibo, method=factorial, interface=REMOTE, requiredRoles=[Secure], principalRoles=[Secure]
|

Note that it's looking for the role "Secure" and it's present in the principalRoles. Why am I still getting the exception? Any pointers?

View the original post : http://www.jboss.org/index.html?module=bb&op=viewtopic&p=3887951#3887951