[JBoss-user] [Security & JAAS/JBoss] - Re: Fundamental performance problem with JaasSecurityManager
Hey,

Nothing to do with the issue presented, but we also had several performance problems with the login phase, and we simply used 2 different approaches for the login strategy. First login using standard user/password login with costly database lookup of credentials, principals etc. In this login we generate a session id that is used to automatically look up the cached logged credentials in another loginmodule for the rest of the client logins. In this way we somehow overrule the need to create a different login module for each login attempt.

Hope this helps.

View the original post : http://www.jboss.org/index.html?module=bb&op=viewtopic&p=3859031#3859031

JBoss-user mailing list
https://lists.sourceforge.net/lists/listinfo/jboss-user
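
The two-step login described in this post, sketched as an added example (not code from the poster or from JBoss): a cache that the first, full login fills and that the second login module consults by session id. The class, method and field names are hypothetical and a current JDK is assumed; the id comes from SecureRandom and expires, since whoever holds it logs in without a password.

```java
import java.security.SecureRandom;
import java.util.Base64;
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;

/** Hypothetical cache shared by the full login and the session-id login. */
public class SessionLoginCache {
    /** Result of the costly first login; field names are illustrative. */
    static final class Entry {
        final String user; final String[] roles; final long expiresAt;
        Entry(String user, String[] roles, long expiresAt) {
            this.user = user; this.roles = roles; this.expiresAt = expiresAt;
        }
    }
    private static final SecureRandom RNG = new SecureRandom();
    private final Map<String, Entry> bySession = new ConcurrentHashMap<>();
    private final long ttlMillis;

    public SessionLoginCache(long ttlMillis) { this.ttlMillis = ttlMillis; }
    /** Call only after the user/password login (database lookup) succeeded. */
    public String issue(String user, String[] roles) {
        byte[] raw = new byte[32];   // 256 random bits, so the id cannot be guessed
        RNG.nextBytes(raw);
        String id = Base64.getUrlEncoder().withoutPadding().encodeToString(raw);
        long expiresAt = System.currentTimeMillis() + ttlMillis;
        bySession.put(id, new Entry(user, roles.clone(), expiresAt));
        return id;
    }

    /** Used by the second login module; null means "run the full login again". */
    public Entry lookup(String sessionId) {
        Entry e = sessionId == null ? null : bySession.get(sessionId);
        if (e != null && System.currentTimeMillis() >= e.expiresAt) {
            bySession.remove(sessionId, e);   // expired entries never authenticate
            return null;
        }
        return e;
    }

    /** Logout, password change or account lock must drop the cached login. */
    public void revoke(String id) { if (id != null) bySession.remove(id); }
    public static void main(String[] args) {
        SessionLoginCache cache = new SessionLoginCache(15 * 60 * 1000L);
        String id = cache.issue("alice", new String[] {"user"});  // constructed sample
        System.out.println("cached login for: " + cache.lookup(id).user);
        cache.revoke(id);
        System.out.println("after revoke: " + cache.lookup(id));
    }
}
```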
[JBoss-user] [Security & JAAS/JBoss] - Re: Passing login failure cause to the client side
Hello,

I have the same problem getting the exact exception cause on the client side. If you are lucky, your client will run on the same VM that the logincontext does. In that case you might use

    Object exception = org.jboss.security.SecurityAssociation.getContextInfo("org.jboss.security.exception");
    System.out.println("exception:" + exception);

The exception obtained is the original exception thrown by the LoginModule, and you can insert your own code based upon that exception (rethrow it, for example). In my case I use EJB services accessed from a remote machine and that exception is not available on the remote client :(.

As requested by Scott, I have opened a Jira requesting this feature for the client. Please vote for it so that they can correct it. http://jira.jboss.com/jira/browse/JBAS-47

View the original post : http://www.jboss.org/index.html?module=bb&op=viewtopic&p=3858748#3858748
[JBoss-user] [Security & JAAS/JBoss] - Re: CredentialsExpired and AccountExpired exception
Scott,

I agree that the exception is available from SecurityAdapter, but only inside the same VM :(. I'm using ClientLoginModule from a standalone client application and the exception is not propagated back to the client. This is to say:

    Object exception = SecurityAssociation.getContextInfo("org.jboss.security.exception");
    System.out.println("exception:" + exception);

always returns null on the client side. I agree that the security manager doesn't allow for standard exception propagation, but I need a way to send the state back to the client. What would you think about the following modification on SecurityInterceptor (line 150)?

    // Check the security info from the method invocation
    if (securityManager.isValid(principal, credential) == false)
    {
       Object exception = SecurityAssociation.getContextInfo(AUTH_EXCEPTION_KEY);
       if (exception != null)
       {
          // LoginException exception on internal JAAS login module. reThrow.
          log.error("Internal JAAS LoginException " + exception);
          throw (Exception) exception;
       }
       String msg = "Authentication exception, principal=" + principal;
       log.error(msg);
       SecurityException e = new SecurityException(msg);
       throw e;
    }

The only problem I find is that LoginException does not extend from SecurityException but from GeneralSecurityException, which is checked :(. Maybe another approach would be to use SecurityException as a wrapper for the JAAS exception.

View the original post : http://www.jboss.org/index.html?module=bb&op=viewtopic&p=3858055#3858055
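
The wrapper idea from the end of this post, as an added example (not JBoss code and not the poster's patch): the server attaches the JAAS exception as the cause of an unchecked SecurityException, and the client walks the cause chain. `checkAuth`, `classify` and `attempt` are hypothetical names; a current JDK is assumed, and so is a transport that serializes the cause along with the exception.

```java
import javax.security.auth.login.AccountExpiredException;
import javax.security.auth.login.CredentialExpiredException;
import javax.security.auth.login.FailedLoginException;
import javax.security.auth.login.LoginException;

public class AuthFailureCause {
    /** Server side: stand-in for the interceptor check quoted in the post.
     *  loginFailure plays the role of the object stored under AUTH_EXCEPTION_KEY. */
    static void checkAuth(String principal, LoginException loginFailure) {
        if (loginFailure == null) return;                    // authenticated
        String msg = "Authentication exception, principal=" + principal;
        // Forward only the states a client can act on; any other failure keeps
        // the generic message, so the reply does not say why a login was refused.
        if (loginFailure instanceof CredentialExpiredException
                || loginFailure instanceof AccountExpiredException) {
            throw new SecurityException(msg, loginFailure);  // unchecked wrapper
        }
        throw new SecurityException(msg);
    }

    /** Client side: walk the cause chain, since a remote call may wrap again. */
    static String classify(Throwable t) {
        for (Throwable c = t; c != null; c = c.getCause()) {
            if (c instanceof CredentialExpiredException) return "CREDENTIAL_EXPIRED";
            if (c instanceof AccountExpiredException) return "ACCOUNT_EXPIRED";
        }
        return "DENIED";
    }

    static String attempt(LoginException failure) {
        try {
            checkAuth("alice", failure);                     // constructed sample principal
            return "OK";
        } catch (SecurityException e) {
            return classify(e);
        }
    }

    public static void main(String[] args) {
        System.out.println(attempt(null));
        System.out.println(attempt(new CredentialExpiredException("password too old")));
        System.out.println(attempt(new AccountExpiredException("account closed")));
        System.out.println(attempt(new FailedLoginException("bad password")));
    }
}
```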
[JBoss-user] [Security & JAAS/JBoss] - Re: CredentialsExpired and AccountExpired exception
With a bit more research I have found the following lines of code in org.jboss.ejb.plugins.SecurityInterceptor, starting on line 150.

    // Check the security info from the method invocation
    if (securityManager.isValid(principal, credential) == false)
    {
       String msg = "Authentication exception, principal=" + principal;
       log.error(msg);
       SecurityException e = new SecurityException(msg);
       throw e;
    }

Seems like no matter what happens in the LoginModule, the exception thrown will be SecurityException :(. Is this a design decision or just something on the TODO?

The JBoss version I'm using is 3.2.6.

View the original post : http://www.jboss.org/index.html?module=bb&op=viewtopic&p=3857303#3857303
[JBoss-user] [Security & JAAS/JBoss] - CredentialsExpired and AccountExpired exception
I'm trying to integrate a new authorization system through Spring login modules by extending AbstractServerLoginModule. Everything works perfectly up to the point where I try to test CredentialExpired exceptions and AccountExpiredException. Then, no matter which security exception is thrown, the client always gets the same plain SecurityException with no other information.

Is there any way to get the exact cause of the SecurityException?

I'm using LocalClientLoginModule to access a remote EJB whose methods are protected.

View the original post : http://www.jboss.org/index.html?module=bb&op=viewtopic&p=3857300#3857300