[JBoss-user] [Security & JAAS/JBoss] - Re: Fundamental performance problem with JaasSecurityManager

2004-12-17 Thread sberna
Hey,

Nothing to do with the issue presented but we also had several performance 
problems with the login phase and we simply used 2 different approaches for the 
login strategy.

First login using standard user/password login with costly database lookup of 
credentials, principals etc.

In this login we generate a session id that is used to automatically lookup the 
cached logged credentials in another loginmodule for the rest of the client 
logins.

In this way we somehow overrule the need to create a different login module for 
each login attempt.

Hope this helps.

View the original post : 
http://www.jboss.org/index.html?module=bb&op=viewtopic&p=3859031#3859031

Reply to the post : 
http://www.jboss.org/index.html?module=bb&op=posting&mode=reply&p=3859031
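
An added illustration of the two-stage login described in the post above (not the poster's code): the first login takes the costly path and issues a random session id, and later logins resolve the cached entry from that id. The class name, the hard-coded account and the lifetime are constructed for the example; records need Java 16 or later.

```java
import java.security.SecureRandom;
import java.time.Instant;
import java.util.Arrays;
import java.util.Base64;
import java.util.Map;
import java.util.Set;
import java.util.concurrent.ConcurrentHashMap;

public class SessionLoginCache {
    record Entry(String user, Set<String> roles, Instant expires) {}

    private final Map<String, Entry> sessions = new ConcurrentHashMap<>();
    private final SecureRandom rng = new SecureRandom();
    int dbLookups = 0; // counts how often the costly path runs

    // Constructed stand-in for the database lookup of credentials and roles.
    private Set<String> slowDbLogin(String user, char[] password) {
        dbLookups++;
        if (user.equals("alice") && Arrays.equals(password, "s3cret".toCharArray())) {
            return Set.of("user");
        }
        throw new SecurityException("login failed");
    }

    // First login: full check, then issue an unguessable 256-bit session id.
    String loginWithPassword(String user, char[] password, long ttlSeconds) {
        Set<String> roles = slowDbLogin(user, password);
        byte[] raw = new byte[32];
        rng.nextBytes(raw);
        String id = Base64.getUrlEncoder().withoutPadding().encodeToString(raw);
        sessions.put(id, new Entry(user, roles, Instant.now().plusSeconds(ttlSeconds)));
        return id;
    }

    // Later logins: resolve the cached entry; unknown or expired ids are rejected.
    Entry loginWithSession(String id) {
        Entry e = sessions.get(id);
        if (e == null || Instant.now().isAfter(e.expires())) {
            sessions.remove(id); // drop stale entries so they cannot be reused
            throw new SecurityException("session invalid or expired");
        }
        return e;
    }

    public static void main(String[] args) {
        SessionLoginCache cache = new SessionLoginCache();
        String id = cache.loginWithPassword("alice", "s3cret".toCharArray(), 600);
        for (int i = 0; i < 3; i++) cache.loginWithSession(id);
        System.out.println("db lookups: " + cache.dbLookups);
    }
}
```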


---
SF email is sponsored by - The IT Product Guide
Read honest & candid reviews on hundreds of IT Products from real users.
Discover which products truly live up to the hype. Start reading now. 
http://productguide.itmanagersjournal.com/
___
JBoss-user mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/jboss-user


[JBoss-user] [Security & JAAS/JBoss] - Re: Passing login failure cause to the client side

2004-12-15 Thread sberna
Hello,

I have the same problem getting the exact exception cause on the client side.

If you are lucky your client will run on the same VM that the logincontext 
does. In that case you might use 

    Object exception = org.jboss.security.SecurityAssociation.getContextInfo("org.jboss.security.exception");
    System.out.println("exception:" + exception);

The exception obtained is the original exception thrown by the LoginModule and 
you can insert your own code based upon that exception (rethrow it for example).

In my case I use EJB services accessed from a remote machine and that exception 
is not available on the remote client :(.

As requested by Scott I have opened a Jira requesting this feature for the 
client. Please vote for it so that they can correct it.

http://jira.jboss.com/jira/browse/JBAS-47

View the original post : 
http://www.jboss.org/index.html?module=bb&op=viewtopic&p=3858748#3858748

Reply to the post : 
http://www.jboss.org/index.html?module=bb&op=posting&mode=reply&p=3858748




[JBoss-user] [Security & JAAS/JBoss] - Re: CredentialsExpired and AccountExpired exception

2004-12-09 Thread sberna
Scott,

I agree that the exception is available from SecurityAdapter, but only inside 
the same VM :(.

I'm using ClientLoginModule from a standalone client application and the 
exception is not propagated back to the client.

This is to say:

    Object exception = SecurityAssociation.getContextInfo("org.jboss.security.exception");
    System.out.println("exception:" + exception);

Always returns null on the client side.

I agree that the security manager doesn't allow for standard exception propagation 
but I need a way to send the state back to the client.

What would you think about the following modification on SecurityInterceptor 
(line 150)

    // Check the security info from the method invocation
    if (securityManager.isValid(principal, credential) == false)
    {
        Object exception = SecurityAssociation.getContextInfo(AUTH_EXCEPTION_KEY);
        if (exception != null) {
            // LoginException exception on internal JAAS login module. reThrow.
            log.error("Internal JAAS LoginException " + exception);
            throw (Exception) exception;
        }
        String msg = "Authentication exception, principal=" + principal;
        log.error(msg);
        SecurityException e = new SecurityException(msg);
        throw e;
    }


The only problem I find is that LoginException does not extend from 
SecurityException but from GeneralSecurityException which is checked :(. Maybe 
another approach would be to use SecurityException as a wrapper for the JAAS 
exception.

View the original post : 
http://www.jboss.org/index.html?module=bb&op=viewtopic&p=3858055#3858055

Reply to the post : 
http://www.jboss.org/index.html?module=bb&op=posting&mode=reply&p=3858055
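
An added illustration of the wrapper approach mentioned at the end of the post above (not the poster's code and not JBoss source): the checked LoginException is attached as the cause of the unchecked SecurityException, and the caller inspects the cause to tell the expiry states apart. The class name, the authenticate() stand-in and the user names are constructed for the example.

```java
import javax.security.auth.login.AccountExpiredException;
import javax.security.auth.login.CredentialExpiredException;
import javax.security.auth.login.FailedLoginException;
import javax.security.auth.login.LoginException;

public class AuthCauseDemo {
    // Constructed stand-in for the server-side JAAS login; a container would run the LoginModule here.
    static void authenticate(String user) throws LoginException {
        if (user.equals("expired-pw")) throw new CredentialExpiredException("password expired");
        if (user.equals("expired-acct")) throw new AccountExpiredException("account expired");
        if (!user.equals("alice")) throw new FailedLoginException("bad user or password");
    }

    // Interceptor side: LoginException is checked, so carry it inside the unchecked SecurityException.
    static void checkSecurity(String user) {
        try {
            authenticate(user);
        } catch (LoginException e) {
            SecurityException se =
                new SecurityException("Authentication exception, principal=" + user);
            se.initCause(e); // keeps the original JAAS exception reachable via getCause()
            throw se;
        }
    }

    // Caller side: map the cause to a state; any other failure stays generic.
    static String describe(String user) {
        try {
            checkSecurity(user);
            return "ok";
        } catch (SecurityException se) {
            Throwable cause = se.getCause();
            if (cause instanceof CredentialExpiredException) return "credentials expired";
            if (cause instanceof AccountExpiredException) return "account expired";
            return "login failed";
        }
    }

    public static void main(String[] args) {
        for (String u : new String[] {"alice", "expired-pw", "expired-acct", "mallory"}) {
            System.out.println(u + " -> " + describe(u));
        }
    }
}
```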




[JBoss-user] [Security & JAAS/JBoss] - Re: CredentialsExpired and AccountExpired exception

2004-12-03 Thread sberna
With a bit more research I have found the following lines of code in 
org.jboss.ejb.plugins.SecurityInterceptor

Starting on line 150.

    // Check the security info from the method invocation
    if (securityManager.isValid(principal, credential) == false)
    {
        String msg = "Authentication exception, principal=" + principal;
        log.error(msg);
        SecurityException e = new SecurityException(msg);
        throw e;
    }


Seems like no matter what happens in the LoginModule the exception thrown will 
be SecurityException :(.

Is this a design decision or just something on the TODO?

The JBoss version I'm using is 3.2.6

View the original post : 
http://www.jboss.org/index.html?module=bb&op=viewtopic&p=3857303#3857303

Reply to the post : 
http://www.jboss.org/index.html?module=bb&op=posting&mode=reply&p=3857303




[JBoss-user] [Security & JAAS/JBoss] - CredentialsExpired and AccountExpired exception

2004-12-03 Thread sberna
I'm trying to integrate a new authorization system through spring loginmodules 
by extending AbstractServerLoginModule.

Everything works perfectly up to the point where I try to test 
CredentialExpired exceptions and AccountExpiredException. Then, no matter the 
security exception thrown, the client always gets the same plain 
SecurityException with no other information.

Is there any way to get the exact cause of the SecurityException?

I'm using LocalClientLoginModule to access a remote EJB whose methods are 
protected.

View the original post : 
http://www.jboss.org/index.html?module=bb&op=viewtopic&p=3857300#3857300

Reply to the post : 
http://www.jboss.org/index.html?module=bb&op=posting&mode=reply&p=3857300

