[JBoss-user] [Security & JAAS/JBoss] - Re: EJB security issue with remote client
I think you have not enabled security for the ejb-app. What does the jboss.xml say?

View the original post : http://www.jboss.com/index.html?module=bb&op=viewtopic&p=3916022#3916022

JBoss-user mailing list JBoss-user@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/jboss-user
[JBoss-user] [Security & JAAS/JBoss] - Re: ejb security
Start with the JAAS Howto post in this forum.

View the original post : http://www.jboss.org/index.html?module=bb&op=viewtopic&p=3863865#3863865
[JBoss-user] [Security & JAAS/JBoss] - Re: EJB Security
Maybe it's possible for you to use a filter instead of a servlet (Servlet 2.3 specs). The filter is always executed before handling the request in a servlet. I thought you can filter your request before it's authenticated by Tomcat/JBoss, but then again I think the authentication is executed before the filter so it wouldn't help, but maybe you can use it. I think it's worth looking at.

View the original post : http://www.jboss.org/index.html?module=bb&op=viewtopic&p=3842118#3842118
[JBoss-user] [Security & JAAS/JBoss] - Re: EJB Security
fixed

View the original post : http://www.jboss.org/index.html?module=bb&op=viewtopic&p=3842096#3842096
[JBoss-user] [Security & JAAS/JBoss] - Re: EJB Security
Is there no way to explicitly set the principal in the ejb tier, i.e. set credentials in the context

    p.put(Context.SECURITY_PRINCIPAL, "admin");
    p.put(Context.SECURITY_CREDENTIALS, "adminpass");

or some other way?

View the original post : http://www.jboss.org/index.html?module=bb&op=viewtopic&p=3841932#3841932
[JBoss-user] [Security & JAAS/JBoss] - Re: EJB Security
Thanks for your reply! Yes, the login.jsp is from my web application. I wouldn't like to authenticate through the web application because I have to specify the LoginModule in the deployment descriptor. This is a problem for my application because it can authenticate users with different databases. Depending upon the database (datasource) id (I will pass this id as a servlet parameter), the servlet should get the id and identify the LoginModule to use.

For example: if the database id is 001, the servlet authenticates users with DS1 (application-policy=framework), and if the id is 002, the servlet uses DS2 (application-policy=framework2), but it decides what application policy to use at runtime. Using the login inside the servlet, I can set the name of the LoginModule. But I have the problem you stated: my login is only for the web container.

Isn't there a way to authenticate ejb independently from the web application? Anyway, I will see the JBossSecurityMngRealm.java. Thanks again!

View the original post : http://www.jboss.org/index.html?module=bb&op=viewtopic&p=3841927#3841927
[JBoss-user] [Security & JAAS/JBoss] - Re: EJB Security
You perform the authentication / authorization within the web application environment and not in the ejb application environment. So your principal is only available inside your webserver (tomcat) and not in the ejb application environment.

If you don't want security in your web application, how do you want to retrieve the username/password? In your example you still use a login.jsp which comes from your web application, I suppose. So why not just use the j_security_check, then your Principal is available in both the web and ejb environment.

Otherwise take a look at the source code of JBossSecurityMngRealm.java, because this is the realm that couples Tomcat to JBoss.

View the original post : http://www.jboss.org/index.html?module=bb&op=viewtopic&p=3841916#3841916
[JBoss-user] [Security & JAAS/JBoss] - Re: EJB security propagation issue when moving from JBoss 3.
Great! This fixes the problem for me. Thank you.

View the original post : http://www.jboss.org/index.html?module=bb&op=viewtopic&p=3827399#3827399
[JBoss-user] [Security & JAAS/JBoss] - Re: EJB security propagation issue when moving from JBoss 3.
    // Standard
    MBeanServer server = (MBeanServer) MBeanServerFactory.findMBeanServer(null).get(0);
    // Or jboss specific (use instead of the line above)
    MBeanServer server = MBeanServerLocator.locateJBoss();

    // Standard MBeanServer usage
    ObjectName name = ...;
    String opName = "...";
    Object[] args = {...};
    String[] sig = {...};
    server.invoke(name, opName, args, sig);

View the original post : http://www.jboss.org/index.html?module=bb&op=viewtopic&p=3827336#3827336
[JBoss-user] [Security & JAAS/JBoss] - Re: EJB security propagation issue when moving from JBoss 3.
I have exactly the same problem. I started upgrading to 3.2.3 this week. The application works well except for Session Beans making JMX calls with RMIAdaptor. The security principal gets cleared.

    Context ic = new InitialContext();
    org.jboss.jmx.adaptor.rmi.RMIAdaptor server = (org.jboss.jmx.adaptor.rmi.RMIAdaptor) ic.lookup("jmx/rmi/RMIAdaptor");
    ObjectName name = new ObjectName(myMBeanName);
    myAnswer = server.invoke(name, "askQuestion", new Object[] {}, new String[] {});

Is there a better way to make JMX calls?

Philippe

View the original post : http://www.jboss.org/index.html?module=bb&op=viewtopic&p=3827304#3827304
[JBoss-user] [Security & JAAS/JBoss] - Re: EJB security propagation issue when moving from JBoss 3.
Hi Scott,

Looking at one of the recent questions about clearing SecurityAssociation when invoking JMX, I've finally identified the problem. I'm using JMX all over the place in our custom logging framework (using an RMIAdaptor call), but I couldn't even think about it as a cause of the problem, as in the case shown before it's been used in ejbCreate() method, very indirectly. When I commented out all Logging Service calls, it eliminated the problem. So the solution for me will be to change the way of JMX invocation.

By the way, what is the preferred way for JBoss to retrieve MBeanServer reference? Is it safe (in terms of compatibility with future versions of JBoss) to use a call like: org.jboss.mx.util.MBeanServerLocator.locateJBoss() ?

Thank you very much for your help.

Stan.

View the original post : http://www.jboss.org/index.html?module=bb&op=viewtopic&p=3827043#3827043
[JBoss-user] [Security & JAAS/JBoss] - Re: EJB security propagation issue when moving from JBoss 3.
Something is clearing the security association between the two ejbs then. Hack the org.jboss.security.SecurityAssociation to print a stack trace of who is calling clear or setPrincipal/setCredential with null values, or use a debugger to find this out.

View the original post : http://www.jboss.org/index.html?module=bb&op=viewtopic&p=3826916#3826916
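The instrumentation suggested in the message above, sketched as an added example that is not part of the original post and is not JBoss source code. `TracingAssociation` is a hypothetical stand-in for a thread-local security association, and `logViaRemoteAdaptor` is a constructed helper that clears the caller's identity as a side effect.

```java
import java.security.Principal;

// Added illustration: a stand-in for a thread-local security association.
// TracingAssociation and logViaRemoteAdaptor are hypothetical names, not JBoss code.
public class TracingAssociation {
    private static final ThreadLocal<Principal> PRINCIPAL = new ThreadLocal<Principal>();
    private static final ThreadLocal<Object> CREDENTIAL = new ThreadLocal<Object>();

    public static Principal getPrincipal() { return PRINCIPAL.get(); }

    public static void setPrincipal(Principal p) {
        if (p == null) trace("setPrincipal(null)");
        PRINCIPAL.set(p);
    }

    public static void setCredential(Object c) {
        if (c == null) trace("setCredential(null)");
        CREDENTIAL.set(c);
    }

    public static void clear() {
        trace("clear()");
        PRINCIPAL.remove();
        CREDENTIAL.remove();
    }

    // A Throwable records the caller's stack when constructed; it is never thrown.
    // Only the principal name is logged, never the credential.
    private static void trace(String op) {
        Principal current = PRINCIPAL.get();
        String who = (current == null) ? "none" : current.getName();
        new Throwable(op + " on thread " + Thread.currentThread().getName()
                + " while principal=" + who).printStackTrace();
    }

    // Constructed culprit: a helper that wipes the caller's identity as a side effect.
    static void logViaRemoteAdaptor(String msg) {
        clear();
    }

    public static void main(String[] args) {
        setPrincipal(new Principal() {
            public String getName() { return "admin"; }
        });
        setCredential("constructed-password");
        logViaRemoteAdaptor("in ejbCreate");
        // The trace printed above names logViaRemoteAdaptor as the caller of clear().
        System.out.println("principal after helper call: " + getPrincipal());
    }
}
```

The printed trace shows `clear()` reached through `logViaRemoteAdaptor`, and the final line reports a null principal, which is the state that makes the next secured call fail.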
[JBoss-user] [Security & JAAS/JBoss] - Re: EJB security propagation issue when moving from JBoss 3.
Hi Scott,

This is the full stack trace:

    2004-03-19 09:15:38,590 ERROR [org.jboss.ejb.plugins.LogInterceptor] EJBException, causedBy:
    java.lang.SecurityException: Authentication exception, principal=null
        at org.jboss.ejb.plugins.SecurityInterceptor.checkSecurityAssociation(SecurityInterceptor.java:164)
        at org.jboss.ejb.plugins.SecurityInterceptor.invokeHome(SecurityInterceptor.java:81)
        at org.jboss.ejb.plugins.LogInterceptor.invokeHome(LogInterceptor.java:120)
        at org.jboss.ejb.plugins.ProxyFactoryFinderInterceptor.invokeHome(ProxyFactoryFinderInterceptor.java:93)
        at org.jboss.ejb.EntityContainer.internalInvokeHome(EntityContainer.java:483)
        at org.jboss.ejb.Container.invoke(Container.java:720)
        at org.jboss.ejb.plugins.local.BaseLocalProxyFactory.invokeHome(BaseLocalProxyFactory.java:293)
        at org.jboss.ejb.plugins.local.LocalHomeProxy.invoke(LocalHomeProxy.java:110)
        at $Proxy728.findByUserId(Unknown Source)
        at com.smth.wipe.alm.object.task.ejb.TaskFacadeSL.getTaskList(TaskFacadeSL.java:204)
        at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
        at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
        at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
        at java.lang.reflect.Method.invoke(Method.java:324)
        at org.jboss.ejb.StatelessSessionContainer$ContainerInterceptor.invoke(StatelessSessionContainer.java:683)
        at org.jboss.resource.connectionmanager.CachedConnectionInterceptor.invoke(CachedConnectionInterceptor.java:185)
        at org.jboss.ejb.plugins.StatelessSessionInstanceInterceptor.invoke(StatelessSessionInstanceInterceptor.java:72)
        at org.jboss.ejb.plugins.AbstractTxInterceptor.invokeNext(AbstractTxInterceptor.java:84)
        at org.jboss.ejb.plugins.TxInterceptorCMT.runWithTransactions(TxInterceptorCMT.java:267)
        at org.jboss.ejb.plugins.TxInterceptorCMT.invoke(TxInterceptorCMT.java:128)
        at org.jboss.ejb.plugins.SecurityInterceptor.invoke(SecurityInterceptor.java:118)
        at org.jboss.ejb.plugins.LogInterceptor.invoke(LogInterceptor.java:191)
        at org.jboss.ejb.plugins.ProxyFactoryFinderInterceptor.invoke(ProxyFactoryFinderInterceptor.java:122)
        at org.jboss.ejb.StatelessSessionContainer.internalInvoke(StatelessSessionContainer.java:331)
        at org.jboss.ejb.Container.invoke(Container.java:700)
        at org.jboss.ejb.plugins.local.BaseLocalProxyFactory.invoke(BaseLocalProxyFactory.java:375)
        at org.jboss.ejb.plugins.local.StatelessSessionProxy.invoke(StatelessSessionProxy.java:83)
        at $Proxy881.getTaskList(Unknown Source)
        at com.smth.wipe.alm.web.actions.TaskAction.performListAction(TaskAction.java:115)
        at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
        at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
        at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
        at java.lang.reflect.Method.invoke(Method.java:324)
        at com.smth.webframework.controller.Action.execute(Action.java:95)
        at com.smth.webframework.controller.ActionCache.executeAction(ActionCache.java:66)
        at com.smth.webframework.controller.RequestProcessor.processAction(RequestProcessor.java:371)
        at com.smth.webframework.controller.RequestProcessor.process(RequestProcessor.java:105)
        at com.smth.webframework.controller.FrontController.process(FrontController.java:159)
        at com.smth.webframework.controller.FrontController.doGet(FrontController.java:129)
        at javax.servlet.http.HttpServlet.service(HttpServlet.java:740)
        at javax.servlet.http.HttpServlet.service(HttpServlet.java:853)
        at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:247)
        at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:193)
        at com.smth.portal.security.web.impl.PortalSessionFilterImpl.doFilter(PortalSessionFilterImpl.java:99)
        at com.smth.portal.security.web.PortalSessionFilter.doFilter(PortalSessionFilter.java:29)
        at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:213)
        at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:193)
        at com.smth.wipe.alm.web.FileUploadFilter.doFilter(FileUploadFilter.java:86)
        at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:213)
        at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:193)
        at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:256)
        at org.apache.catalina.core.StandardPipeline$StandardPipelineValveContext.invokeNext(StandardPipeli
[JBoss-user] [Security & JAAS/JBoss] - Re: EJB security propagation issue when moving from JBoss 3.
The descriptors won't be of any help. You have to post the full stack trace of the security exception to see what invocation layers are involved. If you have an example ear that demonstrates the problem, create a bug report on sourceforge and attach the ear to the report.

View the original post : http://www.jboss.org/index.html?module=bb&op=viewtopic&p=3826744#3826744
[JBoss-user] [Security & JAAS/JBoss] - Re: EJB Security across different servers
That fixes it - thanks Paul.

View the original post : http://www.jboss.org/index.html?module=bb&op=viewtopic&p=3821377#3821377