[JBoss-user] [Security JAAS/JBoss] - Re: Security for remote but not for local EJB?

2005-03-22 Thread SeverityOne
Well, I've just reverted to the old way of working, where web applications have 
to login as well. Almost a week of searching on the web and in forums has only 
yielded scattered information that didn't prove to work.

Thanks to everyone who may have given this issue some thought. But the lack 
of proper documentation is becoming a liability for us.

- Peter

View the original post : 
http://www.jboss.org/index.html?module=bbop=viewtopicp=3871154#3871154

Reply to the post : 
http://www.jboss.org/index.html?module=bbop=postingmode=replyp=3871154


---
SF email is sponsored by - The IT Product Guide
Read honest  candid reviews on hundreds of IT Products from real users.
Discover which products truly live up to the hype. Start reading now.
http://ads.osdn.com/?ad_id=6595alloc_id=14396op=click
___
JBoss-user mailing list
JBoss-user@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/jboss-user


[JBoss-user] [Security JAAS/JBoss] - Re: Security for remote but not for local EJB?

2005-03-21 Thread SeverityOne
After searching some more, I stumbled upon the reference to 
'unauthenticatedPrincipal'. I installed a new version of XDoclet and had this 
line added to jboss.xml.
    <?xml version="1.0" encoding="UTF-8"?>
    <!DOCTYPE jboss PUBLIC "-//JBoss//DTD JBOSS 3.0//EN" "http://www.jboss.org/j2ee/dtd/jboss_3_0.dtd">

    <jboss>

       <security-domain>java:/jaas/appnetauth</security-domain>
       <unauthenticated-principal>nobody</unauthenticated-principal>

       <enterprise-beans>

         <!--
           To add beans that you have deployment descriptor info for, add
           a file to your XDoclet merge directory called jboss-beans.xml that contains
           the <session></session>, <entity></entity> and <message-driven></message-driven>
           markup for those beans.
         -->

          <session>
             <ejb-name>ejb/directory/Directory</ejb-name>
             <jndi-name>ejb/directory/DirectoryBean</jndi-name>
             <local-jndi-name>ejb/directory/DirectoryLocalBean</local-jndi-name>

          </session>

       </enterprise-beans>

       <resource-managers>
       </resource-managers>

      <!--
        | for container settings, you can merge in jboss-container.xml
        | this can contain <invoker-proxy-bindings/> and <container-configurations/>
      -->

    </jboss>
However, I still get an error that the client is not authenticated and that the 
principal is null:
    11:10:42,298 ERROR [Engine] - Root Cause -
    javax.servlet.ServletException: class vodafonemalta.directory.web.QueryBean : javax.ejb.EJBException: checkSecurityAssociation; CausedByException is:
        Authentication exception, principal=null
        at org.apache.jasper.runtime.PageContextImpl.handlePageException(PageContextImpl.java:536)
        at org.apache.jsp.index_jsp._jspService(index_jsp.java:180)
        ...
I'll continue looking, but I'd appreciate any help. The issue is quite pressing 
because of my holiday that starts less than two days from now...

Thanks again,

- Peter

View the original post : 
http://www.jboss.org/index.html?module=bbop=viewtopicp=3870931#3870931

Reply to the post : 
http://www.jboss.org/index.html?module=bbop=postingmode=replyp=3870931




[JBoss-user] [Security JAAS/JBoss] - Re: Security for remote but not for local EJB?

2005-03-21 Thread [EMAIL PROTECTED]
Read the unauthenticatedIdentity option on the jboss login modules. This 
combined with unchecked method permissions on the local interfaces will allow 
for unrestricted local access and secured remote access.

View the original post : 
http://www.jboss.org/index.html?module=bbop=viewtopicp=3870976#3870976

Reply to the post : 
http://www.jboss.org/index.html?module=bbop=postingmode=replyp=3870976




[JBoss-user] [Security JAAS/JBoss] - Re: Security for remote but not for local EJB?

2005-03-21 Thread SeverityOne
Hi Scott,

Thanks for your reply. However, I'm missing some essential bit of information 
to understand the problem. I've read about unauthenticatedIdentity and 
unauthenticatedPrincipal, but tweaking with these has not led to solving the 
issue: I keep getting the checkSecurityAssociation ... principal=null exception.
Here's the relevant part of my login.conf:
    <application-policy name="appnetauth" flag="required"
          unauthenticatedIdentity="nobody">
        <authentication>
            <login-module code="mt.com.vodafone.appnet.jaas.JBossAppnetLoginModule" flag="required">
                <module-option name="appNetURL">https://192.168.4.133/appnet/RequestProcessor</module-option>
                <module-option name="appNetReference">DIRECTORY</module-option>
                <module-option name="isApplicationClient">true</module-option>
            </login-module>
        </authentication>
    </application-policy>

    <!-- The default login configuration used by any security domain that
    does not have a application-policy entry with a matching name
    -->
    <application-policy name = "other">
       <!-- A simple server login module, which can be used when the number
       of users is relatively small. It uses two properties files:
       users.properties, which holds users (key) and their password (value).
       roles.properties, which holds users (key) and a comma-separated list of
       their roles (value).
       The unauthenticatedIdentity property defines the name of the principal
       that will be used when a null username and password are presented as is
       the case for an unauthenticated web client or MDB. If you want to
       allow such users to be authenticated add the property, e.g.,
       unauthenticatedIdentity="nobody"
       -->
       <authentication>
          <login-module code = "org.jboss.security.auth.spi.UsersRolesLoginModule"
             flag = "required"
             unauthenticatedIdentity="nobody" />
       </authentication>
    </application-policy>
I feel a bit silly putting that 'unauthenticatedIdentity' option in my own 
login module configuration, but as I said, I'm at a loss.
This is the relevant part of the ejb-jar.xml file:
    <method-permission >
       <description><![CDATA[description not supported yet by ejbdoclet]]></description>
       <unchecked/>
       <method >
          <description><![CDATA[Invoked when a client makes a connection to the EJB container and this bean gets created.]]></description>
          <ejb-name>ejb/directory/Directory</ejb-name>
          <method-intf>LocalHome</method-intf>
          <method-name>create</method-name>
          <method-params>
          </method-params>
       </method>
    </method-permission>
    <method-permission >
       <description><![CDATA[description not supported yet by ejbdoclet]]></description>
       <unchecked/>
       <method >
          <description><![CDATA[Invoked when a client makes a connection to the EJB container and this bean gets created.]]></description>
          <ejb-name>ejb/directory/Directory</ejb-name>
          <method-intf>Home</method-intf>
          <method-name>create</method-name>
          <method-params>
          </method-params>
       </method>
    </method-permission>
So the create() methods of both the local and remote interfaces are unchecked 
(a result of using XDoclet). The JBoss version is 3.2.1, which is running fine 
(following the credo "if it ain't broke, don't fix it").

Thanks again,

- Peter

View the original post : 
http://www.jboss.org/index.html?module=bbop=viewtopicp=3871003#3871003

Reply to the post : 
http://www.jboss.org/index.html?module=bbop=postingmode=replyp=3871003
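
Added example, not part of the original thread: a small check for the method-permission half of the advice in this thread. It lists which <unchecked/> entries in an ejb-jar.xml apply to remote interfaces and which to local ones. The sample descriptor is constructed from the fragment quoted in the message above; the Remote entry, the role name directory-user and the function name audit_unchecked are assumptions.

```python
import xml.etree.ElementTree as ET

# Constructed sample modelled on the thread's ejb-jar.xml (EJB 2.0 DTD style, no
# XML namespace). The Remote entry and role "directory-user" are assumptions.
SAMPLE_EJB_JAR = """\
<ejb-jar><assembly-descriptor>
  <method-permission>
    <unchecked/>
    <method>
      <ejb-name>ejb/directory/Directory</ejb-name>
      <method-intf>LocalHome</method-intf>
      <method-name>create</method-name>
    </method>
  </method-permission>
  <method-permission>
    <unchecked/>
    <method>
      <ejb-name>ejb/directory/Directory</ejb-name>
      <method-intf>Home</method-intf>
      <method-name>create</method-name>
    </method>
  </method-permission>
  <method-permission>
    <role-name>directory-user</role-name>
    <method>
      <ejb-name>ejb/directory/Directory</ejb-name>
      <method-intf>Remote</method-intf>
      <method-name>*</method-name>
    </method>
  </method-permission>
</assembly-descriptor></ejb-jar>
"""

REMOTE_INTFS = {"Home", "Remote", "*"}  # "*" = no method-intf: all interfaces

def audit_unchecked(xml_text):
    """Return (remote_open, local_open): unchecked methods by interface kind."""
    remote_open, local_open = [], []
    # Only <method> entries whose <method-permission> carries <unchecked/>.
    root = ET.fromstring(xml_text)
    for m in root.findall(".//method-permission[unchecked]/method"):
        intf = (m.findtext("method-intf") or "*").strip()
        entry = (m.findtext("ejb-name").strip(), intf,
                 m.findtext("method-name").strip())
        (remote_open if intf in REMOTE_INTFS else local_open).append(entry)
    return remote_open, local_open

if __name__ == "__main__":
    print(audit_unchecked(SAMPLE_EJB_JAR))
```

On the sample, the Home create() entry is reported as callable remotely without a role check, while the LocalHome entry is the intended unrestricted local access.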




[JBoss-user] [Security JAAS/JBoss] - Re: Security for remote but not for local EJB?

2005-03-21 Thread SeverityOne
OK, that piece of XML is totally incorrect, but this
    <application-policy name="appnetauth">
       <authentication>
          <login-module code="mt.com.vodafone.appnet.jaas.JBossAppnetLoginModule"
             flag="required">
             <module-option name="appNetURL">https://192.168.4.133/appnet/RequestProcessor</module-option>
             <module-option name="appNetReference">DIRECTORY</module-option>
             <module-option name="isApplicationClient">true</module-option>
             <module-option name="unauthenticatedIdentity">nobody</module-option>
          </login-module>
       </authentication>
    </application-policy>

    <!-- The default login configuration used by any security domain that
    does not have a application-policy entry with a matching name
    -->
    <application-policy name = "other">
       <!-- A simple server login module, which can be used when the number
       of users is relatively small. It uses two properties files:
       users.properties, which holds users (key) and their password (value).
       roles.properties, which holds users (key) and a comma-separated list of
       their roles (value).
       The unauthenticatedIdentity property defines the name of the principal
       that will be used when a null username and password are presented as is
       the case for an unauthenticated web client or MDB. If you want to
       allow such users to be authenticated add the property, e.g.,
       unauthenticatedIdentity="nobody"
       -->
       <authentication>
          <login-module code = "org.jboss.security.auth.spi.UsersRolesLoginModule"
             flag = "required">
             <module-option name="unauthenticatedIdentity">nobody</module-option>
          </login-module>
       </authentication>
    </application-policy>
doesn't work either. Could you please guide me into the right direction? It 
must be something obvious that I'm missing, but I'm failing to see it.

Thanks,

- Peter

View the original post : 
http://www.jboss.org/index.html?module=bbop=viewtopicp=3871010#3871010

Reply to the post : 
http://www.jboss.org/index.html?module=bbop=postingmode=replyp=3871010

