Re: [JBoss-user] Please help :-( tomcat Servlet = Jboss EJB = JAAS Authentiaction
If by client side you mean a client running in a VM external to the JBoss server VM, then this is the expected default behavior. Multi-threaded clients need to enable the thread local storage mode of the SecurityAssociation class by either calling SecurityAssociation.setServer() or equivalently adding a multi-threaded=true option to the JAAS ClientLoginModule config:

    other {
        org.jboss.security.ClientLoginModule required multi-threaded=true ;
    };

----- Original Message -----
From: Lewis Henderson [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Sunday, May 20, 2001 1:31 PM
Subject: RE: [JBoss-user] Please help :-( tomcat Servlet = Jboss EJB = JAAS Authentiaction

...I tried the three new jars...I get the same problem...However, the problem is 'client' side.

Using two machines, both with JBoss Embedded Tomcat, I connect my browser to machine 1 for Tomcat JSP's talking to machine 2's EJB's...

My proxy on the client-side loses the SecurityAssociation as its threads change...

...am I making sense and is there anything else I can try?

Lewis
Re: [JBoss-user] Please help :-( tomcat Servlet = Jboss EJB = JAAS Authentiaction
...I was trying to run an embedded tomcat client talking to jboss in the same VM!

There is another issue to this in that you cannot have override java.security.auth.login.config for the client as the server also uses it!

If I use stand-alone tomcat everything seems to work...I'm still holding my breath on this one!!

It seems from the above that there needs to be two SecurityAssociations, one for the server and another for clients when using tomcat embedded...

Lewis
Re: [JBoss-user] Please help :-( tomcat Servlet = Jboss EJB = JAAS Authentiaction
So add a client configuration entry to the server auth.conf and use it for your client LoginContext creation. The current contrib/tomcat module code has two example tomcat request interceptors that integrate into the JBoss security layer.

----- Original Message -----
From: Lewis Henderson [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Monday, May 21, 2001 1:29 PM
Subject: Re: [JBoss-user] Please help :-( tomcat Servlet = Jboss EJB = JAAS Authentiaction

...I was trying to run an embedded tomcat client talking to jboss in the same VM!

There is another issue to this in that you cannot have override java.security.auth.login.config for the client as the server also uses it!

If I use stand-alone tomcat everything seems to work...I'm still holding my breath on this one!!

It seems from the above that there needs to be two SecurityAssociations, one for the server and another for clients when using tomcat embedded...

Lewis
RE: [JBoss-user] Please help :-( tomcat Servlet = Jboss EJB = JAAS Authentiaction
Thx!

When will 2.3 be available?

Can I use the new jboss-jaas.jar and jbosssx.jar with 2.2.1?

Lewis

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On Behalf Of Scott M Stark
Sent: 20 May 2001 04:59
To: [EMAIL PROTECTED]
Subject: Re: [JBoss-user] Please help :-( tomcat Servlet = Jboss EJB = JAAS Authentiaction

Currently (JBoss-2.2.1) the security information that is obtained from the server request is stored in a ThreadLocal and so is only available to the request thread. You need to propagate the security information to any child threads. As of JBoss-2.3, security information is stored in an InheritableThreadLocal and so is propagated automatically to any child threads.

Lewis Henderson wrote:

...this is the important bit of the trace...

...the remote interface is stored and retrieved correctly on the session, however the SecurityAssociation was stored in a ThreadLocal on Thread-12 earlier and now we are using Thread-10...

marc suggests that we need some kind of InheritableThreadLocal implementation to get round this...

I am using embedded tomcat if that helps anyone...?
RE: [JBoss-user] Please help :-( tomcat Servlet = Jboss EJB = JAAS Authentiaction
...I tried the three new jars...I get the same problem...However, the problem is 'client' side.

Using two machines, both with JBoss Embedded Tomcat, I connect my browser to machine 1 for Tomcat JSP's talking to machine 2's EJB's...

My proxy on the client-side loses the SecurityAssociation as its threads change...

...am I making sense and is there anything else I can try?

Lewis

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On Behalf Of Lewis Henderson
Sent: 20 May 2001 14:53
To: [EMAIL PROTECTED]
Subject: RE: [JBoss-user] Please help :-( tomcat Servlet = Jboss EJB = JAAS Authentiaction

Thx!

When will 2.3 be available?

Can I use the new jboss-jaas.jar and jbosssx.jar with 2.2.1?

Lewis
RE: [JBoss-user] Please help :-( tomcat Servlet = Jboss EJB = JAAS Authentiaction
...I've found the cause of my original problem...now I need an answer...

My client is multi-threaded...I login successfully on the first thread...then when another thread tries to use the remote interface (stored in the session) I get the security exception!

Is this just a config issue or something deeper?

Lewis

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On Behalf Of awc
Sent: 18 May 2001 22:01
To: [EMAIL PROTECTED]
Subject: Re: [JBoss-user] Please help :-( tomcat Servlet = Jboss EJB = JAAS Authentiaction

OK, so this pipes into whatever you have set up.
Tks for the clarification.

anil.

Dain Sundstrom wrote:

Anil,

No, the code I posted simply hands login off to JAAS. You can use the JaasServerLoginModule, the DatabaseServerLoginModule, or any other login module (I wrote my own). By default JBoss 'other' context uses the JaasServerLoginModule which uses a users.properties and roles.properties files.

-dain
RE: [JBoss-user] Please help :-( tomcat Servlet = Jboss EJB = JAAS Authentiaction
If the threads are spawned by the same thread, we need to implement InheritableThreadLocal behavior and then the associations are kept in the child threads.

marc

|-----Original Message-----
|From: [EMAIL PROTECTED]
|[mailto:[EMAIL PROTECTED]]On Behalf Of Lewis
|Henderson
|Sent: Saturday, May 19, 2001 7:24 AM
|To: [EMAIL PROTECTED]
|Subject: RE: [JBoss-user] Please help :-( tomcat Servlet = Jboss EJB =
|JAAS Authentiaction
|
|...I've found the cause of my original problem...now I need an answer...
|
|My client is multi-threaded...I login successfully on the first
|thread...then when another thread tries to use the remote interface (stored
|in the session) I get the security exception!
|
|Is this just a config issue or something deeper?
|
|Lewis
RE: [JBoss-user] Please help :-( tomcat Servlet = Jboss EJB = JAAS Authentiaction
...I am using 'struts' with an initial logon action that connects to a StatefulSessionBean and stores its reference in the session for use by actions later on in the process...The initial connection and all method calls in the logon action work ok as this is thread1 however when the reference is retrieved from the session by another action it (may) executes in thread2...This is where all the wheels drop off!

Lewis

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On Behalf Of marc fleury
Sent: 19 May 2001 14:46
To: [EMAIL PROTECTED]
Subject: RE: [JBoss-user] Please help :-( tomcat Servlet = Jboss EJB = JAAS Authentiaction

If the threads are spawned by the same thread, we need to implement InheritableThreadLocal behavior and then the associations are kept in the child threads.

marc
RE: [JBoss-user] Please help :-( tomcat Servlet = Jboss EJB = JAAS Authentiaction
...this is definitely NOT my area of expertise...how do we get this done?

Are there any examples of similar stuff, or is it 'open heart surgery'?

Lewis

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On Behalf Of marc fleury
Sent: 19 May 2001 15:24
To: [EMAIL PROTECTED]
Subject: RE: [JBoss-user] Please help :-( tomcat Servlet = Jboss EJB = JAAS Authentiaction

|...I am using 'struts' with an initial logon action that connects to a
|StatefulSessionBean and stores its reference in the session for use by
|actions later on in the process...The initial connection and all method
|calls in the logon action work ok as this is thread1 however when the
|reference is retrieved from the session by another action it (may) executes
|in thread2...This is where all the wheels drop off!

Yes I repeat that the associations are done at the thread level and if you use another thread you don't have the associations hence your application is not authenticated. The only way around is a ITL construct in the security and transaction storages.

Actions in struts are executed by independent threads??? The flow is not thread family dependent?

marc
RE: [JBoss-user] Please help :-( tomcat Servlet = Jboss EJB = JAAS Authentiaction
I don't think this is an EJB problem. Can you store any value (say a String) in the session and retrieve it later? If you cannot, you are losing the cookie or session id on the web client.

This is a common way a web server works. There is a thread pool that handles the incoming requests. The code I posted sets the user credentials for each request so your credentials extend to each thread. I'm still tired so I hope that made sense.

Can you post the exception you are getting on the second request? Also, is the system reporting that your user is authenticated before each request is processed?

-dain

-----Original Message-----
From: Lewis Henderson [mailto:[EMAIL PROTECTED]]
Sent: Saturday, May 19, 2001 9:07 AM
To: [EMAIL PROTECTED]
Subject: RE: [JBoss-user] Please help :-( tomcat Servlet = Jboss EJB = JAAS Authentiaction

...I am using 'struts' with an initial logon action that connects to a StatefulSessionBean and stores its reference in the session for use by actions later on in the process...The initial connection and all method calls in the logon action work ok as this is thread1 however when the reference is retrieved from the session by another action it (may) executes in thread2...This is where all the wheels drop off!

Lewis
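The thread-binding behaviour discussed in this thread, as an added example that is not part of the original posts and is not JBoss code: a plain-JDK model of an identity bound to one pooled thread, what InheritableThreadLocal does and does not change, and per-request binding with cleanup. PLAIN, INHERITABLE, invokeBean, perRequest and the thread names are hypothetical stand-ins for the per-thread security association.

```java
import java.util.concurrent.Callable;
import java.util.concurrent.ExecutorService;
import java.util.concurrent.Executors;

public class ThreadBoundIdentityDemo {

    // Hypothetical stand-ins for a per-thread principal store (not JBoss classes).
    static final ThreadLocal<String> PLAIN = new ThreadLocal<>();
    static final ThreadLocal<String> INHERITABLE = new InheritableThreadLocal<>();

    // Analogue of the container-side check: no identity bound to this thread, no call.
    static String invokeBean(ThreadLocal<String> store) {
        String principal = store.get();
        String where = " on " + Thread.currentThread().getName();
        return principal == null
                ? "DENIED principal=null" + where
                : "OK principal=" + principal + where;
    }

    // Run the call on the given single-thread pool and wait for the result.
    static String callOn(ExecutorService pool, ThreadLocal<String> store) throws Exception {
        Callable<String> call = () -> invokeBean(store);
        return pool.submit(call).get();
    }

    // Per-request binding: take the identity from the session, bind it to whichever
    // thread serves the request, and always clear it before the thread is reused.
    static String perRequest(ExecutorService pool, String sessionUser) throws Exception {
        Callable<String> call = () -> {
            PLAIN.set(sessionUser);
            try {
                return invokeBean(PLAIN);
            } finally {
                PLAIN.remove();
            }
        };
        return pool.submit(call).get();
    }

    public static void main(String[] args) throws Exception {
        ExecutorService poolA = Executors.newSingleThreadExecutor(r -> new Thread(r, "pool-A"));
        ExecutorService poolB = Executors.newSingleThreadExecutor(r -> new Thread(r, "pool-B"));
        try {
            // Both worker threads exist before anyone logs in, as in a servlet container.
            poolA.submit(() -> { }).get();
            poolB.submit(() -> { }).get();

            // Request 1 (login) runs on pool-A and binds the identity to that thread only.
            poolA.submit(() -> { PLAIN.set("Paul"); INHERITABLE.set("Paul"); }).get();

            System.out.println("same thread, plain:         " + callOn(poolA, PLAIN));
            System.out.println("other thread, plain:        " + callOn(poolB, PLAIN));
            // Inheritance copies values only when a thread is created, so a pooled
            // thread that already existed gains nothing from it.
            System.out.println("other thread, inheritable:  " + callOn(poolB, INHERITABLE));

            // A thread spawned by pool-A after the login is the case inheritance covers.
            Callable<String> spawnChild = () -> {
                String[] out = new String[1];
                Thread child = new Thread(() -> out[0] = invokeBean(INHERITABLE), "child-of-A");
                child.start();
                child.join();
                return out[0];
            };
            System.out.println("child thread, inheritable:  " + poolA.submit(spawnChild).get());

            // Per-request binding works on any thread and leaves nothing behind on it.
            System.out.println("per-request on other:       " + perRequest(poolB, "Paul"));
            System.out.println("other thread afterwards:    " + callOn(poolB, PLAIN));

            // pool-A was never cleared, so whatever it serves next still runs as Paul.
            System.out.println("login thread afterwards:    " + callOn(poolA, PLAIN));
        } finally {
            poolA.shutdown();
            poolB.shutdown();
        }
    }
}
```

The last line is the reason a per-request interceptor should clear the binding in a finally block: a pooled thread that keeps a stale identity serves the next caller under it.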
RE: [JBoss-user] Please help :-( tomcat Servlet = Jboss EJB = JAAS Authentiaction
...this is the important bit of the trace...

...the remote interface is stored and retrieved correctly on the session, however the SecurityAssociation was stored in a ThreadLocal on Thread-12 earlier and now we are using Thread-10...

marc suggests that we need some kind of InheritableThreadLocal implementation to get round this...

I am using embedded tomcat if that helps anyone...?

[WorkflowAccess] org.jboss.ejb.plugins.jrmp13.interfaces.StatefulSessionProxy== invoke(Call)
[WorkflowAccess] org.jboss.ejb.plugins.jrmp13.interfaces.StatefulSessionProxy== invoke(Ok so far)
[WorkflowAccess] org.jboss.ejb.plugins.jrmp13.interfaces.StatefulSessionProxy== invoke() Principal [Paul]
[Thread-12] DEBUG client.JBossUserContext - getUserCompoundName() returned [Paul]
15513 [Thread-12] DEBUG com.cf.rt.client.JBossUserContext - getUserCompoundName() returned [Paul]
[Thread-12] DEBUG context.UserContextBean - getUserCompoundName() returned [Paul]
15513 [Thread-12] DEBUG com.cf.rt.context.UserContextBean - getUserCompoundName() returned [Paul]
[Thread-10] DEBUG struts.WorkflowUser - getSelectExpression()
18507 [Thread-10] DEBUG com.cf.rt.struts.WorkflowUser - getSelectExpression()
[Thread-10] DEBUG struts.WorkflowUser - getWorkItems()
18507 [Thread-10] DEBUG com.cf.rt.struts.WorkflowUser - getWorkItems()
[Thread-10] DEBUG client.WfoWorkflowHelper - getWorkItems(.)
18517 [Thread-10] DEBUG com.cf.rt.client.WfoWorkflowHelper - getWorkItems(.)
[EmbeddedTomcat] org.jboss.ejb.plugins.jrmp13.interfaces.StatefulSessionProxy== invoke(Call)
[EmbeddedTomcat] org.jboss.ejb.plugins.jrmp13.interfaces.StatefulSessionProxy== invoke(Ok so far)
[EmbeddedTomcat] org.jboss.ejb.plugins.jrmp13.interfaces.StatefulSessionProxy== invoke() Principal [null]
[WorkflowClient] Authentication exception, principal=null
[WorkflowClient] TRANSACTION ROLLBACK EXCEPTION:checkSecurityAssociation; nested exception is: java.lang.SecurityException: Authentication exception; nested exception is: java.rmi.RemoteException: checkSecurityAssociation; nested exception is: java.lang.SecurityException: Authentication exception
[WorkflowClient] java.rmi.RemoteException: checkSecurityAssociation; nested exception is:
[WorkflowClient]    java.lang.SecurityException: Authentication exception
[WorkflowClient] java.lang.SecurityException: Authentication exception
[WorkflowClient]    at org.jboss.ejb.plugins.SecurityInterceptor.checkSecurityAssociation(SecurityInterceptor.java:212)
[WorkflowClient]    at org.jboss.ejb.plugins.SecurityInterceptor.invoke(SecurityInterceptor.java:169)
[WorkflowClient]    at org.jboss.ejb.plugins.StatefulSessionInstanceInterceptor.invoke(StatefulSessionInstanceInterceptor.java:209)
[WorkflowClient]    at org.jboss.ejb.plugins.TxInterceptorCMT.invokeNext(TxInterceptorCMT.java:133)
[WorkflowClient]    at org.jboss.ejb.plugins.TxInterceptorCMT.runWithTransactions(TxInterceptorCMT.java:263)
[WorkflowClient]    at org.jboss.ejb.plugins.TxInterceptorCMT.invoke(TxInterceptorCMT.java:99)
[WorkflowClient]    at org.jboss.ejb.plugins.LogInterceptor.invoke(LogInterceptor.java:195)
[WorkflowClient]    at org.jboss.ejb.StatefulSessionContainer.invoke(StatefulSessionContainer.java:326)
[WorkflowClient]    at org.jboss.ejb.plugins.jrmp.server.JRMPContainerInvoker.invoke(JRMPContainerInvoker.java:482)
[WorkflowClient]    at org.jboss.ejb.plugins.jrmp.interfaces.StatefulSessionProxy.invoke(StatefulSessionProxy.java:160)
[WorkflowClient]    at $Proxy17.getWorkItems(Unknown Source)
[WorkflowClient]    at com.cf.rt.client.WfoWorkflowHelper.getWorkItems(WfoWorkflowHelper.java:576)

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On Behalf Of Dain Sundstrom
Sent: 19 May 2001 16:20
To: '[EMAIL PROTECTED]'
Subject: RE: [JBoss-user] Please help :-( tomcat Servlet = Jboss EJB = JAAS Authentiaction

I don't think this is an EJB problem. Can you store any value (say a String) in the session and retrieve it later? If you cannot, you are losing the cookie or session id on the web client.

This is a common way a web server works. There is a thread pool that handles the incoming requests. The code I posted sets the user credentials for each request so your credentials extend to each thread. I'm still tired so I hope that made sense.

Can you post the exception you are getting on the second request? Also, is the system reporting that your user is authenticated before each request is processed?

-dain
[JBoss-user] Please help :-( tomcat Servlet = Jboss EJB = JAAS Authentiaction
-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On Behalf Of Lewis Henderson
Sent: 15 May 2001 17:19
To: JBoss User (E-mail)
Subject: [JBoss-user] Example Servlet Connecting to EJB using JAAS

Does anyone have an example of servlet connecting to an EJB in JBoss using JAAS?

I have a 'struts' war file with an Action that creates a 'WorkflowClient' bean...Using a regular 'Swing' application everything works, but I get the exception below when accessed from the Action...As you can see the user has been authorised...Any help/pointers will be much appreciated...

Lewis

[JAASSecurity] User 'Paul' authenticated.
[EmbeddedTomcat] Principal = Paul [org.jboss.security.SimplePrincipal]
[EmbeddedTomcat] Group = Roles [org.jboss.security.NestableGroup]
[EmbeddedTomcat]    Principal = Echo [org.jboss.security.SimplePrincipal]
[EmbeddedTomcat]    Principal = Users [org.jboss.security.SimplePrincipal]
[EmbeddedTomcat]    Principal = PaulPrincipal [org.jboss.security.SimplePrincipal]
[EmbeddedTomcat] Group = CallerPrincipal [org.jboss.security.NestableGroup]
[Thread-13] DEBUG client.WfoWorkflowHelper - getResource(/RMI/JNDIWorkflowClient,{java.naming.provider.url=localhost:1099, java.naming.factory.initial=org.jnp.interfaces.NamingContextFactory, java.naming.factory.url.pkgs=org.jboss.naming, java.naming.security.principal=Paul, java.naming.security.credentials=paul})
[Thread-13] DEBUG client.WorkflowClientBean - setSessionContext(.)
[WorkflowClient] Authentication exception, principal=null
[WorkflowClient] TRANSACTION ROLLBACK EXCEPTION:checkSecurityAssociation; nested exception is: java.lang.SecurityException: Authentication exception; nested exception is: java.rmi.RemoteException: checkSecurityAssociation; nested exception is: java.lang.SecurityException: Authentication exception
[WorkflowClient] java.rmi.RemoteException: checkSecurityAssociation; nested exception is:
[WorkflowClient]    java.lang.SecurityException: Authentication exception
[WorkflowClient] java.lang.SecurityException: Authentication exception
[WorkflowClient]    at org.jboss.ejb.plugins.SecurityInterceptor.checkSecurityAssociation(SecurityInterceptor.java:212)
[WorkflowClient]    at org.jboss.ejb.plugins.SecurityInterceptor.invokeHome(SecurityInterceptor.java:144)
[WorkflowClient]    at org.jboss.ejb.plugins.StatefulSessionInstanceInterceptor.invokeHome(StatefulSessionInstanceInterceptor.java:99)
[WorkflowClient]    at org.jboss.ejb.plugins.TxInterceptorCMT.invokeNext(TxInterceptorCMT.java:135)
[WorkflowClient]    at org.jboss.ejb.plugins.TxInterceptorCMT.runWithTransactions(TxInterceptorCMT.java:263)
[WorkflowClient]    at org.jboss.ejb.plugins.TxInterceptorCMT.invokeHome(TxInterceptorCMT.java:86)
[WorkflowClient]    at org.jboss.ejb.plugins.LogInterceptor.invokeHome(LogInterceptor.java:106)
[WorkflowClient]    at org.jboss.ejb.StatefulSessionContainer.invokeHome(StatefulSessionContainer.java:311)
[WorkflowClient]    at org.jboss.ejb.plugins.jrmp.server.JRMPContainerInvoker.invokeHome(JRMPContainerInvoker.java:436)
[WorkflowClient]    at org.jboss.ejb.plugins.jrmp.interfaces.HomeProxy.invoke(HomeProxy.java:212)
[WorkflowClient]    at $Proxy25.create(Unknown Source)
[WorkflowClient]    at com.cf.rt.client.WfoWorkflowHelper.connect(WfoWorkflowHelper.java:49)
[WorkflowClient]    at com.cf.rt.struts.WorkflowUser.connect(WorkflowUser.java:54)
[WorkflowClient]    at com.cf.rt.struts.WorkflowLogonAction.perform(WorkflowLogonAction.java:53)
[WorkflowClient]    at org.apache.struts.action.ActionServlet.processActionPerform(ActionServlet.java:1726)
[WorkflowClient]    at org.apache.struts.action.ActionServlet.process(ActionServlet.java:1536)
[WorkflowClient]    at org.apache.struts.action.ActionServlet.doPost(ActionServlet.java:509)
[WorkflowClient]    at javax.servlet.http.HttpServlet.service(HttpServlet.java:760)
[WorkflowClient]    at javax.servlet.http.HttpServlet.service(HttpServlet.java:853)
[WorkflowClient]    at org.apache.tomcat.core.ServletWrapper.doService(ServletWrapper.java:404)
[WorkflowClient]    at org.apache.tomcat.core.Handler.service(Handler.java:286)
[WorkflowClient]    at org.apache.tomcat.core.ServletWrapper.service(ServletWrapper.java:372)
[WorkflowClient]    at org.apache.tomcat.core.ContextManager.internalService(ContextManager.java:797)
[WorkflowClient]    at org.apache.tomcat.core.ContextManager.service(ContextManager.java:743)
[WorkflowClient]    at org.apache.tomcat.service.http.HttpConnectionHandler.processConnection(HttpConnectionHandler.java:210)
[WorkflowClient]    at org.apache.tomcat.service.TcpWorkerThread.runIt(PoolTcpEndpoint.java:416)
[WorkflowClient]    at org.apache.tomcat.util.ThreadPool$ControlRunnable.run(ThreadPool.java:498)
[WorkflowClient]    at java.lang.Thread.run(Thread.java:484)
RE: [JBoss-user] Please help :-( tomcat Servlet = Jboss EJB = JAAS Authentiaction
Last month I sent the following message, which details how I integrated the Tomcat and JBoss security systems. Scott Stark has written a new JBoss realm that works similar to mine. His new JBoss realm is available in CVS (I'm not sure where) and I think will be in the next release of JBoss. I have made some minor changes since I last posted the code.

Dain Sundstrom

Recently, I have seen several posts asking how to integrate Tomcat and JBoss security. The current JBossRealm requires you to add users to both the tomcat and JBoss security systems or configure the tomcat JDBCRealm and JBoss DatabaseServerLoginModule to point to the same database table. This is all a big pain, so I wrote a new Tomcat interceptor which performs authentication and authorization via the JBoss JAAS code. The steps required to set up this interceptor follow.

1. Create the jar
   a. Copy the code (later in message) onto your machine. You can change the package if you like.
   b. Compile (requires servlet.jar webserver.jar jaas.jar jboss-jaas.jar jbosssx.jar)
   c. Jar it
   d. Copy it to jboss/lib/ext

   Here is the ant target I use.

       <target name="realm" depends="compile">
           <delete file="${dist.home}/hypothermic-tomcat.jar" />
           <jar jarfile="${dist.home}/hypothermic-tomcat.jar">
               <fileset dir="${classes.home}" includes="com/hypothermic/security/*.class" />
           </jar>
           <copy file="${dist.home}/hypothermic-tomcat.jar" todir="${jboss.lib}/ext" />
       </target>

2. Secure your EJBs.
   a. ejb-jar.xml
      Mark your EJBs as protected.

       <assembly-descriptor>
           <method-permission>
               <role-name>user</role-name>
               <method>
                   <ejb-name>YourBean</ejb-name>
                   <method-name>*</method-name>
               </method>
           </method-permission>
       </assembly-descriptor>

   b. jboss.xml
      Set the authentication and authorization manager.

       <container-configurations>
           <container-configuration>
               <container-name>Standard CMP EntityBean</container-name>
               <role-mapping-manager>java:/jaas/other</role-mapping-manager>
               <authentication-module>java:/jaas/other</authentication-module>
           </container-configuration>
       </container-configurations>
       <enterprise-beans>
           <entity>
               <ejb-name>YourBean</ejb-name>
               <container-name>Standard CMP EntityBean</container-name>
           </entity>
       </enterprise-beans>

3. Secure your WAR (web.xml)

       <security-constraint>
           <web-resource-collection>
               <web-resource-name>util</web-resource-name>
               <url-pattern>/protected/*</url-pattern>
           </web-resource-collection>
           <auth-constraint>
               <role-name>user</role-name>
           </auth-constraint>
       </security-constraint>
       <login-config>
           <auth-method>FORM</auth-method>
           <form-login-config>
               <form-login-page>/login.jsp</form-login-page>
               <form-error-page>/login.jsp</form-error-page>
           </form-login-config>
       </login-config>

4. Setup Tomcat
   a. add interceptor to server.xml immediately before the LoadOnStartupInterceptor

       <RequestInterceptor className="com.hypothermic.security.HypothermicRealm" />

      You can also configure the interceptor here in the server.xml
      The following line turns off anonymous login.

       <RequestInterceptor className="com.hypothermic.security.HypothermicRealm" allowAnonymousLogin="false" />

   b. Comment out all other security interceptors (SimpleRealm JbossRealm JDBCRealm).

5. Add your users to JBoss

I hope I didn't leave out any steps. If you find any bugs or have any enhancements, please email me.

-Dain Sundstrom

=

    package com.hypothermic.security;

    import org.apache.tomcat.core.Request;
    import org.apache.tomcat.core.Response;
    import org.apache.tomcat.core.Context;
    import org.apache.tomcat.util.SecurityTools;
    import org.apache.tomcat.core.BaseInterceptor;
    import org.jboss.security.SecurityAssociation;
    import org.jboss.security.SimplePrincipal;
    import org.jboss.security.auth.UsernamePasswordHandler;
    import javax.servlet.http.HttpSession;
    import javax.security.auth.Subject;
    import javax.security.auth.callback.CallbackHandler;
    import javax.security.auth.login.LoginContext;
    import javax.security.auth.login.LoginException;
    import java.security.Principal;
    import java.security.acl.Group;
    import java.util.Enumeration;
    import
RE: [JBoss-user] Please help :-( tomcat Servlet = Jboss EJB = JAAS Authentiaction
EXCELLENT 2 Birds with one stone...

My problem was not quite as you answered...however I shall use this code when I secure my WebApp!

My Problem was that when I use loginContext.login() in a connection bean (Used by both Swing apps and a struts Action) to authenticate the user to enable them to access my EJBs, it worked for swing but not for action.

Looking through your code I see SecurityAssociation.setPrincipal() and SecurityAssociation.setCredentials()...I did not call these!!! When I call them, after a successful login it all works!!!

Question 1
Should I need to call these methods...

and Question 2
SecurityAssociation and related classes are in the JBoss jars...This makes my code proprietary! (I want JAAS only!!!), how can I get round it?

Lewis

Thanks again, you've saved my hair!

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On Behalf Of Dain Sundstrom
Sent: 18 May 2001 16:39
To: '[EMAIL PROTECTED]'
Subject: RE: [JBoss-user] Please help :-( tomcat Servlet = Jboss EJB = JAAS Authentiaction
RE: [JBoss-user] Please help :-( tomcat Servlet = Jboss EJB = JAAS Authentiaction
Anil,

No, the code I posted simply hands login off to JAAS. You can use the JaasServerLoginModule, the DatabaseServerLoginModule, or any other login module (I wrote my own). By default JBoss 'other' context uses the JaasServerLoginModule which uses users.properties and roles.properties files.

-dain

-Original Message-
From: awc [mailto:[EMAIL PROTECTED]]
Sent: Friday, May 18, 2001 12:26 PM
To: [EMAIL PROTECTED]
Subject: Re: [JBoss-user] Please help :-( tomcat Servlet = Jboss EJB = JAAS Authentiaction

Dain,

don't you have to add this to auth.conf (if you use PostgreSQL)

    org.jboss.security.plugins.samples.DatabaseServerLoginModule required
        dsJndiName="java:/jdbc/PostgresDB"
        principalsQuery="select password from principals where principalid=?"
        rolesQuery="select role, rolegroup from roles where principalid=?";

or how does jboss know which db and tables to use?

anil
Re: [JBoss-user] Please help :-( tomcat Servlet = Jboss EJB = JAAS Authentiaction
OK, so this pipes into whatever you have set up. Tks for the clarification.

anil.