Re: [JBoss-user] Please help :-( tomcat Servlet = Jboss EJB = JAAS Authentiaction

2001-05-21 Thread Scott M Stark

If by client side you mean a client running in a VM external to the JBoss
server VM, then this is the expected default behavior. Multi-threaded clients
need to enable the thread local storage mode of the SecurityAssociation
class by either calling SecurityAssociation.setServer() or equivalently
adding a multi-threaded=true option to the JAAS ClientLoginModule config:

other {
    org.jboss.security.ClientLoginModule  required multi-threaded=true ;
};

- Original Message - 
From: Lewis Henderson [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Sunday, May 20, 2001 1:31 PM
Subject: RE: [JBoss-user] Please help :-( tomcat Servlet = Jboss EJB = JAAS 
Authentiaction


 ...I tried the three new jars...I get the same problem...However, the
 problem is 'client' side.
 
 Using two machines, both with JBoss  Embedded Tomcat, I connect my browser
 to machine 1 for Tomcat JSP's talking to machine 2's EJB's...
 
 My proxy on the client-side loses the SecurityAssociation as its threads
 change...
 
 ...am I making sense and is there anything else I can try?
 
 
 Lewis
 -Original Message-



___
JBoss-user mailing list
[EMAIL PROTECTED]
http://lists.sourceforge.net/lists/listinfo/jboss-user



Re: [JBoss-user] Please help :-( tomcat Servlet = Jboss EJB = JAAS Authentiaction

2001-05-21 Thread Lewis Henderson

...I was trying to run an embedded tomcat client talking to jboss in the 
same VM! There is another issue to this in that you cannot override
java.security.auth.login.config for the client as the server also uses it!

If I use stand-alone tomcat everything seems to work...I'm still holding my 
breath on this one!!

It seems from the above that there needs to be two SecurityAssociations, one 
for the server and another for clients when using tomcat embedded...


Lewis



Re: [JBoss-user] Please help :-( tomcat Servlet = Jboss EJB = JAAS Authentiaction

2001-05-21 Thread Scott M Stark

So add a client configuration entry to the server auth.conf and use it for your
client LoginContext creation. The current contrib/tomcat module code has
two example tomcat request interceptors that integrate into the JBoss security
layer.

- Original Message - 
From: Lewis Henderson [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Monday, May 21, 2001 1:29 PM
Subject: Re: [JBoss-user] Please help :-( tomcat Servlet = Jboss EJB = JAAS 
Authentiaction


 ...I was trying to run an embedded tomcat client talking to jboss in the 
 same VM! There is another issue to this in that you cannot override
 java.security.auth.login.config for the client as the server also uses it!
 
 If I use stand-alone tomcat everything seems to work...I'm still holding my 
 breath on this one!!
 
 It seems from the above that there needs to be two SecurityAssociations, one 
 for the server and another for clients when using tomcat embedded...
 
 
 Lewis



RE: [JBoss-user] Please help :-( tomcat Servlet = Jboss EJB = JAAS Authentiaction

2001-05-20 Thread Lewis Henderson

Thx!

When will 2.3 be available?

Can I use the new jboss-jaas.jar and jbosssx.jar with 2.2.1?

Lewis

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED]]On Behalf Of Scott M
Stark
Sent: 20 May 2001 04:59
To: [EMAIL PROTECTED]
Subject: Re: [JBoss-user] Please help :-( tomcat Servlet = Jboss EJB =
JAAS Authentiaction


Currently (JBoss-2.2.1) the security information that is obtained
from the server request is stored in a ThreadLocal and so
is only available to the request thread. You need to propagate
the security information to any child threads.

As of JBoss-2.3, security information is stored in an
InheritableThreadLocal and so is propagated automatically
to any child threads.

Lewis Henderson wrote:

 ...this is the important bit of the trace...
 ...the remote interface is stored and retrieved correctly on the session,
 however the SecurityAssociation was stored in a ThreadLocal on Thread-12
 earlier and now we are using Thread-10...
 
 marc suggests that we need some kind of InheritableThreadLocal
 implementation to get round this...
 
 I am using embedded tomcat if that helps anyone...?
 





RE: [JBoss-user] Please help :-( tomcat Servlet = Jboss EJB = JAAS Authentiaction

2001-05-20 Thread Lewis Henderson

...I tried the three new jars...I get the same problem...However, the
problem is 'client' side.

Using two machines, both with JBoss  Embedded Tomcat, I connect my browser
to machine 1 for Tomcat JSP's talking to machine 2's EJB's...

My proxy on the client-side loses the SecurityAssociation as its threads
change...

...am I making sense and is there anything else I can try?


Lewis
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED]]On Behalf Of Lewis
Henderson
Sent: 20 May 2001 14:53
To: [EMAIL PROTECTED]
Subject: RE: [JBoss-user] Please help :-( tomcat Servlet = Jboss EJB =
JAAS Authentiaction


Thx!

When will 2.3 be available?

Can I use the new jboss-jaas.jar and jbosssx.jar with 2.2.1?

Lewis

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED]]On Behalf Of Scott M
Stark
Sent: 20 May 2001 04:59
To: [EMAIL PROTECTED]
Subject: Re: [JBoss-user] Please help :-( tomcat Servlet = Jboss EJB =
JAAS Authentiaction


Currently (JBoss-2.2.1) the security information that is obtained
from the server request is stored in a ThreadLocal and so
is only available to the request thread. You need to propagate
the security information to any child threads.

As of JBoss-2.3, security information is stored in an
InheritableThreadLocal and so is propagated automatically
to any child threads.

Lewis Henderson wrote:

 ...this is the important bit of the trace...
 ...the remote interface is stored and retrieved correctly on the session,
 however the SecurityAssociation was stored in a ThreadLocal on Thread-12
 earlier and now we are using Thread-10...

 marc suggests that we need some kind of InheritableThreadLocal
 implementation to get round this...

 I am using embedded tomcat if that helps anyone...?






RE: [JBoss-user] Please help :-( tomcat Servlet = Jboss EJB = JAAS Authentiaction

2001-05-19 Thread Lewis Henderson

...I've found the cause of my original problem...now I need an answer...

My client is multi-threaded...I login successfully on the first
thread...then when another thread tries to use the remote interface (stored
in the session) I get the security exception!

Is this just a config issue or something deeper?


Lewis

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED]]On Behalf Of awc
Sent: 18 May 2001 22:01
To: [EMAIL PROTECTED]
Subject: Re: [JBoss-user] Please help :-( tomcat Servlet = Jboss EJB =
JAAS Authentiaction


OK, so this pipes into whatever you have set up.
Tks for the clarification.

anil.

Dain Sundstrom wrote:

 Anil,

 No, the code I posted simply hands login off to JAAS.  You can use the
 JaasServerLoginModule, the DatabaseServerLoginModule, or any other login
 module (I wrote my own).  By default JBoss 'other' context uses the
 JaasServerLoginModule which uses a users.properties and roles.properties
 files.

 -dain





RE: [JBoss-user] Please help :-( tomcat Servlet = Jboss EJB = JAAS Authentiaction

2001-05-19 Thread marc fleury

If the threads are spawned by the same thread, we need to implement
InheritableThreadLocal behavior and then the associations are kept in the
child threads.

marc


|-Original Message-
|From: [EMAIL PROTECTED]
|[mailto:[EMAIL PROTECTED]]On Behalf Of Lewis
|Henderson
|Sent: Saturday, May 19, 2001 7:24 AM
|To: [EMAIL PROTECTED]
|Subject: RE: [JBoss-user] Please help :-( tomcat Servlet = Jboss EJB =
|JAAS Authentiaction
|
|
|...I've found the cause of my original problem...now I need an answer...
|
|My client is multi-threaded...I login successfully on the first
|thread...then when another thread tries to use the remote interface (stored
|in the session) I get the security exception!
|
|Is this just a config issue or something deeper?
|
|
|Lewis
|
|-Original Message-
|From: [EMAIL PROTECTED]
|[mailto:[EMAIL PROTECTED]]On Behalf Of awc
|Sent: 18 May 2001 22:01
|To: [EMAIL PROTECTED]
|Subject: Re: [JBoss-user] Please help :-( tomcat Servlet = Jboss EJB =
|JAAS Authentiaction
|
|
|OK, so this pipes into whatever you have set up.
|Tks for the clarification.
|
|anil.
|
|Dain Sundstrom wrote:
|
| Anil,
|
| No, the code I posted simply hands login off to JAAS.  You can use the
| JaasServerLoginModule, the DatabaseServerLoginModule, or any other login
| module (I wrote my own).  By default JBoss 'other' context uses the
| JaasServerLoginModule which uses a users.properties and roles.properties
| files.
|
| -dain
|
|



RE: [JBoss-user] Please help :-( tomcat Servlet = Jboss EJB = JAAS Authentiaction

2001-05-19 Thread Lewis Henderson

...I am using 'struts' with an initial logon action that connects to a
StatefulSessionBean and stores its reference in the session for use by
actions later on in the process...The initial connection and all method
calls in the logon action work ok as this is thread1 however when the
reference is retrieved from the session by another action it (may) executes
in thread2...This is where all the wheels drop off!

Lewis

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED]]On Behalf Of marc fleury
Sent: 19 May 2001 14:46
To: [EMAIL PROTECTED]
Subject: RE: [JBoss-user] Please help :-( tomcat Servlet = Jboss EJB =
JAAS Authentiaction


If the threads are spawned by the same thread, we need to implement
InheritableThreadLocal behavior and then the associations are kept in the
child threads.

marc


|-Original Message-
|From: [EMAIL PROTECTED]
|[mailto:[EMAIL PROTECTED]]On Behalf Of Lewis
|Henderson
|Sent: Saturday, May 19, 2001 7:24 AM
|To: [EMAIL PROTECTED]
|Subject: RE: [JBoss-user] Please help :-( tomcat Servlet = Jboss EJB =
|JAAS Authentiaction
|
|
|...I've found the cause of my original problem...now I need an answer...
|
|My client is multi-threaded...I login successfully on the first
|thread...then when another thread tries to use the remote interface (stored
|in the session) I get the security exception!
|
|Is this just a config issue or something deeper?
|
|
|Lewis
|
|-Original Message-
|From: [EMAIL PROTECTED]
|[mailto:[EMAIL PROTECTED]]On Behalf Of awc
|Sent: 18 May 2001 22:01
|To: [EMAIL PROTECTED]
|Subject: Re: [JBoss-user] Please help :-( tomcat Servlet = Jboss EJB =
|JAAS Authentiaction
|
|
|OK, so this pipes into whatever you have set up.
|Tks for the clarification.
|
|anil.
|
|Dain Sundstrom wrote:
|
| Anil,
|
| No, the code I posted simply hands login off to JAAS.  You can use the
| JaasServerLoginModule, the DatabaseServerLoginModule, or any other login
| module (I wrote my own).  By default JBoss 'other' context uses the
| JaasServerLoginModule which uses a users.properties and roles.properties
| files.
|
| -dain
|
|



RE: [JBoss-user] Please help :-( tomcat Servlet = Jboss EJB = JAAS Authentiaction

2001-05-19 Thread Lewis Henderson

...this is definitely NOT my area of expertise...how do we get this done?

Are there any examples of similar stuff, or is it 'open heart surgery' ?

Lewis

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED]]On Behalf Of marc fleury
Sent: 19 May 2001 15:24
To: [EMAIL PROTECTED]
Subject: RE: [JBoss-user] Please help :-( tomcat Servlet = Jboss EJB =
JAAS Authentiaction


|...I am using 'struts' with an initial logon action that connects to a
|StatefulSessionBean and stores its reference in the session for use by
|actions later on in the process...The initial connection and all method
|calls in the logon action work ok as this is thread1 however when the
|reference is retrieved from the session by another action it (may) executes
|in thread2...This is where all the wheels drop off!

Yes I repeat that the associations are done at the thread level and if you
use another thread you don't have the associations hence your application is
not authenticated.  The only way around is a ITL construct in the security
and transaction storages.

Actions in struts are executed by independent threads??? The flow is not
thread family dependent?

marc
|
|Lewis
|
|-Original Message-
|From: [EMAIL PROTECTED]
|[mailto:[EMAIL PROTECTED]]On Behalf Of marc fleury
|Sent: 19 May 2001 14:46
|To: [EMAIL PROTECTED]
|Subject: RE: [JBoss-user] Please help :-( tomcat Servlet = Jboss EJB =
|JAAS Authentiaction
|
|
|If the threads are spawned by the same thread, we need to implement
|InheritableThreadLocal behavior and then the associations are kept in the
|child threads.
|
|marc
|
|
||-Original Message-
||From: [EMAIL PROTECTED]
||[mailto:[EMAIL PROTECTED]]On Behalf Of Lewis
||Henderson
||Sent: Saturday, May 19, 2001 7:24 AM
||To: [EMAIL PROTECTED]
||Subject: RE: [JBoss-user] Please help :-( tomcat Servlet = Jboss EJB =
||JAAS Authentiaction
||
||
||...I've found the cause of my original problem...now I need an answer...
||
||My client is multi-threaded...I login successfully on the first
||thread...then when another thread tries to use the remote
|interface (stored
||in the session) I get the security exception!
||
||Is this just a config issue or something deeper?
||
||
||Lewis
||
||-Original Message-
||From: [EMAIL PROTECTED]
||[mailto:[EMAIL PROTECTED]]On Behalf Of awc
||Sent: 18 May 2001 22:01
||To: [EMAIL PROTECTED]
||Subject: Re: [JBoss-user] Please help :-( tomcat Servlet = Jboss EJB =
||JAAS Authentiaction
||
||
||OK, so this pipes into whatever you have set up.
||Tks for the clarification.
||
||anil.
||
||Dain Sundstrom wrote:
||
|| Anil,
||
|| No, the code I posted simply hands login off to JAAS.  You can use the
|| JaasServerLoginModule, the DatabaseServerLoginModule, or any other login
|| module (I wrote my own).  By default JBoss 'other' context uses the
|| JaasServerLoginModule which uses a users.properties and roles.properties
|| files.
||
|| -dain
||
||



RE: [JBoss-user] Please help :-( tomcat Servlet = Jboss EJB = JAAS Authentiaction

2001-05-19 Thread Dain Sundstrom

I don't think this is an EJB problem. Can you store any value (say a String)
in the session and retrieve it later?  If you cannot, you are losing the
cookie or session id on the web client.

This is a common way a web server works.  There is a thread pool that handles
the incoming requests.  The code I posted sets the user credentials for each
request so your credentials extend to each thread.

I'm still tired so I hope that made sense.  Can you post the exception you
are getting on the second request? Also, is the system reporting that your
user is authenticated before each request is processed?

-dain

-Original Message-
From: Lewis Henderson [mailto:[EMAIL PROTECTED]]
Sent: Saturday, May 19, 2001 9:07 AM
To: [EMAIL PROTECTED]
Subject: RE: [JBoss-user] Please help :-( tomcat Servlet = Jboss EJB =
JAAS Authentiaction


...I am using 'struts' with an initial logon action that connects to a
StatefulSessionBean and stores its reference in the session for use by
actions later on in the process...The initial connection and all method
calls in the logon action work ok as this is thread1 however when the
reference is retrieved from the session by another action it (may) executes
in thread2...This is where all the wheels drop off!

Lewis

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED]]On Behalf Of marc fleury
Sent: 19 May 2001 14:46
To: [EMAIL PROTECTED]
Subject: RE: [JBoss-user] Please help :-( tomcat Servlet = Jboss EJB =
JAAS Authentiaction


If the threads are spawned by the same thread, we need to implement
InheritableThreadLocal behavior and then the associations are kept in the
child threads.

marc


|-Original Message-
|From: [EMAIL PROTECTED]
|[mailto:[EMAIL PROTECTED]]On Behalf Of Lewis
|Henderson
|Sent: Saturday, May 19, 2001 7:24 AM
|To: [EMAIL PROTECTED]
|Subject: RE: [JBoss-user] Please help :-( tomcat Servlet = Jboss EJB =
|JAAS Authentiaction
|
|
|...I've found the cause of my original problem...now I need an answer...
|
|My client is multi-threaded...I login successfully on the first
|thread...then when another thread tries to use the remote interface (stored
|in the session) I get the security exception!
|
|Is this just a config issue or something deeper?
|
|
|Lewis
|
|-Original Message-
|From: [EMAIL PROTECTED]
|[mailto:[EMAIL PROTECTED]]On Behalf Of awc
|Sent: 18 May 2001 22:01
|To: [EMAIL PROTECTED]
|Subject: Re: [JBoss-user] Please help :-( tomcat Servlet = Jboss EJB =
|JAAS Authentiaction
|
|
|OK, so this pipes into whatever you have set up.
|Tks for the clarification.
|
|anil.
|
|Dain Sundstrom wrote:
|
| Anil,
|
| No, the code I posted simply hands login off to JAAS.  You can use the
| JaasServerLoginModule, the DatabaseServerLoginModule, or any other login
| module (I wrote my own).  By default JBoss 'other' context uses the
| JaasServerLoginModule which uses a users.properties and roles.properties
| files.
|
| -dain
|
|
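
The thread-affinity failure this thread diagnoses, as an added Java example (not part of any post and not JBoss code). CallerIdentity is a hypothetical stand-in for a per-thread security association, and two single-thread executors stand in for pool workers that exist before any login. It goes one step beyond the thread by also showing the identity a reused worker keeps when nothing clears it.

```java
import java.util.concurrent.Callable;
import java.util.concurrent.ExecutorService;
import java.util.concurrent.Executors;

// Added illustration, not JBoss code. CallerIdentity is a hypothetical
// stand-in for a per-thread security association.
public class ThreadIdentityDemo {

    static final class CallerIdentity {
        private final ThreadLocal<String> slot;

        CallerIdentity(boolean inheritable) {
            slot = inheritable ? new InheritableThreadLocal<String>() : new ThreadLocal<String>();
        }
        void set(String principal) { slot.set(principal); }
        String get() { return slot.get(); }
        void clear() { slot.remove(); }
    }

    // Stand-in for the server-side check: no principal on this thread, no call.
    static String invokeSecured(CallerIdentity id) {
        String principal = id.get();
        if (principal == null) {
            throw new SecurityException("Authentication exception, principal=null");
        }
        return "allowed as " + principal;
    }

    static String attempt(CallerIdentity id) {
        try {
            return invokeSecured(id);
        } catch (SecurityException e) {
            return "DENIED: " + e.getMessage();
        }
    }

    // Runs one "request" on the given worker thread and waits for its result.
    static String on(ExecutorService worker, Callable<String> request) throws Exception {
        return worker.submit(request).get();
    }

    // Per-request binding: set the session's user, make the call, always unbind.
    static String handleRequest(CallerIdentity id, String sessionUser) {
        id.set(sessionUser);
        try {
            return attempt(id);
        } finally {
            id.clear(); // pooled threads are reused; leave no identity behind
        }
    }

    public static void main(String[] args) throws Exception {
        ExecutorService a = Executors.newSingleThreadExecutor();
        ExecutorService b = Executors.newSingleThreadExecutor();
        // Warm both workers so their threads exist before any login happens.
        on(a, () -> "warm");
        on(b, () -> "warm");

        // 1. Plain ThreadLocal: the login binds the identity to worker A only.
        CallerIdentity tl = new CallerIdentity(false);
        System.out.println("TL  login on A:      " + on(a, () -> { tl.set("Paul"); return attempt(tl); }));
        System.out.println("TL  next call on B:  " + on(b, () -> attempt(tl)));
        // Nothing cleared worker A, so an unrelated request landing there runs as Paul.
        System.out.println("TL  stranger on A:   " + on(a, () -> attempt(tl)));

        // 2. InheritableThreadLocal: a thread spawned by A after login inherits the
        //    identity, but B is a sibling created earlier and inherits nothing.
        CallerIdentity itl = new CallerIdentity(true);
        System.out.println("ITL child of A:      " + on(a, () -> {
            itl.set("Paul");
            String[] out = new String[1];
            Thread child = new Thread(() -> out[0] = attempt(itl));
            child.start();
            child.join();
            return out[0];
        }));
        System.out.println("ITL sibling B:       " + on(b, () -> attempt(itl)));

        // 3. Per-request binding from the session works on any worker and is
        //    cleared afterwards, so a later anonymous request is rejected.
        CallerIdentity perRequest = new CallerIdentity(false);
        String sessionUser = "Paul"; // constructed: what login stored in the HTTP session
        System.out.println("REQ on A:            " + on(a, () -> handleRequest(perRequest, sessionUser)));
        System.out.println("REQ on B:            " + on(b, () -> handleRequest(perRequest, sessionUser)));
        System.out.println("REQ stranger on A:   " + on(a, () -> attempt(perRequest)));

        a.shutdown();
        b.shutdown();
    }
}
```

Cases 1 and 2 deny the call on worker B, the same shape as Principal [null] on Thread-10 in the posted trace; only the per-request bind in case 3 succeeds on both workers and leaves nothing behind for the next request.
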



RE: [JBoss-user] Please help :-( tomcat Servlet = Jboss EJB = JAAS Authentiaction

2001-05-19 Thread Lewis Henderson

...this is the important bit of the trace...
...the remote interface is stored and retrieved correctly on the session,
however the SecurityAssociation was stored in a ThreadLocal on Thread-12
earlier and now we are using Thread-10...

marc suggests that we need some kind of InheritableThreadLocal
implementation to get round this...

I am using embedded tomcat if that helps anyone...?

[WorkflowAccess] org.jboss.ejb.plugins.jrmp13.interfaces.StatefulSessionProxy== invoke(Call)
[WorkflowAccess] org.jboss.ejb.plugins.jrmp13.interfaces.StatefulSessionProxy== invoke(Ok so far)
[WorkflowAccess] org.jboss.ejb.plugins.jrmp13.interfaces.StatefulSessionProxy== invoke() Principal [Paul]
[Thread-12] DEBUG client.JBossUserContext - getUserCompoundName() returned [Paul]
15513 [Thread-12] DEBUG com.cf.rt.client.JBossUserContext  - getUserCompoundName() returned [Paul]
[Thread-12] DEBUG context.UserContextBean - getUserCompoundName() returned [Paul]
15513 [Thread-12] DEBUG com.cf.rt.context.UserContextBean  - getUserCompoundName() returned [Paul]
[Thread-10] DEBUG struts.WorkflowUser - getSelectExpression()
18507 [Thread-10] DEBUG com.cf.rt.struts.WorkflowUser  - getSelectExpression()
[Thread-10] DEBUG struts.WorkflowUser - getWorkItems()
18507 [Thread-10] DEBUG com.cf.rt.struts.WorkflowUser  - getWorkItems()
[Thread-10] DEBUG client.WfoWorkflowHelper - getWorkItems(.)
18517 [Thread-10] DEBUG com.cf.rt.client.WfoWorkflowHelper  - getWorkItems(.)
[EmbeddedTomcat] org.jboss.ejb.plugins.jrmp13.interfaces.StatefulSessionProxy== invoke(Call)
[EmbeddedTomcat] org.jboss.ejb.plugins.jrmp13.interfaces.StatefulSessionProxy== invoke(Ok so far)
[EmbeddedTomcat] org.jboss.ejb.plugins.jrmp13.interfaces.StatefulSessionProxy== invoke() Principal [null]
[WorkflowClient] Authentication exception, principal=null
[WorkflowClient] TRANSACTION ROLLBACK EXCEPTION:checkSecurityAssociation; nested exception is:
    java.lang.SecurityException: Authentication exception; nested exception is:
    java.rmi.RemoteException: checkSecurityAssociation; nested exception is:
    java.lang.SecurityException: Authentication exception
[WorkflowClient] java.rmi.RemoteException: checkSecurityAssociation; nested exception is:
[WorkflowClient]    java.lang.SecurityException: Authentication exception
[WorkflowClient] java.lang.SecurityException: Authentication exception
[WorkflowClient]    at org.jboss.ejb.plugins.SecurityInterceptor.checkSecurityAssociation(SecurityInterceptor.java:212)
[WorkflowClient]    at org.jboss.ejb.plugins.SecurityInterceptor.invoke(SecurityInterceptor.java:169)
[WorkflowClient]    at org.jboss.ejb.plugins.StatefulSessionInstanceInterceptor.invoke(StatefulSessionInstanceInterceptor.java:209)
[WorkflowClient]    at org.jboss.ejb.plugins.TxInterceptorCMT.invokeNext(TxInterceptorCMT.java:133)
[WorkflowClient]    at org.jboss.ejb.plugins.TxInterceptorCMT.runWithTransactions(TxInterceptorCMT.java:263)
[WorkflowClient]    at org.jboss.ejb.plugins.TxInterceptorCMT.invoke(TxInterceptorCMT.java:99)
[WorkflowClient]    at org.jboss.ejb.plugins.LogInterceptor.invoke(LogInterceptor.java:195)
[WorkflowClient]    at org.jboss.ejb.StatefulSessionContainer.invoke(StatefulSessionContainer.java:326)
[WorkflowClient]    at org.jboss.ejb.plugins.jrmp.server.JRMPContainerInvoker.invoke(JRMPContainerInvoker.java:482)
[WorkflowClient]    at org.jboss.ejb.plugins.jrmp.interfaces.StatefulSessionProxy.invoke(StatefulSessionProxy.java:160)
[WorkflowClient]    at $Proxy17.getWorkItems(Unknown Source)
[WorkflowClient]    at com.cf.rt.client.WfoWorkflowHelper.getWorkItems(WfoWorkflowHelper.java:576)

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED]]On Behalf Of Dain
Sundstrom
Sent: 19 May 2001 16:20
To: '[EMAIL PROTECTED]'
Subject: RE: [JBoss-user] Please help :-( tomcat Servlet = Jboss EJB =
JAAS Authentiaction


I don't think this is an EJB problem. Can you store any value (say a String)
in the session and retrieve it later?  If you cannot, you are losing the
cookie or session id on the web client.

This is a common way a web server works.  There is a thread pool that handles
the incoming requests.  The code I posted sets the user credentials for each
request so your credentials extend to each thread.

I'm still tired so I hope that made sense.  Can you post the exception you
are getting on the second request? Also, is the system reporting that your
user is authenticated before each request is processed?

-dain

-Original Message-
From: Lewis Henderson [mailto:[EMAIL PROTECTED]]
Sent: Saturday, May 19, 2001 9:07 AM
To: [EMAIL PROTECTED]
Subject: RE: [JBoss-user] Please help :-( tomcat Servlet = Jboss EJB =
JAAS Authentiaction


...I am using 'struts' with an initial logon action that connects to a
StatefulSessionBean and stores its reference in the session for use by
actions later on in the process...The initial connection and all

RE: [JBoss-user] Please help :-( tomcat Servlet = Jboss EJB = JAAS Authentiaction

2001-05-18 Thread Dain Sundstrom

Last month I sent the following message, which details how I integrated the
Tomcat and JBoss security systems. Scott Stark has written a new JBoss realm
that works similarly to mine.  His new JBoss realm is available in CVS (I'm not
sure where) and I think will be in the next release of JBoss.  

I have made some minor changes since I last posted the code.

Dain Sundstrom


Recently, I have seen several posts asking how to integrate Tomcat and JBoss
security.  The current JBossRealm requires you to add users to both the
tomcat and JBoss security systems or configure the tomcat JDBCRealm and
JBoss DatabaseServerLoginModule to point to the same database table.  This
is all a big pain, so I wrote a new Tomcat interceptor which performs
authentication and authorization via the JBoss JAAS code.  The steps
required to setup this interceptor follow.

1. Create the jar
a. Copy the code (later in message) onto your machine. You can
change the package if you like.
b. Compile (requires servlet.jar webserver.jar jaas.jar 
jboss-jaas.jar jbosssx.jar)
c. Jar it
d. Copy it to jboss/lib/ext

Here is the ant target I use. 
<target name="realm" depends="compile">
    <delete file="${dist.home}/hypothermic-tomcat.jar" />
    <jar jarfile="${dist.home}/hypothermic-tomcat.jar">
        <fileset dir="${classes.home}"
                 includes="com/hypothermic/security/*.class" />
    </jar>
    <copy file="${dist.home}/hypothermic-tomcat.jar"
          todir="${jboss.lib}/ext" />
</target>

2. Secure your EJBs.
a. ejb-jar.xml Mark your EJBs as protected.

<assembly-descriptor>
    <method-permission>
        <role-name>user</role-name>
        <method>
            <ejb-name>YourBean</ejb-name>
            <method-name>*</method-name>
        </method>
    </method-permission>
</assembly-descriptor>

b. jboss.xml Set the authentication and authorization manager.

<container-configurations>
    <container-configuration>
        <container-name>Standard CMP EntityBean</container-name>
        <role-mapping-manager>java:/jaas/other</role-mapping-manager>
        <authentication-module>java:/jaas/other</authentication-module>
    </container-configuration>
</container-configurations>

<enterprise-beans>
    <entity>
        <ejb-name>YourBean</ejb-name>
        <container-name>Standard CMP EntityBean</container-name>
    </entity>
</enterprise-beans>

3. Secure your WAR (web.xml)
<security-constraint>
    <web-resource-collection>
        <web-resource-name>util</web-resource-name>
        <url-pattern>/protected/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
        <role-name>user</role-name>
    </auth-constraint>
</security-constraint>

<login-config>
    <auth-method>FORM</auth-method>
    <form-login-config>
        <form-login-page>/login.jsp</form-login-page>
        <form-error-page>/login.jsp</form-error-page>
    </form-login-config>
</login-config>

4. Setup Tomcat
a. add interceptor to server.xml immediately before the
LoadOnStartupInterceptor

<RequestInterceptor
    className="com.hypothermic.security.HypothermicRealm" />

You can also configure the interceptor here in the server.xml
The following line turns off anonymous login.

<RequestInterceptor
    className="com.hypothermic.security.HypothermicRealm"
    allowAnonymousLogin="false" />

b. Comment out all other security interceptors (SimpleRealm
JbossRealm JDBCRealm).

5. Add your users to JBoss 

I hope I didn't leave out any steps.  If you find any bugs or have any
enhancements, please email me.  

-Dain Sundstrom

=
package com.hypothermic.security;

import org.apache.tomcat.core.Request;
import org.apache.tomcat.core.Response;
import org.apache.tomcat.core.Context;

import org.apache.tomcat.util.SecurityTools;
import org.apache.tomcat.core.BaseInterceptor;

import org.jboss.security.SecurityAssociation;
import org.jboss.security.SimplePrincipal;
import org.jboss.security.auth.UsernamePasswordHandler;

import javax.servlet.http.HttpSession;

import javax.security.auth.Subject;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.login.LoginContext;
import javax.security.auth.login.LoginException;

import java.security.Principal;
import java.security.acl.Group;

import java.util.Enumeration;
import 

RE: [JBoss-user] Please help :-( tomcat Servlet = Jboss EJB = JAAS Authentiaction

2001-05-18 Thread Lewis Henderson

EXCELLENT  2 Birds with one stone...

My problem was not quite as you answered...however

I shall use this code when I secure my WebApp !

My Problem was that when I use loginContext.login() in a connection bean
(Used by both Swing apps and a struts Action) to authenticate the user to
enable them to access my EJBs, it worked for swing but not for action.
Looking through your code I see SecurityAssociation.setPrincipal() and
SecurityAssociation.setCredentials()...I did not call these !!! When I call
them, after a successful login it all works!!!

Question 1
  Should I need to call these methods... and

Question 2
  SecurityAssociation and related classes are in the JBoss jars...This makes
my code proprietary! (I want JAAS only!!!), how can I get round it?


Lewis

Thanks again, you've saved my hair !

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED]]On Behalf Of Dain
Sundstrom
Sent: 18 May 2001 16:39
To: '[EMAIL PROTECTED]'
Subject: RE: [JBoss-user] Please help :-( tomcat Servlet = Jboss EJB =
JAAS Authentiaction


Last month I sent the following message, which details how I integrated the
Tomcat and JBoss security systems. Scott Stark has written a new JBoss realm
that works similarly to mine.  His new JBoss realm is available in CVS (I'm not
sure where) and I think will be in the next release of JBoss.

I have made some minor changes since I last posted the code.

Dain Sundstrom


Recently, I have seen several posts asking how to integrate Tomcat and JBoss
security.  The current JBossRealm requires you to add users to both the
tomcat and JBoss security systems or configure the tomcat JDBCRealm and
JBoss DatabaseServerLoginModule to point to the same database table.  This
is all a big pain, so I wrote a new Tomcat interceptor which performs
authentication and authorization via the JBoss JAAS code.  The steps
required to setup this interceptor follow.

1. Create the jar
a. Copy the code (later in message) onto your machine. You can
change the package if you like.
b. Compile (requires servlet.jar webserver.jar jaas.jar
jboss-jaas.jar jbosssx.jar)
c. Jar it
d. Copy it to jboss/lib/ext

Here is the ant target I use.
<target name="realm" depends="compile">
    <delete file="${dist.home}/hypothermic-tomcat.jar" />
    <jar jarfile="${dist.home}/hypothermic-tomcat.jar">
        <fileset dir="${classes.home}"
                 includes="com/hypothermic/security/*.class" />
    </jar>
    <copy file="${dist.home}/hypothermic-tomcat.jar"
          todir="${jboss.lib}/ext" />
</target>

2. Secure your EJBs.
a. ejb-jar.xml Mark your EJBs as protected.

<assembly-descriptor>
    <method-permission>
        <role-name>user</role-name>
        <method>
            <ejb-name>YourBean</ejb-name>
            <method-name>*</method-name>
        </method>
    </method-permission>
</assembly-descriptor>

b. jboss.xml Set the authentication and authorization manager.

<container-configurations>
    <container-configuration>
        <container-name>Standard CMP EntityBean</container-name>
        <role-mapping-manager>java:/jaas/other</role-mapping-manager>
        <authentication-module>java:/jaas/other</authentication-module>
    </container-configuration>
</container-configurations>

<enterprise-beans>
    <entity>
        <ejb-name>YourBean</ejb-name>
        <container-name>Standard CMP EntityBean</container-name>
    </entity>
</enterprise-beans>

3. Secure your WAR (web.xml)
<security-constraint>
    <web-resource-collection>
        <web-resource-name>util</web-resource-name>
        <url-pattern>/protected/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
        <role-name>user</role-name>
    </auth-constraint>
</security-constraint>

<login-config>
    <auth-method>FORM</auth-method>
    <form-login-config>
        <form-login-page>/login.jsp</form-login-page>
        <form-error-page>/login.jsp</form-error-page>
    </form-login-config>
</login-config>

4. Set up Tomcat
a. Add the interceptor to server.xml immediately before the
LoadOnStartupInterceptor

<RequestInterceptor
    className="com.hypothermic.security.HypothermicRealm" />

You can also configure the interceptor here in the server.xml
The following line turns off anonymous login.

<RequestInterceptor
    className="com.hypothermic.security.HypothermicRealm"
    allowAnonymousLogin="false" />

b

RE: [JBoss-user] Please help :-( tomcat Servlet = Jboss EJB = JAAS Authentiaction

2001-05-18 Thread Dain Sundstrom

Anil,

No, the code I posted simply hands login off to JAAS.  You can use the
JaasServerLoginModule, the DatabaseServerLoginModule, or any other login
module (I wrote my own).  By default the JBoss 'other' context uses the
JaasServerLoginModule, which uses users.properties and roles.properties
files.

-dain

-Original Message-
From: awc [mailto:[EMAIL PROTECTED]]
Sent: Friday, May 18, 2001 12:26 PM
To: [EMAIL PROTECTED]
Subject: Re: [JBoss-user] Please help :-( tomcat Servlet = Jboss EJB =
JAAS Authentiaction


Dain,  don't you have to add this to auth.conf (if you use PostgreSQL)

 org.jboss.security.plugins.samples.DatabaseServerLoginModule required
     dsJndiName="java:/jdbc/PostgresDB"
     principalsQuery="select password from principals where principalid=?"
     rolesQuery="select role, rolegroup from roles where principalid=?";


or how does jboss know which db and tables to use?

anil

Dain Sundstrom wrote:

 Last month I sent the following message, which details how I integrated the
 Tomcat and JBoss security systems. Scott Stark has written a new JBoss realm
 that works similarly to mine.  His new JBoss realm is available in CVS (I'm not
 sure where) and I think will be in the next release of JBoss.

 I have made some minor changes since I last posted the code.

 Dain Sundstrom

 
 Recently, I have seen several posts asking how to integrate Tomcat and JBoss
 security.  The current JBossRealm requires you to add users to both the
 tomcat and JBoss security systems or configure the tomcat JDBCRealm and
 JBoss DatabaseServerLoginModule to point to the same database table.  This
 is all a big pain, so I wrote a new Tomcat interceptor which performs
 authentication and authorization via the JBoss JAAS code.  The steps
 required to set up this interceptor follow.

 1. Create the jar
 a. Copy the code (later in message) onto your machine. You can
 change the package if you like.
 b. Compile (requires servlet.jar webserver.jar jaas.jar
 jboss-jaas.jar jbosssx.jar)
 c. Jar it
 d. Copy it to jboss/lib/ext

 Here is the ant target I use.
 <target name="realm" depends="compile">
     <delete file="${dist.home}/hypothermic-tomcat.jar" />
     <jar jarfile="${dist.home}/hypothermic-tomcat.jar">
         <fileset dir="${classes.home}"
                  includes="com/hypothermic/security/*.class" />
     </jar>
     <copy file="${dist.home}/hypothermic-tomcat.jar"
           todir="${jboss.lib}/ext" />
 </target>

 2. Secure your EJBs.
 a. ejb-jar.xml Mark your EJBs as protected.

 <assembly-descriptor>
     <method-permission>
         <role-name>user</role-name>
         <method>
             <ejb-name>YourBean</ejb-name>
             <method-name>*</method-name>
         </method>
     </method-permission>
 </assembly-descriptor>

 b. jboss.xml Set the authentication and authorization manager.

 <container-configurations>
     <container-configuration>
         <container-name>Standard CMP EntityBean</container-name>
         <role-mapping-manager>java:/jaas/other</role-mapping-manager>
         <authentication-module>java:/jaas/other</authentication-module>
     </container-configuration>
 </container-configurations>

 <enterprise-beans>
     <entity>
         <ejb-name>YourBean</ejb-name>
         <container-name>Standard CMP EntityBean</container-name>
     </entity>
 </enterprise-beans>

 3. Secure your WAR (web.xml)
 <security-constraint>
     <web-resource-collection>
         <web-resource-name>util</web-resource-name>
         <url-pattern>/protected/*</url-pattern>
     </web-resource-collection>
     <auth-constraint>
         <role-name>user</role-name>
     </auth-constraint>
 </security-constraint>

 <login-config>
     <auth-method>FORM</auth-method>
     <form-login-config>
         <form-login-page>/login.jsp</form-login-page>
         <form-error-page>/login.jsp</form-error-page>
     </form-login-config>
 </login-config>

 4. Set up Tomcat
 a. Add the interceptor to server.xml immediately before the
 LoadOnStartupInterceptor

 <RequestInterceptor
     className="com.hypothermic.security.HypothermicRealm" />

 You can also configure the interceptor here in the server.xml
 The following line turns off anonymous login.

 <RequestInterceptor
     className="com.hypothermic.security.HypothermicRealm"
     allowAnonymousLogin="false" />

 b. Comment out all other security interceptors (SimpleRealm
 JbossRealm

Re: [JBoss-user] Please help :-( tomcat Servlet = Jboss EJB = JAAS Authentiaction

2001-05-18 Thread awc

OK, so this pipes into whatever you have set up.
Tks for the clarification.

anil.

Dain Sundstrom wrote:

 Anil,

 No, the code I posted simply hands login off to JAAS.  You can use the
 JaasServerLoginModule, the DatabaseServerLoginModule, or any other login
 module (I wrote my own).  By default the JBoss 'other' context uses the
 JaasServerLoginModule, which uses users.properties and roles.properties
 files.

 -dain

