Re: [JBoss-user] Please help :-( tomcat Servlet => Jboss EJB => JAAS Authentiaction
So add a client configuration entry to the server auth.conf and use it for your client LoginContext creation. The current contrib/tomcat module code has two example tomcat request interceptors that integrate into the JBoss security layer.

----- Original Message -----
From: "Lewis Henderson" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Monday, May 21, 2001 1:29 PM
Subject: Re: [JBoss-user] Please help :-( tomcat Servlet => Jboss EJB => JAAS Authentiaction

> ...I was trying to run an embedded tomcat client talking to jboss in the
> same VM! There is another issue to this in that you cannot have override
> java.security.auth.login.config for the client as the server also uses it!
>
> If I use stand-alone tomcat everything seems to work...I'm still holding my
> breath on this one!!
>
> It seems from the above that there needs to be two SecurityAssociations, one
> for the server and another for clients when using tomcat embedded...
>
> Lewis

_______________________________________________
JBoss-user mailing list
[EMAIL PROTECTED]
http://lists.sourceforge.net/lists/listinfo/jboss-user
Re: [JBoss-user] Please help :-( tomcat Servlet => Jboss EJB => JAAS Authentiaction
...I was trying to run an embedded tomcat client talking to jboss in the same VM! There is another issue to this in that you cannot have override java.security.auth.login.config for the client as the server also uses it!

If I use stand-alone tomcat everything seems to work...I'm still holding my breath on this one!!

It seems from the above that there needs to be two SecurityAssociations, one for the server and another for clients when using tomcat embedded...

Lewis
Re: [JBoss-user] Please help :-( tomcat Servlet => Jboss EJB => JAAS Authentiaction
If by client side you mean a client running in a VM external to the JBoss server VM, then this is the expected default behavior. Multi-threaded clients need to enable the thread local storage mode of the SecurityAssociation class by either calling SecurityAssociation.setServer() or equivalently adding a multi-threaded=true option to the JAAS ClientLoginModule config:

    other {
        org.jboss.security.ClientLoginModule required multi-threaded=true ;
    };

----- Original Message -----
From: "Lewis Henderson" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Sunday, May 20, 2001 1:31 PM
Subject: RE: [JBoss-user] Please help :-( tomcat Servlet => Jboss EJB => JAAS Authentiaction

> ...I tried the three new jars...I get the same problem...However, the
> problem is 'client' side.
>
> Using two machines, both with JBoss & Embedded Tomcat, I connect my browser
> to machine 1 for Tomcat JSP's talking to machine 2's EJB's...
>
> My proxy on the client-side loses the SecurityAssociation as its threads
> change...
>
> ...am I making sense and is there anything else I can try?
>
> Lewis
> -----Original Message-----
RE: [JBoss-user] Please help :-( tomcat Servlet => Jboss EJB => JAAS Authentiaction
...I tried the three new jars...I get the same problem...However, the problem is 'client' side.

Using two machines, both with JBoss & Embedded Tomcat, I connect my browser to machine 1 for Tomcat JSP's talking to machine 2's EJB's...

My proxy on the client-side loses the SecurityAssociation as its threads change...

...am I making sense and is there anything else I can try?

Lewis

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On Behalf Of Lewis Henderson
Sent: 20 May 2001 14:53
To: [EMAIL PROTECTED]
Subject: RE: [JBoss-user] Please help :-( tomcat Servlet => Jboss EJB => JAAS Authentiaction

Thx! When will 2.3 be available? Can I use the new jboss-jaas.jar and jbosssx.jar with 2.2.1?

Lewis

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On Behalf Of Scott M Stark
Sent: 20 May 2001 04:59
To: [EMAIL PROTECTED]
Subject: Re: [JBoss-user] Please help :-( tomcat Servlet => Jboss EJB => JAAS Authentiaction

Currently (JBoss-2.2.1) the security information that is obtained from the server request is stored in a ThreadLocal and so is only available to the request thread. You need to propagate the security information to any child threads. As of JBoss-2.3, security information is stored in an InheritableThreadLocal and so is propagated automatically to any child threads.

Lewis Henderson wrote:
> ...this is the important bit of the trace...
> ...the remote interface is stored and retrieved correctly on the session,
> however the SecurityAssociation was stored in a ThreadLocal on Thread-12
> earlier and now we are using Thread-10...
>
> marc suggests that we need some kind of InheritableThreadLocal
> implementation to get round this...
>
> I am using embedded tomcat if that helps anyone...?
RE: [JBoss-user] Please help :-( tomcat Servlet => Jboss EJB => JAAS Authentiaction
Thx! When will 2.3 be available? Can I use the new jboss-jaas.jar and jbosssx.jar with 2.2.1?

Lewis

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On Behalf Of Scott M Stark
Sent: 20 May 2001 04:59
To: [EMAIL PROTECTED]
Subject: Re: [JBoss-user] Please help :-( tomcat Servlet => Jboss EJB => JAAS Authentiaction

Currently (JBoss-2.2.1) the security information that is obtained from the server request is stored in a ThreadLocal and so is only available to the request thread. You need to propagate the security information to any child threads. As of JBoss-2.3, security information is stored in an InheritableThreadLocal and so is propagated automatically to any child threads.

Lewis Henderson wrote:
> ...this is the important bit of the trace...
> ...the remote interface is stored and retrieved correctly on the session,
> however the SecurityAssociation was stored in a ThreadLocal on Thread-12
> earlier and now we are using Thread-10...
>
> marc suggests that we need some kind of InheritableThreadLocal
> implementation to get round this...
>
> I am using embedded tomcat if that helps anyone...?
Re: [JBoss-user] Please help :-( tomcat Servlet => Jboss EJB => JAAS Authentiaction
Currently (JBoss-2.2.1) the security information that is obtained from the server request is stored in a ThreadLocal and so is only available to the request thread. You need to propagate the security information to any child threads. As of JBoss-2.3, security information is stored in an InheritableThreadLocal and so is propagated automatically to any child threads.

Lewis Henderson wrote:
> ...this is the important bit of the trace...
> ...the remote interface is stored and retrieved correctly on the session,
> however the SecurityAssociation was stored in a ThreadLocal on Thread-12
> earlier and now we are using Thread-10...
>
> marc suggests that we need some kind of InheritableThreadLocal
> implementation to get round this...
>
> I am using embedded tomcat if that helps anyone...?
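The thread-level storage discussed in this thread, as an added Java example that is not part of the original messages and is not JBoss code. The slots PLAIN and INHERITED and the one-worker pools are assumptions standing in for SecurityAssociation's principal storage and Tomcat's request threads. It shows the null principal on a pooled sibling thread, the stale identity a worker keeps when a logged-in thread created it, and the per-request set-and-clear pattern.

```java
import java.util.concurrent.ExecutorService;
import java.util.concurrent.Executors;

/**
 * Added illustration, not JBoss code. PLAIN and INHERITED are assumed names that
 * stand in for the principal slot SecurityAssociation keeps per thread.
 */
public class SecurityContextPropagationDemo {

    // JBoss 2.2.1 as described in the thread: visible only to the thread that set it.
    static final ThreadLocal<String> PLAIN = new ThreadLocal<>();
    // JBoss 2.3 as described in the thread: copied into threads the setter creates.
    static final InheritableThreadLocal<String> INHERITED = new InheritableThreadLocal<>();

    /** Reads both slots on the pool's worker thread and reports what it sees. */
    static String seenBy(ExecutorService pool) throws Exception {
        return pool.submit(() -> Thread.currentThread().getName()
                + " plain=" + PLAIN.get() + " inherited=" + INHERITED.get()).get();
    }

    public static void main(String[] args) throws Exception {
        // Request pool whose single worker exists BEFORE login, like a container's
        // pre-started request threads (Thread-10 in the posted trace).
        ExecutorService requestPool = Executors.newFixedThreadPool(1);
        seenBy(requestPool); // forces the worker thread to be created now

        // Login happens on this thread (the role Thread-12 plays in the trace).
        PLAIN.set("Paul");      // constructed sample principal
        INHERITED.set("Paul");
        System.out.println("login thread:   plain=" + PLAIN.get()
                + " inherited=" + INHERITED.get());

        // 1. A child spawned by the login thread: only the inheritable slot follows it.
        String[] childView = new String[1];
        Thread child = new Thread(() ->
                childView[0] = "plain=" + PLAIN.get() + " inherited=" + INHERITED.get());
        child.start();
        child.join();
        System.out.println("child thread:   " + childView[0]);

        // 2. The pre-existing pool worker is a sibling, not a child, so neither slot
        //    reaches it. This is the "Principal [null]" case in the trace.
        System.out.println("pool worker:    " + seenBy(requestPool));

        // 3. Caveat: a worker CREATED by a logged-in thread copies the identity at
        //    construction and keeps it after the creator logs out, so a later request
        //    served by that worker would still run as the earlier user.
        ExecutorService latePool = Executors.newFixedThreadPool(1);
        seenBy(latePool);       // worker is created while "Paul" is associated
        PLAIN.remove();
        INHERITED.remove();     // logout on the creating thread
        System.out.println("stale worker:   " + seenBy(latePool));

        // 4. Per-request association: take the principal from the authenticated
        //    session at the start of every request and clear it in finally, so the
        //    worker never carries an identity between requests.
        String sessionPrincipal = "Paul"; // constructed value; a real interceptor reads the session
        String during = requestPool.submit(() -> {
            PLAIN.set(sessionPrincipal);
            try {
                return "plain=" + PLAIN.get();
            } finally {
                PLAIN.remove();
            }
        }).get();
        System.out.println("during request: " + during);
        System.out.println("after request:  " + seenBy(requestPool));

        requestPool.shutdown();
        latePool.shutdown();
    }
}
```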
RE: [JBoss-user] Please help :-( tomcat Servlet => Jboss EJB => JAAS Authentiaction
...this is the important bit of the trace...
...the remote interface is stored and retrieved correctly on the session, however the SecurityAssociation was stored in a ThreadLocal on Thread-12 earlier and now we are using Thread-10...

marc suggests that we need some kind of InheritableThreadLocal implementation to get round this...

I am using embedded tomcat if that helps anyone...?

[WorkflowAccess] org.jboss.ejb.plugins.jrmp13.interfaces.StatefulSessionProxy== invoke(Call)
[WorkflowAccess] org.jboss.ejb.plugins.jrmp13.interfaces.StatefulSessionProxy== invoke(Ok so far)
[WorkflowAccess] org.jboss.ejb.plugins.jrmp13.interfaces.StatefulSessionProxy== invoke() Principal [Paul]
[Thread-12] DEBUG client.JBossUserContext - getUserCompoundName() returned [Paul]
15513 [Thread-12] DEBUG com.cf.rt.client.JBossUserContext - getUserCompoundName() returned [Paul]
[Thread-12] DEBUG context.UserContextBean - getUserCompoundName() returned [Paul]
15513 [Thread-12] DEBUG com.cf.rt.context.UserContextBean - getUserCompoundName() returned [Paul]
[Thread-10] DEBUG struts.WorkflowUser - getSelectExpression()
18507 [Thread-10] DEBUG com.cf.rt.struts.WorkflowUser - getSelectExpression()
[Thread-10] DEBUG struts.WorkflowUser - getWorkItems()
18507 [Thread-10] DEBUG com.cf.rt.struts.WorkflowUser - getWorkItems()
[Thread-10] DEBUG client.WfoWorkflowHelper - getWorkItems(.)
18517 [Thread-10] DEBUG com.cf.rt.client.WfoWorkflowHelper - getWorkItems(.)
[EmbeddedTomcat] org.jboss.ejb.plugins.jrmp13.interfaces.StatefulSessionProxy== invoke(Call)
[EmbeddedTomcat] org.jboss.ejb.plugins.jrmp13.interfaces.StatefulSessionProxy== invoke(Ok so far)
[EmbeddedTomcat] org.jboss.ejb.plugins.jrmp13.interfaces.StatefulSessionProxy== invoke() Principal [null]
[WorkflowClient] Authentication exception, principal=null
[WorkflowClient] TRANSACTION ROLLBACK EXCEPTION:checkSecurityAssociation; nested exception is: java.lang.SecurityException: Authentication exception; nested exception is: java.rmi.RemoteException: checkSecurityAssociation; nested exception is: java.lang.SecurityException: Authentication exception
[WorkflowClient] java.rmi.RemoteException: checkSecurityAssociation; nested exception is:
[WorkflowClient]java.lang.SecurityException: Authentication exception
[WorkflowClient] java.lang.SecurityException: Authentication exception
[WorkflowClient]at org.jboss.ejb.plugins.SecurityInterceptor.checkSecurityAssociation(SecurityInterceptor.java:212)
[WorkflowClient]at org.jboss.ejb.plugins.SecurityInterceptor.invoke(SecurityInterceptor.java:169)
[WorkflowClient]at org.jboss.ejb.plugins.StatefulSessionInstanceInterceptor.invoke(StatefulSessionInstanceInterceptor.java:209)
[WorkflowClient]at org.jboss.ejb.plugins.TxInterceptorCMT.invokeNext(TxInterceptorCMT.java:133)
[WorkflowClient]at org.jboss.ejb.plugins.TxInterceptorCMT.runWithTransactions(TxInterceptorCMT.java:263)
[WorkflowClient]at org.jboss.ejb.plugins.TxInterceptorCMT.invoke(TxInterceptorCMT.java:99)
[WorkflowClient]at org.jboss.ejb.plugins.LogInterceptor.invoke(LogInterceptor.java:195)
[WorkflowClient]at org.jboss.ejb.StatefulSessionContainer.invoke(StatefulSessionContainer.java:326)
[WorkflowClient]at org.jboss.ejb.plugins.jrmp.server.JRMPContainerInvoker.invoke(JRMPContainerInvoker.java:482)
[WorkflowClient]at org.jboss.ejb.plugins.jrmp.interfaces.StatefulSessionProxy.invoke(StatefulSessionProxy.java:160)
[WorkflowClient]at $Proxy17.getWorkItems(Unknown Source)
[WorkflowClient]at com.cf.rt.client.WfoWorkflowHelper.getWorkItems(WfoWorkflowHelper.java:576)

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On Behalf Of Dain Sundstrom
Sent: 19 May 2001 16:20
To: '[EMAIL PROTECTED]'
Subject: RE: [JBoss-user] Please help :-( tomcat Servlet => Jboss EJB => JAAS Authentiaction

I don't think this is an EJB problem. Can you store any value (say a String) in the session and retrieve it later. If you cannot, you are losing the cookie or session id on the web client.

This is a common way a web server works. There is a thread pool that handles the incoming requests. The code I posted sets the user credentials for each request so your credentials extend to each thread. I'm still tired so I hope that made sense.

Can you post the exception you are getting on the second request. Also, is the system reporting that your user is authenticated before each request is processed?

-dain

-----Original Message-----
From: Lewis Henderson [mailto:[EMAIL PROTECTED]]
Sent: Saturday, May 19, 2001 9:07 AM
To: [EMAIL PROTECTED]
Subject: RE: [JBoss-user] Please help :-( tomcat Servlet => Jboss EJB => JAAS Authentiaction

...I am using 'struts' with an initial logon action that connects to a StatefulSessionBean and stores its reference in the session for use by actions later on in th
RE: [JBoss-user] Please help :-( tomcat Servlet => Jboss EJB => JAAS Authentiaction
I don't think this is an EJB problem. Can you store any value (say a String) in the session and retrieve it later. If you cannot, you are losing the cookie or session id on the web client.

This is a common way a web server works. There is a thread pool that handles the incoming requests. The code I posted sets the user credentials for each request so your credentials extend to each thread. I'm still tired so I hope that made sense.

Can you post the exception you are getting on the second request. Also, is the system reporting that your user is authenticated before each request is processed?

-dain

-----Original Message-----
From: Lewis Henderson [mailto:[EMAIL PROTECTED]]
Sent: Saturday, May 19, 2001 9:07 AM
To: [EMAIL PROTECTED]
Subject: RE: [JBoss-user] Please help :-( tomcat Servlet => Jboss EJB => JAAS Authentiaction

...I am using 'struts' with an initial logon action that connects to a StatefulSessionBean and stores its reference in the session for use by actions later on in the process...The initial connection and all method calls in the logon action work ok as this is thread1 however when the reference is retrieved from the session by another action it (may) executes in thread2...This is where all the wheels drop off!

Lewis

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On Behalf Of marc fleury
Sent: 19 May 2001 14:46
To: [EMAIL PROTECTED]
Subject: RE: [JBoss-user] Please help :-( tomcat Servlet => Jboss EJB => JAAS Authentiaction

If the threads are spawned by a same thread, we need to implement InheritableThreadLocal behavior and then the associations are kept in the child threads.

marc

|-----Original Message-----
|From: [EMAIL PROTECTED]
|[mailto:[EMAIL PROTECTED]]On Behalf Of Lewis
|Henderson
|Sent: Saturday, May 19, 2001 7:24 AM
|To: [EMAIL PROTECTED]
|Subject: RE: [JBoss-user] Please help :-( tomcat Servlet => Jboss EJB =>
|JAAS Authentiaction
|
|
|...I've found the cause of my original problem...now I need an answer...
|
|My client is multi-threaded...I login successfully on the first
|thread...then when another thread tries to use the remote interface (stored
|in the session) I get the security exception!
|
|Is this just a config issue or something deeper?
|
|
|Lewis
|
|-----Original Message-----
|From: [EMAIL PROTECTED]
|[mailto:[EMAIL PROTECTED]]On Behalf Of awc
|Sent: 18 May 2001 22:01
|To: [EMAIL PROTECTED]
|Subject: Re: [JBoss-user] Please help :-( tomcat Servlet => Jboss EJB =>
|JAAS Authentiaction
|
|
|OK, so this pipes into whatever you have set up.
|Tks for the clarification.
|
|anil.
|
|Dain Sundstrom wrote:
|
|> Anil,
|>
|> No, the code I posted simply hands login off to JAAS. You can use the
|> JaasServerLoginModule, the DatabaseServerLoginModule, or any other login
|> module (I wrote my own). By default JBoss 'other' context uses the
|> JaasServerLoginModule which uses a users.properties and roles.properties
|> files.
|>
|> -dain
RE: [JBoss-user] Please help :-( tomcat Servlet => Jboss EJB => JAAS Authentiaction
...this is definitely NOT my area of expertise...how do we get this done?

Are there any examples of similar stuff, or is it 'open heart surgery' ?

Lewis

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On Behalf Of marc fleury
Sent: 19 May 2001 15:24
To: [EMAIL PROTECTED]
Subject: RE: [JBoss-user] Please help :-( tomcat Servlet => Jboss EJB => JAAS Authentiaction

|...I am using 'struts' with an initial logon action that connects to a
|StatefulSessionBean and stores its reference in the session for use by
|actions later on in the process...The initial connection and all method
|calls in the logon action work ok as this is thread1 however when the
|reference is retrieved from the session by another action it (may) executes
|in thread2...This is where all the wheels drop off!

Yes I repeat that the associations are done at the thread level and if you use another thread you don't have the associations hence your application is not "authenticated". The only way around is a ITL construct in the security and transaction storages.

Actions in struts are executed by independent threads??? The flow is not thread family dependent?

marc

|
|Lewis
|
|-----Original Message-----
|From: [EMAIL PROTECTED]
|[mailto:[EMAIL PROTECTED]]On Behalf Of marc fleury
|Sent: 19 May 2001 14:46
|To: [EMAIL PROTECTED]
|Subject: RE: [JBoss-user] Please help :-( tomcat Servlet => Jboss EJB =>
|JAAS Authentiaction
|
|
|If the threads are spawned by a same thread, we need to implement
|InheritableThreadLocal behavior and then the associations are kept in the
|child threads.
|
|marc
|
|
||-----Original Message-----
||From: [EMAIL PROTECTED]
||[mailto:[EMAIL PROTECTED]]On Behalf Of Lewis
||Henderson
||Sent: Saturday, May 19, 2001 7:24 AM
||To: [EMAIL PROTECTED]
||Subject: RE: [JBoss-user] Please help :-( tomcat Servlet => Jboss EJB =>
||JAAS Authentiaction
||
||
||...I've found the cause of my original problem...now I need an answer...
||
||My client is multi-threaded...I login successfully on the first
||thread...then when another thread tries to use the remote
|interface (stored
||in the session) I get the security exception!
||
||Is this just a config issue or something deeper?
||
||
||Lewis
||
||-----Original Message-----
||From: [EMAIL PROTECTED]
||[mailto:[EMAIL PROTECTED]]On Behalf Of awc
||Sent: 18 May 2001 22:01
||To: [EMAIL PROTECTED]
||Subject: Re: [JBoss-user] Please help :-( tomcat Servlet => Jboss EJB =>
||JAAS Authentiaction
||
||
||OK, so this pipes into whatever you have set up.
||Tks for the clarification.
||
||anil.
||
||Dain Sundstrom wrote:
||
||> Anil,
||>
||> No, the code I posted simply hands login off to JAAS. You can use the
||> JaasServerLoginModule, the DatabaseServerLoginModule, or any other login
||> module (I wrote my own). By default JBoss 'other' context uses the
||> JaasServerLoginModule which uses a users.properties and roles.properties
||> files.
||>
||> -dain
RE: [JBoss-user] Please help :-( tomcat Servlet => Jboss EJB => JAAS Authentiaction
|...I am using 'struts' with an initial logon action that connects to a
|StatefulSessionBean and stores its reference in the session for use by
|actions later on in the process...The initial connection and all method
|calls in the logon action work ok as this is thread1 however when the
|reference is retrieved from the session by another action it (may) executes
|in thread2...This is where all the wheels drop off!

Yes I repeat that the associations are done at the thread level and if you use another thread you don't have the associations hence your application is not "authenticated". The only way around is a ITL construct in the security and transaction storages.

Actions in struts are executed by independent threads??? The flow is not thread family dependent?

marc

|
|Lewis
|
|-----Original Message-----
|From: [EMAIL PROTECTED]
|[mailto:[EMAIL PROTECTED]]On Behalf Of marc fleury
|Sent: 19 May 2001 14:46
|To: [EMAIL PROTECTED]
|Subject: RE: [JBoss-user] Please help :-( tomcat Servlet => Jboss EJB =>
|JAAS Authentiaction
|
|
|If the threads are spawned by a same thread, we need to implement
|InheritableThreadLocal behavior and then the associations are kept in the
|child threads.
|
|marc
|
|
||-----Original Message-----
||From: [EMAIL PROTECTED]
||[mailto:[EMAIL PROTECTED]]On Behalf Of Lewis
||Henderson
||Sent: Saturday, May 19, 2001 7:24 AM
||To: [EMAIL PROTECTED]
||Subject: RE: [JBoss-user] Please help :-( tomcat Servlet => Jboss EJB =>
||JAAS Authentiaction
||
||
||...I've found the cause of my original problem...now I need an answer...
||
||My client is multi-threaded...I login successfully on the first
||thread...then when another thread tries to use the remote
|interface (stored
||in the session) I get the security exception!
||
||Is this just a config issue or something deeper?
||
||
||Lewis
||
||-----Original Message-----
||From: [EMAIL PROTECTED]
||[mailto:[EMAIL PROTECTED]]On Behalf Of awc
||Sent: 18 May 2001 22:01
||To: [EMAIL PROTECTED]
||Subject: Re: [JBoss-user] Please help :-( tomcat Servlet => Jboss EJB =>
||JAAS Authentiaction
||
||
||OK, so this pipes into whatever you have set up.
||Tks for the clarification.
||
||anil.
||
||Dain Sundstrom wrote:
||
||> Anil,
||>
||> No, the code I posted simply hands login off to JAAS. You can use the
||> JaasServerLoginModule, the DatabaseServerLoginModule, or any other login
||> module (I wrote my own). By default JBoss 'other' context uses the
||> JaasServerLoginModule which uses a users.properties and roles.properties
||> files.
||>
||> -dain
RE: [JBoss-user] Please help :-( tomcat Servlet => Jboss EJB => JAAS Authentiaction
...I am using 'struts' with an initial logon action that connects to a StatefulSessionBean and stores its reference in the session for use by actions later on in the process...The initial connection and all method calls in the logon action work ok as this is thread1 however when the reference is retrieved from the session by another action it (may) executes in thread2...This is where all the wheels drop off!

Lewis

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On Behalf Of marc fleury
Sent: 19 May 2001 14:46
To: [EMAIL PROTECTED]
Subject: RE: [JBoss-user] Please help :-( tomcat Servlet => Jboss EJB => JAAS Authentiaction

If the threads are spawned by a same thread, we need to implement InheritableThreadLocal behavior and then the associations are kept in the child threads.

marc

|-----Original Message-----
|From: [EMAIL PROTECTED]
|[mailto:[EMAIL PROTECTED]]On Behalf Of Lewis
|Henderson
|Sent: Saturday, May 19, 2001 7:24 AM
|To: [EMAIL PROTECTED]
|Subject: RE: [JBoss-user] Please help :-( tomcat Servlet => Jboss EJB =>
|JAAS Authentiaction
|
|
|...I've found the cause of my original problem...now I need an answer...
|
|My client is multi-threaded...I login successfully on the first
|thread...then when another thread tries to use the remote interface (stored
|in the session) I get the security exception!
|
|Is this just a config issue or something deeper?
|
|
|Lewis
|
|-----Original Message-----
|From: [EMAIL PROTECTED]
|[mailto:[EMAIL PROTECTED]]On Behalf Of awc
|Sent: 18 May 2001 22:01
|To: [EMAIL PROTECTED]
|Subject: Re: [JBoss-user] Please help :-( tomcat Servlet => Jboss EJB =>
|JAAS Authentiaction
|
|
|OK, so this pipes into whatever you have set up.
|Tks for the clarification.
|
|anil.
|
|Dain Sundstrom wrote:
|
|> Anil,
|>
|> No, the code I posted simply hands login off to JAAS. You can use the
|> JaasServerLoginModule, the DatabaseServerLoginModule, or any other login
|> module (I wrote my own). By default JBoss 'other' context uses the
|> JaasServerLoginModule which uses a users.properties and roles.properties
|> files.
|>
|> -dain
RE: [JBoss-user] Please help :-( tomcat Servlet => Jboss EJB => JAAS Authentiaction
If the threads are spawned by a same thread, we need to implement InheritableThreadLocal behavior and then the associations are kept in the child threads.

marc

|-----Original Message-----
|From: [EMAIL PROTECTED]
|[mailto:[EMAIL PROTECTED]]On Behalf Of Lewis
|Henderson
|Sent: Saturday, May 19, 2001 7:24 AM
|To: [EMAIL PROTECTED]
|Subject: RE: [JBoss-user] Please help :-( tomcat Servlet => Jboss EJB =>
|JAAS Authentiaction
|
|
|...I've found the cause of my original problem...now I need an answer...
|
|My client is multi-threaded...I login successfully on the first
|thread...then when another thread tries to use the remote interface (stored
|in the session) I get the security exception!
|
|Is this just a config issue or something deeper?
|
|
|Lewis
|
|-----Original Message-----
|From: [EMAIL PROTECTED]
|[mailto:[EMAIL PROTECTED]]On Behalf Of awc
|Sent: 18 May 2001 22:01
|To: [EMAIL PROTECTED]
|Subject: Re: [JBoss-user] Please help :-( tomcat Servlet => Jboss EJB =>
|JAAS Authentiaction
|
|
|OK, so this pipes into whatever you have set up.
|Tks for the clarification.
|
|anil.
|
|Dain Sundstrom wrote:
|
|> Anil,
|>
|> No, the code I posted simply hands login off to JAAS. You can use the
|> JaasServerLoginModule, the DatabaseServerLoginModule, or any other login
|> module (I wrote my own). By default JBoss 'other' context uses the
|> JaasServerLoginModule which uses a users.properties and roles.properties
|> files.
|>
|> -dain
RE: [JBoss-user] Please help :-( tomcat Servlet => Jboss EJB => JAAS Authentiaction
...I've found the cause of my original problem...now I need an answer...

My client is multi-threaded...I login successfully on the first thread...then when another thread tries to use the remote interface (stored in the session) I get the security exception!

Is this just a config issue or something deeper?

Lewis

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On Behalf Of awc
Sent: 18 May 2001 22:01
To: [EMAIL PROTECTED]
Subject: Re: [JBoss-user] Please help :-( tomcat Servlet => Jboss EJB => JAAS Authentiaction

OK, so this pipes into whatever you have set up.
Tks for the clarification.

anil.

Dain Sundstrom wrote:

> Anil,
>
> No, the code I posted simply hands login off to JAAS. You can use the
> JaasServerLoginModule, the DatabaseServerLoginModule, or any other login
> module (I wrote my own). By default JBoss 'other' context uses the
> JaasServerLoginModule which uses a users.properties and roles.properties
> files.
>
> -dain
Re: [JBoss-user] Please help :-( tomcat Servlet => Jboss EJB => JAAS Authentiaction
OK, so this pipes into whatever you have set up.
Tks for the clarification.

anil.

Dain Sundstrom wrote:

> Anil,
>
> No, the code I posted simply hands login off to JAAS. You can use the
> JaasServerLoginModule, the DatabaseServerLoginModule, or any other login
> module (I wrote my own). By default JBoss 'other' context uses the
> JaasServerLoginModule which uses a users.properties and roles.properties
> files.
>
> -dain
RE: [JBoss-user] Please help :-( tomcat Servlet => Jboss EJB => JAAS Authentiaction
Anil,

No, the code I posted simply hands login off to JAAS. You can use the JaasServerLoginModule, the DatabaseServerLoginModule, or any other login module (I wrote my own). By default JBoss 'other' context uses the JaasServerLoginModule which uses a users.properties and roles.properties files.

-dain

-----Original Message-----
From: awc [mailto:[EMAIL PROTECTED]]
Sent: Friday, May 18, 2001 12:26 PM
To: [EMAIL PROTECTED]
Subject: Re: [JBoss-user] Please help :-( tomcat Servlet => Jboss EJB => JAAS Authentiaction

Dain,

don't you have to add this to auth.conf (if you use PostgreSQL)

    org.jboss.security.plugins.samples.DatabaseServerLoginModule required
        dsJndiName="java:/jdbc/PostgresDB"
        principalsQuery="select password from principals where principalid=?"
        rolesQuery="select role, rolegroup from roles where principalid=?";

or how does jboss know which db and tables to use?

anil

Dain Sundstrom wrote:

> Last month I sent the following message, which details how I integrated the
> Tomcat and JBoss security systems. Scott Stark has written a new JBoss realm
> that work similar to mine. His new JBoss realm is available in CVS (I'm not
> sure where) and I think will be in the next release of JBoss.
>
> I have made some minor changes since I last posted the code.
>
> Dain Sundstrom
>
>
> Recently, I have seen several posts asking how to integrate Tomcat and JBoss
> security. The current JBossRealm requires you to add users to both the
> tomcat and JBoss security systems or configure the tomcat JDBCRealm and
> JBoss DatabaseServerLoginModule to point to the same database table. This
> is all a big pain, so I wrote a new Tomcat interceptor which performs
> authentication and authorization via the JBoss JAAS code. The steps
> required to setup this interceptor follow.
>
> 1. Create the jar
>    a. Copy the code (later in message) onto your machine. You can
>       change the package if you like.
>    b. Compile (requires servlet.jar webserver.jar jaas.jar
>       jboss-jaas.jar jbosssx.jar)
>    c. Jar it
>    d. Copy it to jboss/lib/ext
>
> Here is the ant target I use.
>
> includes="com/hypothermic/security/*.class" />
> todir="${jboss.lib}/ext" />
>
> 2. Secure your EJBs.
>    a. ejb-jar.xml Mark your EJBs as protected.
>
> user
> YourBean
> *
>
>    b. jboss.xml Set the authentication and authorization manager.
>
> Standard CMP
> EntityBean
> java:/jaas/other
> java:/jaas/other
>
> YourBean Standard CMP
> EntityBean
>
> 3. Secure your WAR (web.xml)
>
> util
> /protected/*
> user
>
> FORM
> /login.jsp
> /login.jsp
>
> 4. Setup Tomcat
>    a. add interceptor to server.xml immediately before the
>       LoadOnStartupInterceptor
>
> className="com.hypothermic.security.HypothermicRealm" />
>
> You can also configure the interceptor here in the server.xml
> The following line turns off anonymous login.
>
> className="com.hypothermic.security.HypothermicRealm"
> allowAnonymousLogin="false" />
>
>    b. Comment out all other security interceptors (SimpleRealm
>       JbossRealm JDBCRealm).
>
> 5. Add your users to JBoss
>
> I hope I didn't leave out any steps. If you find any bugs or have any
> enhancements, please email me.
>
> -Dain Sundstrom
>
> =
> package com.hypothermic.security;
>
> import org.apache.tomcat.core.Request;
> import org.apache.tomcat.core.Response;
> import org.apache.tomcat.core.Context;
>
> import org.apache.tomc
RE: [JBoss-user] Please help :-( tomcat Servlet => Jboss EJB => JAAS Authentiaction
...I spoke a little too soon...

I connect OK, I keep my principal for about 15 seconds as I move between my EJBs then all of a sudden I get a

[WorkflowClient] Authentication exception, principal=null
[WorkflowClient] TRANSACTION ROLLBACK EXCEPTION:checkSecurityAssociation; nested exception is:
    java.lang.SecurityException: Authentication exception; nested exception is:
    java.rmi.RemoteException: checkSecurityAssociation; nested exception is:
    java.lang.SecurityException: Authentication exception
[WorkflowClient] java.rmi.RemoteException: checkSecurityAssociation; nested exception is:
[WorkflowClient]    java.lang.SecurityException: Authentication exception
[WorkflowClient] java.lang.SecurityException: Authentication exception
[WorkflowClient]    at org.jboss.ejb.plugins.SecurityInterceptor.checkSecurityAssociation(SecurityInterceptor.java:212)
[WorkflowClient]    at org.jboss.ejb.plugins.SecurityInterceptor.invoke(SecurityInterceptor.java:169)
[WorkflowClient]    at org.jboss.ejb.plugins.StatefulSessionInstanceInterceptor.invoke(StatefulSessionInstanceInterceptor.java:209)
[WorkflowClient]    at org.jboss.ejb.plugins.TxInterceptorCMT.invokeNext(TxInterceptorCMT.java:133)
[WorkflowClient]    at org.jboss.ejb.plugins.TxInterceptorCMT.runWithTransactions(TxInterceptorCMT.java:263)
[WorkflowClient]    at org.jboss.ejb.plugins.TxInterceptorCMT.invoke(TxInterceptorCMT.java:99)
[WorkflowClient]    at org.jboss.ejb.plugins.LogInterceptor.invoke(LogInterceptor.java:195)
[WorkflowClient]    at org.jboss.ejb.StatefulSessionContainer.invoke(StatefulSessionContainer.java:326)
[WorkflowClient]    at org.jboss.ejb.plugins.jrmp.server.JRMPContainerInvoker.invoke(JRMPContainerInvoker.java:482)
[WorkflowClient]    at org.jboss.ejb.plugins.jrmp.interfaces.StatefulSessionProxy.invoke(StatefulSessionProxy.java:150)

...what the ?*#@s going on?

Lewis

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On Behalf Of Dain Sundstrom
Sent: 18 May 2001 16:39
To: '[EMAIL PROTECTED]'
Subject: RE: [JBoss-user] Please help :-( tomcat Servlet => Jboss EJB => JAAS Authentiaction

Last month I sent the following message, which details how I integrated the Tomcat and JBoss security systems. Scott Stark has written a new JBoss realm that work similar to mine. His new JBoss realm is available in CVS (I'm not sure where) and I think will be in the next release of JBoss.

I have made some minor changes since I last posted the code.

Dain Sundstrom

Recently, I have seen several posts asking how to integrate Tomcat and JBoss security. The current JBossRealm requires you to add users to both the tomcat and JBoss security systems or configure the tomcat JDBCRealm and JBoss DatabaseServerLoginModule to point to the same database table. This is all a big pain, so I wrote a new Tomcat interceptor which performs authentication and authorization via the JBoss JAAS code. The steps required to setup this interceptor follow.

1. Create the jar
   a. Copy the code (later in message) onto your machine. You can change the package if you like.
   b. Compile (requires servlet.jar webserver.jar jaas.jar jboss-jaas.jar jbosssx.jar)
   c. Jar it
   d. Copy it to jboss/lib/ext

Here is the ant target I use.

2. Secure your EJBs.
   a. ejb-jar.xml Mark your EJBs as protected.

      user
      YourBean
      *

   b. jboss.xml Set the authentication and authorization manager.

      Standard CMP EntityBean
      java:/jaas/other
      java:/jaas/other
      YourBeanStandard CMP EntityBean

3. Secure your WAR (web.xml)

      util
      /protected/*
      user
      FORM
      /login.jsp
      /login.jsp

4. Setup Tomcat
   a. add interceptor to server.xml immediately before the LoadOnStartupInterceptor

      You can also configure the interceptor here in the server.xml
      The following line turns off anonymous login.

   b. Comment out all other security interceptors (SimpleRealm JbossRealm JDBCRealm).

5. Add your users to JBoss

I hope I didn't leave out any steps. If you find any bugs or have any enhancement
Re: [JBoss-user] Please help :-( tomcat Servlet => Jboss EJB => JAAS Authentiaction
Dain,

don't you have to add this to auth.conf (if you use PostgreSQL)

org.jboss.security.plugins.samples.DatabaseServerLoginModule required
dsJndiName="java:/jdbc/PostgresDB"
principalsQuery="select password from principals where principalid=?"
rolesQuery="select role, rolegroup from roles where principalid=?";

or how does jboss know which db and tables to use?

anil

Dain Sundstrom wrote:

> Last month I sent the following message, which details how I integrated the
> Tomcat and JBoss security systems. Scott Stark has written a new JBoss realm
> that work similar to mine. His new JBoss realm is available in CVS (I'm not
> sure where) and I think will be in the next release of JBoss.
>
> I have made some minor changes since I last posted the code.
>
> Dain Sundstrom
>
> Recently, I have seen several posts asking how to integrate Tomcat and JBoss
> security. The current JBossRealm requires you to add users to both the
> tomcat and JBoss security systems or configure the tomcat JDBCRealm and
> JBoss DatabaseServerLoginModule to point to the same database table. This
> is all a big pain, so I wrote a new Tomcat interceptor which performs
> authentication and authorization via the JBoss JAAS code. The steps
> required to setup this interceptor follow.
>
> 1. Create the jar
>    a. Copy the code (later in message) onto your machine. You can
>       change the package if you like.
>    b. Compile (requires servlet.jar webserver.jar jaas.jar
>       jboss-jaas.jar jbosssx.jar)
>    c. Jar it
>    d. Copy it to jboss/lib/ext
>
> Here is the ant target I use.
>
> includes="com/hypothermic/security/*.class" />
>
> todir="${jboss.lib}/ext" />
>
> 2. Secure your EJBs.
>    a. ejb-jar.xml Mark your EJBs as protected.
>
> user
>
> YourBean
> *
>
>    b. jboss.xml Set the authentication and authorization manager.
>
> Standard CMP
> EntityBean
>
> java:/jaas/other
>
> java:/jaas/other
>
> YourBean Standard CMP
> EntityBean
>
> 3. Secure your WAR (web.xml)
>
> util
> /protected/*
>
> user
>
> FORM
>
> /login.jsp
> /login.jsp
>
> 4. Setup Tomcat
>    a. add interceptor to server.xml immediately before the
>       LoadOnStartupInterceptor
>
> className="com.hypothermic.security.HypothermicRealm" />
>
> You can also configure the interceptor here in the server.xml
> The following line turns off anonymous login.
>
> className="com.hypothermic.security.HypothermicRealm"
> allowAnonymousLogin="false" />
>
>    b. Comment out all other security interceptors (SimpleRealm
>       JbossRealm JDBCRealm).
>
> 5. Add your users to JBoss
>
> I hope I didn't leave out any steps. If you find any bugs or have any
> enhancements, please email me.
>
> -Dain Sundstrom
>
> =
> package com.hypothermic.security;
>
> import org.apache.tomcat.core.Request;
> import org.apache.tomcat.core.Response;
> import org.apache.tomcat.core.Context;
>
> import org.apache.tomcat.util.SecurityTools;
> import org.apache.tomcat.core.BaseInterceptor;
>
> import org.jboss.security.SecurityAssociation;
> import org.jboss.security.SimplePrincipal;
> import org.jboss.security.auth.UsernamePasswordHandler;
>
> import javax.servlet.http.HttpSession;
>
> import javax.security.auth.Subject;
> import javax.security.auth.callback.CallbackHandler;
> import javax.security.auth.login.LoginContext;
> import javax.security.auth.login.LoginException;
>
> import java.security.Principal;
> import java.security.acl.Group;
>
> import java.util.Enumeration;
> import java.util.Iterator;
> import java.util.Set;
> import java.util.HashSet;
> import java.util.Hashtable;
>
> /**
>  * Integrates Tomcat and Jboss security by redirecting Tomcat authentication and authorization
>  * calls to the JBoss JAAS code.
>  * @author Dain Sundstrom
>  */
> public class HypothermicRealm extends BaseInterceptor {
>     private String subjectKey = "j_subject";
>     private String loginContextName = "other";
RE: [JBoss-user] Please help :-( tomcat Servlet => Jboss EJB => JAAS Authentiaction
EXCELLENT > 2 Birds with one stone...

My problem was not quite as you answered...however I shall use this code when I secure my WebApp !

My Problem was that when I use loginContext.login() in a connection bean (Used by both Swing apps and a struts Action) to authenticate the user to enable them to access my EJBs, it worked for swing but not for action.

Looking through your code I see SecurityAssociation.setPrincipal() and SecurityAssociation.setCredentials()...I did not call these !!!

When I call them, after a successful login it all works!!!

Question 1
Should I need to call these methods...

and Question 2
SecurityAssociation and related classes are in the JBoss jars...This makes my code proprietary! (I want JAAS only!!!), how can I get round it?

Lewis

Thanks again, you've saved my hair !

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On Behalf Of Dain Sundstrom
Sent: 18 May 2001 16:39
To: '[EMAIL PROTECTED]'
Subject: RE: [JBoss-user] Please help :-( tomcat Servlet => Jboss EJB => JAAS Authentiaction

Last month I sent the following message, which details how I integrated the Tomcat and JBoss security systems. Scott Stark has written a new JBoss realm that work similar to mine. His new JBoss realm is available in CVS (I'm not sure where) and I think will be in the next release of JBoss.

I have made some minor changes since I last posted the code.

Dain Sundstrom

Recently, I have seen several posts asking how to integrate Tomcat and JBoss security. The current JBossRealm requires you to add users to both the tomcat and JBoss security systems or configure the tomcat JDBCRealm and JBoss DatabaseServerLoginModule to point to the same database table. This is all a big pain, so I wrote a new Tomcat interceptor which performs authentication and authorization via the JBoss JAAS code. The steps required to setup this interceptor follow.

1. Create the jar
   a. Copy the code (later in message) onto your machine. You can change the package if you like.
   b. Compile (requires servlet.jar webserver.jar jaas.jar jboss-jaas.jar jbosssx.jar)
   c. Jar it
   d. Copy it to jboss/lib/ext

Here is the ant target I use.

2. Secure your EJBs.
   a. ejb-jar.xml Mark your EJBs as protected.

      user
      YourBean
      *

   b. jboss.xml Set the authentication and authorization manager.

      Standard CMP EntityBean
      java:/jaas/other
      java:/jaas/other
      YourBeanStandard CMP EntityBean

3. Secure your WAR (web.xml)

      util
      /protected/*
      user
      FORM
      /login.jsp
      /login.jsp

4. Setup Tomcat
   a. add interceptor to server.xml immediately before the LoadOnStartupInterceptor

      You can also configure the interceptor here in the server.xml
      The following line turns off anonymous login.

   b. Comment out all other security interceptors (SimpleRealm JbossRealm JDBCRealm).

5. Add your users to JBoss

I hope I didn't leave out any steps. If you find any bugs or have any enhancements, please email me.

-Dain Sundstrom

=
package com.hypothermic.security;

import org.apache.tomcat.core.Request;
import org.apache.tomcat.core.Response;
import org.apache.tomcat.core.Context;

import org.apache.tomcat.util.SecurityTools;
import org.apache.tomcat.core.BaseInterceptor;

import org.jboss.security.SecurityAssociation;
import org.jboss.security.SimplePrincipal;
import org.jboss.security.auth.UsernamePasswordHandler;

import javax.servlet.http.HttpSession;

import javax.security.auth.Subject;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.login.LoginContext;
import javax.security.auth.login.LoginException;

import java.security.Principal;
import java.security.acl.Group;

import java.util.Enumeration;
import java.util.Iterator;
import java.util.Set;
import java.util.HashSet;
import java.util.Hashtable;

/**
 * Integrates Tomcat and Jboss security by redirecting Tomcat authentication and authorization
 * calls to the JBoss JAAS code.
 * @author Dain Sundstrom
 */
public class Hypoth
RE: [JBoss-user] Please help :-( tomcat Servlet => Jboss EJB => JAAS Authentiaction
Last month I sent the following message, which details how I integrated the Tomcat and JBoss security systems. Scott Stark has written a new JBoss realm that work similar to mine. His new JBoss realm is available in CVS (I'm not sure where) and I think will be in the next release of JBoss.

I have made some minor changes since I last posted the code.

Dain Sundstrom

Recently, I have seen several posts asking how to integrate Tomcat and JBoss security. The current JBossRealm requires you to add users to both the tomcat and JBoss security systems or configure the tomcat JDBCRealm and JBoss DatabaseServerLoginModule to point to the same database table. This is all a big pain, so I wrote a new Tomcat interceptor which performs authentication and authorization via the JBoss JAAS code. The steps required to setup this interceptor follow.

1. Create the jar
   a. Copy the code (later in message) onto your machine. You can change the package if you like.
   b. Compile (requires servlet.jar webserver.jar jaas.jar jboss-jaas.jar jbosssx.jar)
   c. Jar it
   d. Copy it to jboss/lib/ext

Here is the ant target I use.

2. Secure your EJBs.
   a. ejb-jar.xml Mark your EJBs as protected.

      user
      YourBean
      *

   b. jboss.xml Set the authentication and authorization manager.

      Standard CMP EntityBean
      java:/jaas/other
      java:/jaas/other
      YourBeanStandard CMP EntityBean

3. Secure your WAR (web.xml)

      util
      /protected/*
      user
      FORM
      /login.jsp
      /login.jsp

4. Setup Tomcat
   a. add interceptor to server.xml immediately before the LoadOnStartupInterceptor

      You can also configure the interceptor here in the server.xml
      The following line turns off anonymous login.

   b. Comment out all other security interceptors (SimpleRealm JbossRealm JDBCRealm).

5. Add your users to JBoss

I hope I didn't leave out any steps. If you find any bugs or have any enhancements, please email me.

-Dain Sundstrom

=
package com.hypothermic.security;

import org.apache.tomcat.core.Request;
import org.apache.tomcat.core.Response;
import org.apache.tomcat.core.Context;

import org.apache.tomcat.util.SecurityTools;
import org.apache.tomcat.core.BaseInterceptor;

import org.jboss.security.SecurityAssociation;
import org.jboss.security.SimplePrincipal;
import org.jboss.security.auth.UsernamePasswordHandler;

import javax.servlet.http.HttpSession;

import javax.security.auth.Subject;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.login.LoginContext;
import javax.security.auth.login.LoginException;

import java.security.Principal;
import java.security.acl.Group;

import java.util.Enumeration;
import java.util.Iterator;
import java.util.Set;
import java.util.HashSet;
import java.util.Hashtable;

/**
 * Integrates Tomcat and Jboss security by redirecting Tomcat authentication and authorization
 * calls to the JBoss JAAS code.
 * @author Dain Sundstrom
 */
public class HypothermicRealm extends BaseInterceptor {
    private String subjectKey = "j_subject";
    private String loginContextName = "other";
    private boolean credentialsFromRequest = true;
    private boolean allowAnonymousLogin = true;
    private String anonymousUsername = "anonymous";
    private String anonymousPassword = "anonymous";

    /**
     * The key that is used to store the Subject in the session attributes.
     * @param subjectKey the key
     */
    public void setSubjectKey(String subjectKey) {
        this.subjectKey = subjectKey;
    }

    /**
     * The name used by JAAS during Login for determining spi
     * @param loginContextName the name
     */
    public void setLoginContextName(String loginContextName) {
        this.loginContextName = loginContextName;
    }

    /**
     * Should the request be checked for credentials.
     */
    public void setCredentialsFromRequest(String credentialsFromRequest)