Hey all,

I have 2 deployables each with their own security domain: a war which uses form 
based authentication and authenticates in the "myWeb" security domain, and an 
ear which authenticates in the "myEjb" security domain. Both are deployed in 
the same JBoss jvm (for testing purposes - for production they will be deployed 
into their own JBoss jvm on different servers). I've configured the war to pass 
the CallerPrincipal when accessing session beans in the ejb by adding the 
ClientLoginModule (see my configuration listings at the end).  The intention is 
to have the web tier do the initial authentication, passing each user's 
credentials from the web tier to the app tier as necessary.

The problem is that when I have 2 users logged in trying to access the session 
beans, either the wrong CallerPrincipal is used in the app tier or I get a 
"FailedLoginException: Password Incorrect/Password Required". Here are my steps 
for reproducing the error:

1. Browser 1 - login as user1. Web reports CallerPrincipal as "user1". App 
reports CallerPrincipal as "user1". Consecutive calls to app tier do not 
produce any errors.
2. Browser 2 (different box) - login as user2. Web reports CallerPrincipal as 
"user2". Most of the time the app reports the CallerPrincipal as "user2" but 
will occasionally report "user1". I've noticed that if the "multi-threaded" 
parameter of the ClientLoginModule is set to false, the app will always see the 
CallerPrincipal as the last user to login. Consecutive calls to app tier do not 
produce the FailedLoginException.
3. Browser 1 - user1 still logged in - perform action that calls the app tier 
and receive the FailedLoginException.
4. Browser 2 - user2 still logged in - perform action that calls the app tier 
and receive the FailedLoginException.

I feel like I'm missing something obvious and important and I'm pretty sure 
this is a common scenario: using container managed security (a la JAAS) to 
authenticate/authorize users at an enterprise level. Could someone explain to 
me what I'm doing wrong/how to resolve this issue? Is there a different 
approach I should try?

Thanks,

Joe Hindsley

Configuration files follow:

login-config.xml:

  |     <application-policy name = "myWeb">
  |        <authentication>
  |           <login-module code="org.jboss.security.auth.spi.UsersRolesLoginModule"
  |              flag = "required">
  |              <module-option name="usersProperties">myweb-users.properties</module-option>
  |              <module-option name="rolesProperties">myweb-roles.properties</module-option>
  |              <module-option name="password-stacking">useFirstPass</module-option>
  |           </login-module>
  |           <login-module code = "org.jboss.security.ClientLoginModule"
  |              flag = "required">
  |              <module-option name="multi-threaded">true</module-option>
  |              <module-option name="password-stacking">useFirstPass</module-option>
  |           </login-module>
  |        </authentication>
  |     </application-policy>
  |
  |     <application-policy name = "myEjb">
  |        <authentication>
  |           <login-module code="org.jboss.security.auth.spi.UsersRolesLoginModule"
  |              flag = "required">
  |              <module-option name="usersProperties">myejb-users.properties</module-option>
  |              <module-option name="rolesProperties">myejb-roles.properties</module-option>
  |              <module-option name="password-stacking">useFirstPass</module-option>
  |           </login-module>
  |        </authentication>
  |     </application-policy>
  |

myweb-users.properties and myejb-users.properties:

  | user1=user1pw
  | user2=user2pw
  | 

myweb-roles.properties:

  | user1=webrole
  | user2=webrole
  | 

myejb-roles.properties:

  | user1=ejbrole
  | user2=ejbrole
  | 

View the original post : 
http://www.jboss.org/index.html?module=bb&op=viewtopic&p=3872918#3872918

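The symptom described in the post (a second user's EJB calls sometimes carrying the first user's CallerPrincipal, and always the last login when multi-threaded is false) is what a JVM-global or thread-wide credential association produces when the web tier never clears it between requests. The following is an added example, not code from the poster or from JBoss, showing one way to scope the propagated identity to a single EJB call: a JAAS LoginContext against the poster's "myWeb" policy is opened just before the call and logged out right after, so the association lives only for that call on that thread. It assumes the web tier still holds the user's password, that the "myWeb" policy keeps the ClientLoginModule with multi-threaded=true as configured above, and that ClientLoginModule's logout clears the association its login made, as the JBoss documentation describes. The class and method names are hypothetical.

```java
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.NameCallback;
import javax.security.auth.callback.PasswordCallback;
import javax.security.auth.callback.UnsupportedCallbackException;
import javax.security.auth.login.LoginContext;
import java.util.concurrent.Callable;

/** Hands one user's name and password to the JAAS login modules (hypothetical helper). */
final class FixedCredentialsHandler implements CallbackHandler {
    private final String user;
    private final char[] password;

    FixedCredentialsHandler(String user, char[] password) {
        this.user = user;
        this.password = password;
    }

    @Override
    public void handle(Callback[] callbacks) throws UnsupportedCallbackException {
        for (Callback cb : callbacks) {
            if (cb instanceof NameCallback) {
                ((NameCallback) cb).setName(user);
            } else if (cb instanceof PasswordCallback) {
                ((PasswordCallback) cb).setPassword(password);
            } else {
                throw new UnsupportedCallbackException(cb);
            }
        }
    }
}

/** Scopes the propagated identity to a single EJB call on the current thread (hypothetical). */
public final class ScopedEjbCall {
    // "myWeb" is the application-policy name from the poster's login-config.xml.
    private static final String POLICY = "myWeb";

    public static <T> T asUser(String user, char[] password, Callable<T> ejbWork)
            throws Exception {
        LoginContext lc = new LoginContext(POLICY, new FixedCredentialsHandler(user, password));
        lc.login();                // ClientLoginModule associates user/password with this thread
        try {
            return ejbWork.call(); // remote EJB calls made in here carry that identity
        } finally {
            lc.logout();           // assumed to clear the association so a pooled thread
        }                          // serving the next request cannot inherit it
    }
}
```

A quick check for the problem in the post: log the CallerPrincipal seen by the session bean inside ejbWork and compare it with the web user on every request; any mismatch after adding the login/logout scoping points at another place where the identity is being set outside this wrapper.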


_______________________________________________
JBoss-user mailing list
JBoss-user@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/jboss-user