With JBoss, as part of your login module, if you want to specify what the
roles of the user are, you need to create a Group class instance (agreed, it does
not need to be the one from JBoss) with a specific name (JBoss specific).
The fact that this Group instance with this specific name is used to
Unfortunately, not really.
The JAAS basic capabilities are common to all application servers, but when
writing your own custom JAAS login modules, in order to fully integrate them with
the app server, you will have to write some app server specific code:
- If you want to specify what are the roles
For the login config, take a look at
http://wiki.jboss.org/wiki/Wiki.jsp?page=DynamicLoginConfig.
The JBossSX Wiki pages are actually a good JBoss security resource for
documentation.
Not sure I understand the second question. I am not an Entity bean expert but I
will be surprised that you can no
Basically, your servlet is a client to your EJBs.
With JBoss, if a client is doing an explicit JAAS login, the established
security context is propagated to the backend EJBs only if you have the JBoss
ClientLoginModule as part of your JAAS configuration.
I am assuming that you edited the login-c
There are tons of threads on this subject in the forum.
If you are doing your own JAAS login in your servlet code, you will need to make
sure that ClientLoginModule is part of the JAAS configuration you are using
("domain" according to your code below) for the propagation to happen.
But you als
HttpServletRequest.getUserPrincipal
View the original post :
http://www.jboss.org/index.html?module=bb&op=viewtopic&p=3887697#3887697
Reply to the post :
http://www.jboss.org/index.html?module=bb&op=posting&mode=reply&p=3887697
If you want your own principal to be returned from getUserPrincipal (meaning
that you want to set your own user principal), you need to let the container
(tomcat/JBoss) do the authentication for you, meaning you need to use BASIC or
FORM (j_security_check) authentication.
Thomas
But the jaas-pam stuff looks promising :-)
I tried to use these a little while ago, but they are pretty useless in a
client/server context like in JBoss.
The NT and Unix modules just populate a JAAS subject with some data coming
from the currently authenticated user (the user running the Java code).
You cannot provide an arbitrary use
This is definitely the way to make it work to get the custom principal in the
session code, but I did not think that this was also working for the web
container.
Which JBoss version are you using?
Thomas
You can probably "workaround" the problem by creating a servlet interceptor or
tomcat valve to collect the user data you need and cache it as part of the HTTP
session.
Not as elegant as the custom principal, I think, but that should work.
Thomas
I do not believe this is possible at this point with JBoss.
You can have a custom principal in your EJB code (custom principal returned by
EJBContext.getCallerPrincipal), but not in the web container code.
See http://www.jboss.org/index.html?module=bb&op=viewtopic&p=3878558 for more
details, espe
Go through the following topic:
http://www.jboss.org/index.html?module=bb&op=viewtopic&t=66988, it should give
you a good set of information to start with.
Indeed, no need to define your own login page if you want BASIC authentication.
Check the servlet specification to see how to declare security constraints in
your web.xml file.
Here is an example:
| <security-constraint>
|   <web-resource-collection>
|     <web-resource-name>Restricted</web-resource-name>
|     <description>Restricted resources</description>
|     <url-pattern>/*</url-pattern>
|   </web-resource-collection>
|   <auth-constraint><role-name>Role1</role-name></auth-constraint>
| </security-constraint>
Actually, forget what I said, dwarf is not open source. You just have a free
binary distribution.
There are no out-of-the-box JAAS login modules that will allow you to do that
(at least not with JBoss).
You might be able to extract and reuse the UnixLoginModule of the dwarf server
framework:
http://158.195.16.189/doc/dwarf/api/SK/gnome/dwarf/auth/login/UnixLoginModule.html
Thomas
getCallerPrincipal on the EJBContext that is set via the setSessionContext
operation of the session bean.
This is assuming that your application is properly secured using the standard
J2EE mechanisms.
Thomas
A few different answers to your two last post:
1) With web applications, you can basically handle the login in two different
ways: BASIC authentication (that will cause the web browser to display the
"standard" login window asking for user name and password) or FORM based
authentication where yo
This is almost enough
You also need to define your login page in the web.xml (standard servlet
login-config stuff) and you need to define some security constraints on your web
app URLs (also done in the web.xml) to mark them as "secured", otherwise login
will not be requested.
But, once JBos
Ok, so it seems that you want standard J2EE security.
There are two aspects to using standard security in JBoss: what is specified by
the J2EE spec and what is application server (JBoss in your case) specific.
For the J2EE specified aspect you need to declare your security constraints in
your J2E
It looks like standard J2EE security to me and JBoss can definitely do that,
but you need to be a little more specific in your requirements before a more
detailed answer can be provided.
1) You are saying "only selected machines" but you are also talking about some
roles. Roles are usually ass
I do not believe that the default sun implementation is searching through the
classpath to find the JAAS config file (see
http://java.sun.com/j2se/1.4.2/docs/guide/security/jaas/spec/com/sun/security/auth/login/ConfigFile.html).
But you should be able to programmatically define your own JAAS con
You are correct, the client side Subject is not updated to be in "synch" with
the server side Subject.
But there is nothing in JAAS and in the J2EE spec that is saying that it should
be.
For example, WebSphere and WebLogic (I believe) are also not providing such
mechanism.
In all three app serv
Scott,
I do want to deal with JAAS on the client side (I want to use JAAS for
authentication).
But I also have a requirement for a multi-threaded and multi-user EJB client
application and I am trying to understand how, within the same EJB client (same
JVM) I can deal with multiple authenticatio
By the way, it will also be nice if, in multi-threaded mode, threads that have
not been associated with an identity are considered as unauthenticated (instead
of using the identity of the last LoginContext.login).
I think that such behavior makes more sense.
Thomas
With JBoss, using the default ClientLoginModule, it seems that I can achieve
the following in a multi-threaded EJB client application using JAAS
authentication:
1) All threads are sharing the same user identity, which is the one established
by the last call to LoginContext.login.
This is the d
I do not think that such feature exist in JBoss.
Outside of the custom JAAS login modules (authentication + establishing user
roles) JBoss does not have the notion of external user registries.
Thomas
I see.
For sure, if you do your own JAAS login within the servlet code, the
request.getCallerPrincipal will definitely not return your custom principal as
your authentication is done too late in the process.
You need to look at the tomcat documentation to create your own realm or
something like
I believe that if you are doing your own login code in your servlet, it is
already too late to get the proper user from the HTTP request object (and it is
not getRemoteUser but getUserPrincipal that should be called).
You need to let the web container (tomcat) do the authentication for you in
Hard to understand the kind of help you need.
What is your environment? Web? Remote EJB?
What are you confused about?
A basic JAAS understanding is definitely going to help. You can find JAAS
documentation in the Sun JDK.
Then you should take a look at the HowTo referenced by one of the stic
you can put it in your sar file.
Check the DynamicLoginConfig stuff in the Wiki pages:
http://wiki.jboss.org/wiki/Wiki.jsp?page=DynamicLoginConfig
You will have to write your own JAAS login module.
This works pretty well with the latest JBoss version (4.0.2). You might have
issues with the custom principal in the servlet with older versions.
You can take a look at the sticky HowTo at the beginning of this forum, it
contains documentation a
The fact that you have a complex role model and that you need your own JAAS
login module does not mean that you need to do your own programmatic login.
You can define your own JBoss security domain (conf/login-config.xml) that will
use your JAAS login module. You can then associate your war file
Which JBoss version are you using?
Any particular reason why you are not just using BASIC or FORM based
authentication in your web application?
With JBoss 4.0.2, with both BASIC and FORM based authentication, you do not
have to write your own login logic and user identity is automatically
pro
If you do not want to specify any security on your EJB, then do not put any
security domain in the jboss.xml file.
But if you do that, then authentication is not required anymore.
If you require authentication, you will need, at least, to specify that all
your EJB operations are "unchecked" (see
Scott,
Thanks for the answer.
I agree that it is not likely that the web browser will be able to provide
custom credentials.
But I also do not think that I have to go that far as the unique id that I want
to add to the principal to make it "unique" could be generated right at the
tomcat/JBoss j
I just tried with JBoss 4.0.2 and it is definitely working much better.
Without any changes to the configuration of the default server of JBoss 4.0.2,
I managed to do the following:
1) Create a custom login module that is creating a custom principal
2) Deploy EJB + servlet configured with the s
I just tried a similar setup (EJB + servlet + form authentication) with JBoss
4.0.2 and it worked for me.
The exception you are getting does not seem like a security exception.
I am wondering if the problem is not somewhere else.
Thomas
I might have found one of the answers to my questions.
I am currently using JBoss 3.2.3 (but I am looking at JBoss 3.2.6 source code,
which might explain some of my confusion).
Anyway, in JBoss 3.2.6, it seems that there is a custom principal valve that is
supposed to be used so the principal c
I did a few more tests and I think I can try to define my configuration and
question a little better:
- I have one JAAS security domain using, for example, the LDAP login module and
nothing else (not ClientLoginModule or anything like that, the
SecurityAssociationValve is the one taking care o
Got it.
I now understand better how the identity is propagated between the tomcat web
container and JBoss.
Thanks for the help.
Thomas
You are correct, I am confused.
Let's say that I have two custom login modules:
- CustomClientLoginModule: used on the EJB client side to create the custom
principal.
- CustomServerLoginModule: used on the EJB server side to perform my custom
authentication.
In an EJB client/server mode, C
I see (I was actually currently digging into that - see related post I sent
earlier).
I am also assuming that this valve is also populating the credential cache or
something like that.
What I mean is once the web container has authenticated the user, even though
my EJB are also configured with
I believe that JBoss and WebLogic are not working the same way.
With WebLogic, when you call login on your client side, this will indeed go
back to the server to perform the authentication (or something like that).
With JBoss, client side login does nothing except associating the user
credenti
The one I have is the 3.2.X version.
It explains very well how this is done from an EJB container and EJB client
point of view, but it is not very explicit on how this is working when
integrated with a Servlet container like tomcat.
Is there a more recent version with more details on this subjec
I never created a patch for JBoss before, but I will give it a try.
I also would like the solution to be complete and work when using a web client
going through a servlet.
Here is what I did so far:
1) Create a simple servlet that is deployed under the same JAAS security domain
as my EJBs and
Most likely.
The login operation is a JAAS defined operation.
The other ones are specific to the AbstractServerLoginModule to make your life
easier so you do not have to worry about the other JAAS defined operations
(initialize, commit, abort and logout).
Thomas
I have spent quite some time on JAAS in a pure EJB environment (remote EJB
client calling server side EJBs) and I believe that I understand how this is
working.
I was now wondering how this is working when the client application is a web
application going through a servlet that then accesses th
Thanks.
It does except that I'd like the beforeRemove as well.
I do not believe that I have the JIRA rights to "merge" the two issues, but if
I do I can certainly take care of it.
Thomas
From a pure JAAS point of view, client or server JAAS login modules do not
make any difference.
On both sides you have one or more JAAS modules configured (stack of JAAS
modules).
The differences when used with JBoss are as follows:
1) The JBoss client JAAS login module (ClientLoginModule) mu
Thanks for the answer.
I created the JIRA entry: http://jira.jboss.com/jira/browse/JBCACHE-159
Thomas
Authenticate.authenticate() is weblogic specific and you will not find an
equivalent in JBoss.
But they both support JAAS, so some aspects will be similar.
For example, you can create a JAAS login module that will check if the user is
locked or not and just abort the authentication process if loc
You also need to write a JBoss custom JAAS login module.
See http://www.jboss.org/index.html?module=bb&op=viewtopic&t=46370
Thomas
Any answers on my last question or is the question stupid and I should go back
to reading the documentation?
So the evicted notification happens after it has been evicted? Is there any
ways where I can get an "aboutToBeEvicted" where I know for sure that
everything is still in the cache and ca
Thanks for the answers.
1) So the evicted notification happens after it has been evicted? Is there any
ways where I can get an "aboutToBeEvicted" where I know for sure that
everything is still in the cache and can be accessed?
2) That is what I thought. I was just surprised that /a was not evic
Two quick questions about the eviction mechanism.
I admit, I did not do extensive searches in the forum to see if this has been
already answered before.
1) If I am writing my own TreeCacheListener, in the execution of the
nodeEvicted operation, is it safe to access the data about to be evicted i
I believe that I have a working solution (tests seems to be conclusive).
Let me know if this makes sense.
1) Create a custom principal class holding user name and an extra "id"
attribute.
2) Create a custom login module for the client. This custom login module is
requesting only user name and
I am not sure I understand what you mean.
For example, if I want to write a login module to have user name, password and
domain name (for windows), I probably need to write a custom login module for
both the client and server side.
In such case, I am hoping that the same user name and password bu
I see. Thanks for the Wiki page link.
I am still concerned about relying on the client code to do the proper flushing (in my
case, I have a remote EJB application).
I guess I could flush the cache before any new call to loginContext.login, but
this will still not solve my problem of not sharing the ser
Thanks for the prompt answer.
I thought that disabling caching means that authentication will be done for
every EJB request (and not just between two calls to loginContext.login).
Is it not the case?
Thomas
My initial experiment with JBoss seems to suggest that the principal object
returned by EJBContext.getCallerPrincipal is shared between all the EJB clients
that have been authenticated with the same user id and password and that as
long as JBoss is caching the authentication information (default
It might, but I am not familiar enough with the password-stack mechanism to be
100% sure.
Thomas
I do not think you can really pair the two modules together although I am not
certain (but possible only if they have been designed to do that).
One option is to use the ldaploginmodule "as is" and write your own
databaseserverloginmodule (you can restart from the JBoss one) to skip the
authen
Thanks a lot for the answer Scott.
I am glad to see that my understanding was not totally wrong.
I did notice this JSR but as the spec is not available for download and the
activity seems to be fairly low, I could not verify that this will be my
answer.
I guess I will just have to wait and c
This is probably more a pure J2EE related question than a JBoss specific one,
but I did not find a lot of literature on this subject.
JAAS defines an extensible authentication mechanism, where, at the end, you end
up with a Subject containing all the principals created through the
authenticatio
I believe that with a custom JAAS login module (both server and client), you
should be able to provide the extra "client type" information from the client
(using a custom JAAS module on the client that does "similar" things as the
default JBoss client module) and, on the server, using another J
I understand now. Thanks for the details.
I never tried to implement it, but, I think that the only way to do a fairly
secure SSO mechanism between your client and server on windows is to use
something like windows SSPI (see
http://www.winterdom.com/dev/security/sspi.html) to implement a JAAS lo
By adding a callback (like a TextInputCallback) in the client to add the ip
address and by having a custom login module on the server to understand this
extra callback and add it to the subject, you should be able to achieve what
you need.
Thomas
Can you provide a little more detail on your JAAS configuration on both the
client and server side?
I am just curious on how it is really working (in a secure way) if only the
user name is sent from the client.
Thanks.
Thomas
If the 2003 domain is using Active Directory (which, I think, is always the
case), then LDAP is probably your best bet since Active Directory is LDAP
compatible and the corresponding JAAS login module is delivered in standard
with JBoss.
As long as the application is using J2EE standard authen
I do not think that there is any standard J2EE way to do that.
The JAAS way will be something like that:
| import java.security.AccessController;
| import javax.security.auth.Subject;
|
| Subject sub = Subject.getSubject (AccessController.getContext());
|
But this will work only
After continuing doing some research on the subject, I am still coming back to
the idea of using the principal to do that.
The main reason for me to do that is this is the only way I found to do
something that has a chance to work on "all" (WebSphere, WebLogic and JBoss)
application servers w
This is the right file, but it is not located through the classpath.
Check
http://java.sun.com/j2se/1.4.2/docs/guide/security/jaas/spec/com/sun/security/auth/login/ConfigFile.html.
Thomas
You are missing the auth.conf file holding the client side JAAS configuration.
Take a look at the JAAS tutorial in the JDK1.4 documentation.
For JBoss the JBoss ClientLoginModule must be used (there are multiple posts in
this forum also talking about that).
Thomas
Good luck :-)
I gave you most of the needed pointers to configure JAAS with JBoss.
The rest is up to you and your application.
Thomas
I guess that what you mean is any docs on using the windows server domain as a
JAAS authentication source, correct?
If this is correct, then the next question is what kind of windows domain is
used for your server?
If this is an active directory, then your best bet is probably to use the LDAP
Then you need to get more details on what your application is really requiring.
The pointer I gave you below might help you asking the right questions.
Thomas
As far as I understand, authentication through the JNDI context is not
supported by JBoss.
So, if you want to do it anyway, you will need to develop your own JBoss
specific code to support it (or wait until JBoss supports it).
The other "standard" authentication mechanism is to use JAAS. I do bel
Glad I could help.
As tagish is also open source, if possible, you should submit your login module
to the JBoss guys.
I have seen a few people through the mailing list that were looking for such
capabilities.
Thomas
I am not a JRMP/SSL expert, but if it requires a security domain, then the rest
of the setup is the correct one.
Thomas
I believe that you will have to explicitly say in the ejb-jar.xml that no roles
checking is required:
| <method-permission>
|   <unchecked/>
|   <method><ejb-name>[your bean name]</ejb-name><method-name>*</method-name></method>
| </method-permission>
Thomas
Everything depends on how you configured the NTSystemLogin.
Without any coding, just by adding it as a JAAS login module in the
login-config.xml, the authentication should work, but the mapping between the
windows group and the roles is not done: JAAS does not define how to do that
so each app
It seems that your Notes JVM is definitely missing some classes/jar files in
order to fully execute a JAAS login.
At least this is the way I understand your stack trace.
Configuring the login module between the web and ejb container is not
necessarily the easiest thing to do.
I would recommend i
This looks correct to me.
com.sun.security.auth.login.ConfigFile is the default configuration provider
that understands the auth.conf file format and location that you are defining.
Without a stack trace, it is hard to further diagnose your problem.
Thomas
Check the javadoc that I pointed out before
(http://java.sun.com/j2se/1.4.2/docs/guide/security/jaas/spec/com/sun/security/auth/login/ConfigFile.html
and
http://java.sun.com/j2se/1.4.2/docs/api/javax/security/auth/login/Configuration.html).
They should really tell you everything that you need t
I am no JNDI authentication expert (except that I read somewhere that JBoss
does not support it).
For the JAAS one, the JAAS tutorial available with the standard JDK provides
all the answers you need, in particular about this auth.conf file that can be
located anywhere as long as you provide a p
I believe that what is wrong in your setup is the login module configured in
your login-config.xml.
In order to use the user and role flat files, the login module to use (code
attribute of the login-module element) is
org.jboss.security.auth.spi.UsersRolesLoginModule and not
org.jboss.security.
With JAAS, there are really two security contexts to configure. One on the
server and one on the client.
According to your email it seems that you configured the one on the server
correctly.
On the client, you need to perform a JAAS login that will use the
org.jboss.security.ClientLoginModule JA
Agree, it was typed a little too quickly, but you should, at least, check the
javadoc of the javax.servlet.http.HttpServletRequest class.
getPrincipal is a method, not a public instance variable (Java 101 ...).
Try request.getPrincipal().getName() instead.
Thomas
See http://www.jboss.org/index.html?module=bb&op=viewtopic&p=3859817
The isCallerInRole on the EJBContext object can be used to test user roles, and
the isUserInRole on the HttpServletRequest can be used to do the same in a
servlet context.
There is no standard J2EE way to get the list of role
This is strange.
You are using the standard JBoss client login module in your client. As far as
I know this guy does not encrypt anything.
I have a custom JAAS login module with JBoss 3.2.6 and the client also uses the
standard JBoss client login module and I have no problem getting the password.
I believe that if the password is encrypted it is the "client" who did it.
The next question is what is your client? Standalone EJB client application,
servlet, others?
You need to determine the JAAS configuration of this client in order to figure
out who/how the password is encrypted.
If com
Thanks for the feedback.
I agree, it does not seem that JSR 149 is going anywhere (not sure why).
The only details that I have on the webSphere implementation is their
documentation
(http://publib.boulder.ibm.com/infocenter/ws51help/index.jsp?topic=/com.ibm.wasee.doc/info/ee/ae/rprf_workareatune
I have done some reading about being able to transparently (without changing
method signature) pass context information across the different tiers and
components of an app server.
It seems that WebSphere provides this Work Area service (JSR 149), WebLogic
does not provide anything (except a sam
I do not think you are violating any J2EE standards if you are implementing all
that on your own.
It is the same thing as saying that you are using something like Hibernate to
manage persistence instead of entity beans. You are not violating the J2EE
principles when doing that, you are just no
Using JAAS in the app server context usually involves 3 different things:
1) Configuring the required JAAS login module(s) with the application server.
2) Associating the JAAS configuration with the EJB components
3) Using the proper JAAS configuration on the client application side (servlet
o
I do not have an answer to your question (sorry) but I am curious to know how
you configured the JDBC source in JBoss in order for it to use the client
identity to connect to the database.
Could you send some details about this configuration?
Thanks.
JBoss does not use the Authorization part of JAAS (the one that will allow you
to do access control on Java classes).
But it does use JAAS for Authentication, meaning that a Subject is created.
You will have to create a Security interceptor in order to do the Subject.doAs
to invoke the requested
Ok. Thanks for the answer.
Thomas