Posted to user@geronimo.apache.org by Oleg Nitz <on...@ibis.ua> on 2007/08/22 16:09:03 UTC

Please help me to understand JAAS login for a standalone client

Hi All,

I am trying to set up JAAS login for a standalone client.
On the server I have successfully deployed an EAR with the following security
section in geronimo-application.xml:

     <security xmlns="http://geronimo.apache.org/xml/ns/security-1.1">
         <default-principal realm-name="irbis">
             <principal class="org.apache.geronimo.security.realm.providers.GeronimoUserPrincipal"
                        name="anonymous"/>
         </default-principal>
         <role-mappings>
             <role role-name="user">
                 <realm realm-name="irbis">
                     <principal name="user"
                                class="org.apache.geronimo.security.realm.providers.GeronimoGroupPrincipal"/>
                 </realm>
             </role>
         </role-mappings>
     </security>

     <gbean name="irbis"
         class="org.apache.geronimo.security.realm.GenericSecurityRealm">
         <attribute name="realmName">irbis</attribute>
         <reference name="ServerInfo">
             <name>ServerInfo</name>
         </reference>
         <reference name="LoginService">
             <name>JaasLoginService</name>
         </reference>
         <xml-reference name="LoginModuleConfiguration">
             <login-config xmlns="http://geronimo.apache.org/xml/ns/loginconfig-1.1">
                 <login-module control-flag="REQUIRED" server-side="true" wrap-principals="true">
                     <login-domain-name>irbis</login-domain-name>
                     <login-module-class>ua.odessa.ibis.start.IServerLoginModuleGeneric</login-module-class>
                 </login-module>
             </login-config>
         </xml-reference>
     </gbean>

Client code:

LoginContext lc = new LoginContext("irbis", _callbackHandler);
lc.login();

...

Properties props = new Properties();

props.setProperty("java.naming.factory.initial",
                   "org.openejb.client.RemoteInitialContextFactory");
props.setProperty("java.naming.provider.url", "localhost:4201");
props.setProperty("java.naming.security.principal", "admin");
props.setProperty("java.naming.security.credentials", "******");
InitialContext ic = new InitialContext(props);
UserRegistryHome regHome = (UserRegistryHome)
                PortableRemoteObject.narrow(ic.lookup("<bean jndi name>"),
                                            UserRegistryHome.class);

The first piece of code with lc.login() works fine; the server login module
is invoked. But I am not sure that Geronimo stores the principal and the
credentials from the login somewhere in order to use them later during bean
method invocation (as JBoss does). Probably this piece of code is
useless for Geronimo, right?
So I provide the principal and credentials during the JNDI lookup() as the Geronimo
documentation suggests. I hoped they were somehow transferred to the server
LoginModule. But they are not. Instead I am getting the following exception:

java.rmi.AccessException: access denied (javax.security.jacc.EJBMethodPermission core.user.registry.UserRegistry create,Home,)
         at org.openejb.security.EJBSecurityInterceptor.invoke(EJBSecurityInterceptor.java:106)
         at org.openejb.security.EJBRunAsInterceptor.invoke(EJBRunAsInterceptor.java:85)
         at org.openejb.slsb.StatelessInstanceInterceptor.invoke(StatelessInstanceInterceptor.java:98)
         at org.openejb.transaction.ContainerPolicy$TxSupports.invoke(ContainerPolicy.java:198)
         at org.openejb.transaction.TransactionContextInterceptor.invoke(TransactionContextInterceptor.java:80)
         at org.openejb.SystemExceptionInterceptor.invoke(SystemExceptionInterceptor.java:82)
         at org.openejb.GenericEJBContainer$DefaultSubjectInterceptor.invoke(GenericEJBContainer.java:549)
         at org.openejb.GenericEJBContainer.invoke(GenericEJBContainer.java:238)
         at org.openejb.server.ejbd.EjbRequestHandler.invoke(EjbRequestHandler.java:297)
         at org.openejb.server.ejbd.EjbRequestHandler.doEjbHome_CREATE(EjbRequestHandler.java:342)
         at org.openejb.server.ejbd.EjbRequestHandler.processRequest(EjbRequestHandler.java:206)
         at org.openejb.server.ejbd.EjbDaemon.service(EjbDaemon.java:150)
         at org.openejb.server.ejbd.EjbServer.service(EjbServer.java:87)
         at org.openejb.server.ejbd.EjbServer$$FastClassByCGLIB$$d379d2ff.invoke(<generated>)
         at net.sf.cglib.reflect.FastMethod.invoke(FastMethod.java:53)
         at org.apache.geronimo.gbean.runtime.FastMethodInvoker.invoke(FastMethodInvoker.java:38)
         at org.apache.geronimo.gbean.runtime.GBeanOperation.invoke(GBeanOperation.java:122)
         at org.apache.geronimo.gbean.runtime.GBeanInstance.invoke(GBeanInstance.java:817)
         at org.apache.geronimo.gbean.runtime.RawInvoker.invoke(RawInvoker.java:57)
         at org.apache.geronimo.kernel.basic.RawOperationInvoker.invoke(RawOperationInvoker.java:35)
         at org.apache.geronimo.kernel.basic.ProxyMethodInterceptor.intercept(ProxyMethodInterceptor.java:96)
         at org.activeio.xnet.ServerService$$EnhancerByCGLIB$$6635a4ab.service(<generated>)
         at org.activeio.xnet.ServicePool$2.run(ServicePool.java:67)
         at org.activeio.xnet.ServicePool$3.run(ServicePool.java:90)
         at org.apache.geronimo.pool.ThreadPool$1.run(ThreadPool.java:172)
         at org.apache.geronimo.pool.ThreadPool$ContextClassLoaderRunnable.run(ThreadPool.java:289)
         at EDU.oswego.cs.dl.util.concurrent.PooledExecutor$Worker.run(Unknown Source)
         at java.lang.Thread.run(Thread.java:595)

Under the debugger I see that inside EJBSecurityInterceptor the wrong
Subject is used: it's "anonymous", which is declared as the
default-principal, and not "admin", which is passed to the JNDI context.
What am I doing wrong?

Thanks in advance,
Oleg


Re: Please help me to understand JAAS login for a standalone client

Posted by David Blevins <da...@visi.com>.
David, do you know if the SecurityProvider in Geronimo will supply a  
default value of realm when plain user/pass login is done?

If so, then JNDI login as follows should work:

    props.setProperty("java.naming.security.principal", "admin");
    props.setProperty("java.naming.security.credentials", "******");
    InitialContext ic = new InitialContext(props);

So should the ClientLoginModule built into the openejb-client jar.

And I'll go on record again saying I think supporting realm as a  
"namespace" in the username is a nice non-required feature.  Then you  
could support:

    props.setProperty("java.naming.security.principal", "irbis:admin");
    props.setProperty("java.naming.security.credentials", "******");
    InitialContext ic = new InitialContext(props);

Could even make the separator configurable in the server.

-David

On Aug 22, 2007, at 2:44 PM, David Jencks wrote:

> IIRC there was a way to do a remote login from a non-j2ee app  
> client in 1.1 but it was very hard and I don't remember how to get  
> it to work.
>
> Can you switch to 2.0.1?  I'm not sure if the jndi security  
> parameters will result in a successful login but I think you can  
> use the OpenejbRemoteLoginModule to do a remote login over the  
> openejb protocol and this should save a token in the client that  
> identifies the server Subject.  I don't know if anyone has tested  
> this with a non-ee client but I don't know of any reason it  
> shouldn't work.  Maybe david blevins has more of an idea if  
> anything else needs to be configured in the client.  You would need  
> the geronimo-openejb jar in the client's classpath along with the  
> openejb client jar.
>
> thanks
> david jencks

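The realm-qualified login David describes above ("irbis:admin", a configurable separator, a default realm when none is given) together with the JAAS client login from Oleg's first post, as an added example that is not code from this thread, from Geronimo or from OpenEJB: a plain JAAS LoginModule, a programmatic Configuration and a CallbackHandler fed from the same JNDI property keys the client already sets. RealmQualifiedLoginDemo, InMemoryLoginModule, RealmPrincipal, the "separator"/"defaultRealm" option names and the user table are all constructed for this demo.

```java
import java.security.Principal;
import java.util.*;
import javax.security.auth.Subject;
import javax.security.auth.callback.*;
import javax.security.auth.login.*;
import javax.security.auth.spi.LoginModule;

public class RealmQualifiedLoginDemo {
    // Splits "realm<sep>user" at the first separator; a bare user name (or an empty
    // realm part) falls back to the server-side default realm.
    static String[] splitRealm(String principal, char sep, String defaultRealm) {
        int i = principal.indexOf(sep);
        if (i < 0) return new String[] { defaultRealm, principal };
        String realm = principal.substring(0, i), user = principal.substring(i + 1);
        return new String[] { realm.isEmpty() ? defaultRealm : realm, user };
    }

    // Principal that records which realm authenticated it (hypothetical, not Geronimo's class).
    static final class RealmPrincipal implements Principal {
        private final String realm, name;
        RealmPrincipal(String realm, String name) { this.realm = realm; this.name = name; }
        public String getName() { return realm + ":" + name; }
        public String toString() { return getName(); }
    }

    // Login module that checks the callbacks against a constructed per-realm password table.
    public static final class InMemoryLoginModule implements LoginModule {
        static final Map<String, Map<String, char[]>> REALMS = new HashMap<>();
        static { REALMS.put("irbis", Collections.singletonMap("admin", "s3cret".toCharArray())); }
        private Subject subject; private CallbackHandler handler;
        private Map<String, ?> options; private RealmPrincipal authenticated;

        public void initialize(Subject subject, CallbackHandler handler,
                               Map<String, ?> sharedState, Map<String, ?> options) {
            this.subject = subject; this.handler = handler; this.options = options;
        }

        public boolean login() throws LoginException {
            NameCallback nc = new NameCallback("user: ");
            PasswordCallback pc = new PasswordCallback("password: ", false);
            try { handler.handle(new Callback[] { nc, pc }); }
            catch (Exception e) { throw new LoginException("callback handler failed: " + e); }
            char sep = ((String) options.get("separator")).charAt(0);
            String[] rn = splitRealm(nc.getName(), sep, (String) options.get("defaultRealm"));
            Map<String, char[]> users = REALMS.get(rn[0]);
            char[] pw = pc.getPassword(); pc.clearPassword();
            // An unknown realm and an unknown user both compare against a null expected password.
            if (users == null || !Arrays.equals(users.get(rn[1]), pw)) {
                throw new FailedLoginException("bad credentials for " + rn[0] + ":" + rn[1]);
            }
            authenticated = new RealmPrincipal(rn[0], rn[1]);
            return true;
        }
        public boolean commit() { subject.getPrincipals().add(authenticated); return true; }
        public boolean abort()  { authenticated = null; return true; }
        public boolean logout() { subject.getPrincipals().clear(); return true; }
    }

    // Programmatic JAAS configuration (no jaas.conf needed); separator and default realm are
    // module options, i.e. they are settled on the server side as David suggests.
    static Configuration config(final String separator, final String defaultRealm) {
        return new Configuration() {
            public AppConfigurationEntry[] getAppConfigurationEntry(String name) {
                Map<String, String> opts = new HashMap<>();
                opts.put("separator", separator);
                opts.put("defaultRealm", defaultRealm);
                return new AppConfigurationEntry[] { new AppConfigurationEntry(
                    InMemoryLoginModule.class.getName(),
                    AppConfigurationEntry.LoginModuleControlFlag.REQUIRED, opts) };
            }
        };
    }

    // Feeds the same property keys the client hands to InitialContext into the JAAS callbacks.
    static CallbackHandler fromJndiProps(final Properties props) {
        return callbacks -> {
            for (Callback cb : callbacks) {
                if (cb instanceof NameCallback) {
                    ((NameCallback) cb).setName(props.getProperty("java.naming.security.principal"));
                } else if (cb instanceof PasswordCallback) {
                    ((PasswordCallback) cb).setPassword(props.getProperty("java.naming.security.credentials").toCharArray());
                } else {
                    throw new UnsupportedCallbackException(cb);
                }
            }
        };
    }

    static Set<Principal> login(Properties props) throws LoginException {
        LoginContext lc = new LoginContext("irbis", new Subject(), fromJndiProps(props), config(":", "irbis"));
        lc.login();
        return lc.getSubject().getPrincipals();
    }

    public static void main(String[] args) throws Exception {
        Properties props = new Properties();
        props.setProperty("java.naming.security.credentials", "s3cret");
        props.setProperty("java.naming.security.principal", "irbis:admin"); // realm-qualified name
        System.out.println("qualified name -> " + login(props));
        props.setProperty("java.naming.security.principal", "admin");       // default realm applies
        System.out.println("bare name      -> " + login(props));
        props.setProperty("java.naming.security.principal", "other:admin"); // unknown realm is rejected
        try { login(props); } catch (LoginException e) { System.out.println("rejected -> " + e.getMessage()); }
    }
}
```

The Subject this populates lives only in the client JVM; nothing in this code carries it to the server, which is exactly the propagation step the thread is about.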

Re: Please help me to understand JAAS login for a standalone client

Posted by Oleg Nitz <on...@ibis.ua>.
Hi David & David,

Thank you for your answers. I can't switch to 2.0.1 right now; I have
a task to use WebSphere Application Server Community Edition, which is
currently based on Geronimo 1.1.1.
Okay, I will do some fak.. *cough* workaround for now and will return to
this later, when WAS CE moves to Geronimo 2.0.

Thanks,
Oleg

David Jencks wrote:
> IIRC there was a way to do a remote login from a non-j2ee app client in 
> 1.1 but it was very hard and I don't remember how to get it to work.
> 
> Can you switch to 2.0.1?  I'm not sure if the jndi security parameters 
> will result in a successful login but I think you can use the 
> OpenejbRemoteLoginModule to do a remote login over the openejb protocol 
> and this should save a token in the client that identifies the server 
> Subject.  I don't know if anyone has tested this with a non-ee client 
> but I don't know of any reason it shouldn't work.  Maybe david blevins 
> has more of an idea if anything else needs to be configured in the 
> client.  You would need the geronimo-openejb jar in the client's 
> classpath along with the openejb client jar.
> 
> thanks
> david jencks



Re: Please help me to understand JAAS login for a standalone client

Posted by David Jencks <da...@yahoo.com>.
IIRC there was a way to do a remote login from a non-j2ee app client  
in 1.1 but it was very hard and I don't remember how to get it to work.

Can you switch to 2.0.1?  I'm not sure if the jndi security  
parameters will result in a successful login but I think you can use  
the OpenejbRemoteLoginModule to do a remote login over the openejb  
protocol and this should save a token in the client that identifies  
the server Subject.  I don't know if anyone has tested this with a  
non-ee client but I don't know of any reason it shouldn't work.   
Maybe david blevins has more of an idea if anything else needs to be  
configured in the client.  You would need the geronimo-openejb jar in  
the client's classpath along with the openejb client jar.

thanks
david jencks

On Aug 22, 2007, at 9:24 AM, David Blevins wrote:

> Hi Oleg,
>
> This feature was added to the standalone client in Geronimo 2.0.
>
> -David


Re: Please help me to understand JAAS login for a standalone client

Posted by David Blevins <da...@visi.com>.
Hi Oleg,

This feature was added to the standalone client in Geronimo 2.0.

-David
