geronimo-user mailing list archives

From Oleg Nitz ...@ibis.ua>
Subject Please help me to understand JAAS login for standalone client
Date Wed, 22 Aug 2007 14:09:03 GMT
Hi All,

I am trying to set up JAAS login for standalone client.
On server I have successfully deployed EAR with the following security 
section in geronimo-application.xml:

    <security xmlns="http://geronimo.apache.org/xml/ns/security-1.1">
        <default-principal realm-name="irbis">
            <principal class="org.apache.geronimo.security.realm.providers.GeronimoUserPrincipal"
                       name="anonymous"/>
        </default-principal>
        <role-mappings>
            <role role-name="user">
                <realm realm-name="irbis">
                    <principal name="user"
                               class="org.apache.geronimo.security.realm.providers.GeronimoGroupPrincipal"/>
                </realm>
            </role>
        </role-mappings>
    </security>

    <gbean name="irbis"
           class="org.apache.geronimo.security.realm.GenericSecurityRealm">
        <attribute name="realmName">irbis</attribute>
        <reference name="ServerInfo">
            <name>ServerInfo</name>
        </reference>
        <reference name="LoginService">
            <name>JaasLoginService</name>
        </reference>
        <xml-reference name="LoginModuleConfiguration">
            <login-config xmlns="http://geronimo.apache.org/xml/ns/loginconfig-1.1">
                <login-module control-flag="REQUIRED" server-side="true" wrap-principals="true">
                    <login-domain-name>irbis</login-domain-name>
                    <login-module-class>ua.odessa.ibis.start.IServerLoginModuleGeneric</login-module-class>
                </login-module>
            </login-config>
        </xml-reference>
    </gbean>

Client code:

import java.util.Properties;
import javax.naming.InitialContext;
import javax.rmi.PortableRemoteObject;
import javax.security.auth.login.LoginContext;

// Client-side JAAS login against the "irbis" realm
LoginContext lc = new LoginContext("irbis", _callbackHandler);
lc.login();

...

// Principal and credentials handed to the OpenEJB remote JNDI provider
Properties props = new Properties();

props.setProperty("java.naming.factory.initial",
                  "org.openejb.client.RemoteInitialContextFactory");
props.setProperty("java.naming.provider.url", "localhost:4201");
props.setProperty("java.naming.security.principal", "admin");
props.setProperty("java.naming.security.credentials", "******");
InitialContext ic = new InitialContext(props);
UserRegistryHome regHome = (UserRegistryHome)
        PortableRemoteObject.narrow(ic.lookup("<bean jndi name>"),
                                    UserRegistryHome.class);

The first piece of code with lc.login() works fine, server login module 
is invoked. But I am not sure that Geronimo stores the principal and the 
credentials from the login somewhere in order to use them later during bean 
method invocation (as JBoss does). Probably this piece of code is 
useless for Geronimo, right?
So I provide principal and credentials during JNDI lookup() as Geronimo 
documentation suggests. I hoped they were somehow transferred to the server 
LoginModule. But they are not. Instead I am getting the following exception:

java.rmi.AccessException: access denied (javax.security.jacc.EJBMethodPermission core.user.registry.UserRegistry create,Home,)
        at org.openejb.security.EJBSecurityInterceptor.invoke(EJBSecurityInterceptor.java:106)
        at org.openejb.security.EJBRunAsInterceptor.invoke(EJBRunAsInterceptor.java:85)
        at org.openejb.slsb.StatelessInstanceInterceptor.invoke(StatelessInstanceInterceptor.java:98)
        at org.openejb.transaction.ContainerPolicy$TxSupports.invoke(ContainerPolicy.java:198)
        at org.openejb.transaction.TransactionContextInterceptor.invoke(TransactionContextInterceptor.java:80)
        at org.openejb.SystemExceptionInterceptor.invoke(SystemExceptionInterceptor.java:82)
        at org.openejb.GenericEJBContainer$DefaultSubjectInterceptor.invoke(GenericEJBContainer.java:549)
        at org.openejb.GenericEJBContainer.invoke(GenericEJBContainer.java:238)
        at org.openejb.server.ejbd.EjbRequestHandler.invoke(EjbRequestHandler.java:297)
        at org.openejb.server.ejbd.EjbRequestHandler.doEjbHome_CREATE(EjbRequestHandler.java:342)
        at org.openejb.server.ejbd.EjbRequestHandler.processRequest(EjbRequestHandler.java:206)
        at org.openejb.server.ejbd.EjbDaemon.service(EjbDaemon.java:150)
        at org.openejb.server.ejbd.EjbServer.service(EjbServer.java:87)
        at org.openejb.server.ejbd.EjbServer$$FastClassByCGLIB$$d379d2ff.invoke(<generated>)
        at net.sf.cglib.reflect.FastMethod.invoke(FastMethod.java:53)
        at org.apache.geronimo.gbean.runtime.FastMethodInvoker.invoke(FastMethodInvoker.java:38)
        at org.apache.geronimo.gbean.runtime.GBeanOperation.invoke(GBeanOperation.java:122)
        at org.apache.geronimo.gbean.runtime.GBeanInstance.invoke(GBeanInstance.java:817)
        at org.apache.geronimo.gbean.runtime.RawInvoker.invoke(RawInvoker.java:57)
        at org.apache.geronimo.kernel.basic.RawOperationInvoker.invoke(RawOperationInvoker.java:35)
        at org.apache.geronimo.kernel.basic.ProxyMethodInterceptor.intercept(ProxyMethodInterceptor.java:96)
        at org.activeio.xnet.ServerService$$EnhancerByCGLIB$$6635a4ab.service(<generated>)
        at org.activeio.xnet.ServicePool$2.run(ServicePool.java:67)
        at org.activeio.xnet.ServicePool$3.run(ServicePool.java:90)
        at org.apache.geronimo.pool.ThreadPool$1.run(ThreadPool.java:172)
        at org.apache.geronimo.pool.ThreadPool$ContextClassLoaderRunnable.run(ThreadPool.java:289)
        at EDU.oswego.cs.dl.util.concurrent.PooledExecutor$Worker.run(Unknown Source)
        at java.lang.Thread.run(Thread.java:595)

Under debugger I see that inside EJBSecurityInterceptor the wrong 
Subject is used, it's "anonymous", which is declared as 
default-principal, and not "admin", which is passed to JNDI context.
What am I doing wrong?

Thanks in advance,
Oleg
