geronimo-user mailing list archives

From Oleg Nitz ...@ibis.ua>
Subject Re: Please help me to understand JAAS login for standalone client
Date Thu, 23 Aug 2007 10:29:00 GMT
Hi David & David,

Thank you for your answers. I can't switch to 2.0.1 right now; I have
a task to use WebSphere Application Server Community Edition, which is
currently based on Geronimo 1.1.1.
Okay, I will do some fak.. *cough* workaround for now and will return to
this later, when WAS CE moves to Geronimo 2.0.

Thanks,
Oleg

David Jencks wrote:
> IIRC there was a way to do a remote login from a non-j2ee app client in 
> 1.1 but it was very hard and I don't remember how to get it to work.
> 
> Can you switch to 2.0.1?  I'm not sure if the jndi security parameters 
> will result in a successful login but I think you can use the 
> OpenejbRemoteLoginModule to do a remote login over the openejb protocol 
> and this should save a token in the client that identifies the server 
> Subject.  I don't know if anyone has tested this with a non-ee client 
> but I don't know of any reason it shouldn't work.  Maybe david blevins 
> has more of an idea if anything else needs to be configured in the 
> client.  You would need the geronimo-openejb jar in the client's 
> classpath along with the openejb client jar.
> 
> thanks
> david jencks
> 
> On Aug 22, 2007, at 9:24 AM, David Blevins wrote:
> 
>> Hi Oleg,
>>
>> This feature was added to the standalone client in Geronimo 2.0.
>>
>> -David
>>
>> On Aug 22, 2007, at 7:09 AM, Oleg Nitz wrote:
>>
>>> Hi All,
>>>
>>> I am trying to set up JAAS login for standalone client.
>>> On server I have successfully deployed EAR with the following 
>>> security section in geronimo-application.xml:
>>>
>>>     <security xmlns="http://geronimo.apache.org/xml/ns/security-1.1">
>>>         <default-principal realm-name="irbis">
>>>             <principal class="org.apache.geronimo.security.realm.providers.GeronimoUserPrincipal"
>>>                        name="anonymous"/>
>>>         </default-principal>
>>>         <role-mappings>
>>>             <role role-name="user">
>>>                 <realm realm-name="irbis">
>>>                     <principal name="user"
>>>                                class="org.apache.geronimo.security.realm.providers.GeronimoGroupPrincipal"/>
>>>                 </realm>
>>>             </role>
>>>         </role-mappings>
>>>     </security>
>>>
>>>     <gbean name="irbis"
>>>         class="org.apache.geronimo.security.realm.GenericSecurityRealm">
>>>         <attribute name="realmName">irbis</attribute>
>>>         <reference name="ServerInfo">
>>>             <name>ServerInfo</name>
>>>         </reference>
>>>         <reference name="LoginService">
>>>             <name>JaasLoginService</name>
>>>         </reference>
>>>         <xml-reference name="LoginModuleConfiguration">
>>>             <login-config xmlns="http://geronimo.apache.org/xml/ns/loginconfig-1.1">
>>>                 <login-module control-flag="REQUIRED" server-side="true" wrap-principals="true">
>>>                     <login-domain-name>irbis</login-domain-name>
>>>                     <login-module-class>ua.odessa.ibis.start.IServerLoginModuleGeneric</login-module-class>
>>>                 </login-module>
>>>             </login-config>
>>>         </xml-reference>
>>>     </gbean>
>>>
>>> Client code:
>>>
>>> LoginContext lc = new LoginContext("irbis", _callbackHandler);
>>> lc.login();
>>>
>>> ...
>>>
>>> Properties props = new Properties();
>>>
>>> props.setProperty("java.naming.factory.initial",
>>>                   "org.openejb.client.RemoteInitialContextFactory");
>>> props.setProperty("java.naming.provider.url", "localhost:4201");
>>> props.setProperty("java.naming.security.principal", "admin");
>>> props.setProperty("java.naming.security.credentials", "******");
>>> InitialContext ic = new InitialContext(props);
>>> UserRegistryHome regHome = (UserRegistryHome)
>>>                PortableRemoteObject.narrow(ic.lookup("<bean jndi name>"),
>>>                                            UserRegistryHome.class);
>>>
>>> The first piece of code with lc.login() works fine; the server login
>>> module is invoked. But I am not sure that Geronimo stores the
>>> principal and the credentials from the login somewhere in order to use
>>> them later during bean method invocation (as JBoss does). Probably
>>> this piece of code is useless for Geronimo, right?
>>> So I provide principal and credentials during JNDI lookup() as 
>>> Geronimo documentation suggests. I hoped they were somehow 
>>> transferred to server LoginModule. But they are not. Instead I am 
>>> getting the following exception:
>>>
>>> java.rmi.AccessException: access denied (javax.security.jacc.EJBMethodPermission core.user.registry.UserRegistry create,Home,)
>>>         at org.openejb.security.EJBSecurityInterceptor.invoke(EJBSecurityInterceptor.java:106)
>>>         at org.openejb.security.EJBRunAsInterceptor.invoke(EJBRunAsInterceptor.java:85)
>>>         at org.openejb.slsb.StatelessInstanceInterceptor.invoke(StatelessInstanceInterceptor.java:98)
>>>         at org.openejb.transaction.ContainerPolicy$TxSupports.invoke(ContainerPolicy.java:198)
>>>         at org.openejb.transaction.TransactionContextInterceptor.invoke(TransactionContextInterceptor.java:80)
>>>         at org.openejb.SystemExceptionInterceptor.invoke(SystemExceptionInterceptor.java:82)
>>>         at org.openejb.GenericEJBContainer$DefaultSubjectInterceptor.invoke(GenericEJBContainer.java:549)
>>>         at org.openejb.GenericEJBContainer.invoke(GenericEJBContainer.java:238)
>>>         at org.openejb.server.ejbd.EjbRequestHandler.invoke(EjbRequestHandler.java:297)
>>>         at org.openejb.server.ejbd.EjbRequestHandler.doEjbHome_CREATE(EjbRequestHandler.java:342)
>>>         at org.openejb.server.ejbd.EjbRequestHandler.processRequest(EjbRequestHandler.java:206)
>>>         at org.openejb.server.ejbd.EjbDaemon.service(EjbDaemon.java:150)
>>>         at org.openejb.server.ejbd.EjbServer.service(EjbServer.java:87)
>>>         at org.openejb.server.ejbd.EjbServer$$FastClassByCGLIB$$d379d2ff.invoke(<generated>)
>>>         at net.sf.cglib.reflect.FastMethod.invoke(FastMethod.java:53)
>>>         at org.apache.geronimo.gbean.runtime.FastMethodInvoker.invoke(FastMethodInvoker.java:38)
>>>         at org.apache.geronimo.gbean.runtime.GBeanOperation.invoke(GBeanOperation.java:122)
>>>         at org.apache.geronimo.gbean.runtime.GBeanInstance.invoke(GBeanInstance.java:817)
>>>         at org.apache.geronimo.gbean.runtime.RawInvoker.invoke(RawInvoker.java:57)
>>>         at org.apache.geronimo.kernel.basic.RawOperationInvoker.invoke(RawOperationInvoker.java:35)
>>>         at org.apache.geronimo.kernel.basic.ProxyMethodInterceptor.intercept(ProxyMethodInterceptor.java:96)
>>>         at org.activeio.xnet.ServerService$$EnhancerByCGLIB$$6635a4ab.service(<generated>)
>>>         at org.activeio.xnet.ServicePool$2.run(ServicePool.java:67)
>>>         at org.activeio.xnet.ServicePool$3.run(ServicePool.java:90)
>>>         at org.apache.geronimo.pool.ThreadPool$1.run(ThreadPool.java:172)
>>>         at org.apache.geronimo.pool.ThreadPool$ContextClassLoaderRunnable.run(ThreadPool.java:289)
>>>         at EDU.oswego.cs.dl.util.concurrent.PooledExecutor$Worker.run(Unknown Source)
>>>         at java.lang.Thread.run(Thread.java:595)
>>>
>>> Under debugger I see that inside EJBSecurityInterceptor the wrong 
>>> Subject is used, it's "anonymous", which is declared as 
>>> default-principal, and not "admin", which is passed to JNDI context.
>>> What am I doing wrong?
>>>
>>> Thanks in advance,
>>> Oleg
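The check a practitioner would want after reading this thread, added here as an example and not code from the original message or from the Geronimo/OpenEJB projects: the identity that EJBMethodPermission is evaluated against is whatever the server-side container binds to the invocation, which is the identity the remote protocol carried, not the Subject the client built locally with LoginContext.login(). The quickest way to see which identity the server actually received is a trivial bean that reports SessionContext.getCallerPrincipal(), compared against the realm's default-principal. The names WhoAmIHome / WhoAmI / WhoAmIBean, the JNDI name "WhoAmIHome", the "irbis" JAAS entry on the client and the command-line credential source are assumptions for illustration; the JNDI properties are the ones from the message above.

```java
// Added example (not from the original message or the Geronimo project).
// Assumed names: WhoAmIHome / WhoAmI / WhoAmIBean, JNDI name "WhoAmIHome",
// client-side JAAS entry "irbis", credentials taken from the command line.

// --- WhoAmIHome.java (assumed EJB 2.x home interface) ---
import java.rmi.RemoteException;
import javax.ejb.CreateException;
import javax.ejb.EJBHome;

public interface WhoAmIHome extends EJBHome {
    WhoAmI create() throws CreateException, RemoteException;
}

// --- WhoAmI.java (assumed remote interface) ---
import java.rmi.RemoteException;
import javax.ejb.EJBObject;

public interface WhoAmI extends EJBObject {
    String callerName() throws RemoteException;
}

// --- WhoAmIBean.java (assumed stateless session bean) ---
import java.security.Principal;
import javax.ejb.SessionBean;
import javax.ejb.SessionContext;

public class WhoAmIBean implements SessionBean {
    private SessionContext ctx;

    public void setSessionContext(SessionContext ctx) { this.ctx = ctx; }
    public void ejbCreate() {}
    public void ejbRemove() {}
    public void ejbActivate() {}
    public void ejbPassivate() {}

    // Reports the identity the container bound to this invocation. If the
    // client's credentials never reached the server-side login module, this
    // is the realm's default-principal ("anonymous" in the plan above).
    public String callerName() {
        Principal p = ctx.getCallerPrincipal();
        return p == null ? "<none>" : p.getName();
    }
}

// --- WhoAmIClient.java (assumed standalone client) ---
import java.rmi.AccessException;
import java.util.Properties;
import javax.naming.InitialContext;
import javax.rmi.PortableRemoteObject;
import javax.security.auth.Subject;
import javax.security.auth.callback.*;
import javax.security.auth.login.LoginContext;

public class WhoAmIClient {
    public static void main(String[] args) throws Exception {
        final String user = args[0];
        final char[] pass = args[1].toCharArray();

        // 1. Client-side JAAS login. This populates a Subject in the client
        //    JVM only; nothing done here is transmitted to the EJB server.
        LoginContext lc = new LoginContext("irbis", new CallbackHandler() {
            public void handle(Callback[] cbs) throws UnsupportedCallbackException {
                for (Callback cb : cbs) {
                    if (cb instanceof NameCallback) ((NameCallback) cb).setName(user);
                    else if (cb instanceof PasswordCallback) ((PasswordCallback) cb).setPassword(pass);
                    else throw new UnsupportedCallbackException(cb);
                }
            }
        });
        lc.login();
        Subject local = lc.getSubject();
        System.out.println("client-side principals: " + local.getPrincipals());

        // 2. Remote lookup. The only credentials the server can see are the
        //    ones the remote protocol carries, i.e. these JNDI properties.
        Properties props = new Properties();
        props.setProperty("java.naming.factory.initial",
                          "org.openejb.client.RemoteInitialContextFactory");
        props.setProperty("java.naming.provider.url", "localhost:4201");
        props.setProperty("java.naming.security.principal", user);
        props.setProperty("java.naming.security.credentials", new String(pass));
        InitialContext ic = new InitialContext(props);

        WhoAmIHome home = (WhoAmIHome) PortableRemoteObject.narrow(
                ic.lookup("WhoAmIHome"), WhoAmIHome.class);
        try {
            // 3. Ask the server which identity it bound to the call.
            String remote = home.create().callerName();
            System.out.println("server-side caller:     " + remote);
            if ("anonymous".equals(remote)) {
                System.out.println("WARNING: server bound the default principal; "
                        + "the JNDI credentials did not reach the login module");
            }
        } catch (AccessException e) {
            // EJBMethodPermission denied on create() or callerName(): the
            // server bound an identity without the role, so again not 'user'.
            System.out.println("access denied on the server: " + e.getMessage());
        } finally {
            lc.logout();
        }
    }
}
```

For the comparison to be meaningful, callerName() should be left unchecked (or granted to every role) in ejb-jar.xml, so that the call succeeds whether or not the server saw the intended user; a create() or callerName() that is restricted to the "user" role will instead fail with the same AccessException shown in the thread whenever the default principal is bound, which is the other observable symptom of credentials not being propagated.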