geronimo-user mailing list archives

From David Blevins <david.blev...@visi.com>
Subject Re: Please help me to understand JAAS login for standalone client
Date Wed, 22 Aug 2007 23:34:31 GMT
David, do you know if the SecurityProvider in Geronimo will supply a  
default value of realm when plain user/pass login is done?

If so, then a JNDI login as follows should work:

    props.setProperty("java.naming.security.principal", "admin");
    props.setProperty("java.naming.security.credentials", "******");
    InitialContext ic = new InitialContext(props);

As should the ClientLoginModule built into the openejb-client jar.

And I'll go on record again saying I think supporting realm as a  
"namespace" in the username is a nice non-required feature.  Then you  
could support:

    props.setProperty("java.naming.security.principal", "irbis:admin");
    props.setProperty("java.naming.security.credentials", "******");
    InitialContext ic = new InitialContext(props);

Could even make the separator configurable in the server.

-David
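
As an added illustration of the realm-as-namespace idea above (this is example code written for this page, not code from the thread, Geronimo or OpenEJB): a small Java parser that splits a principal such as "irbis:admin" into realm and user name, with the separator and the server-default realm passed in as settings so a bare "admin" keeps working. The class name RealmQualifiedPrincipal, its parse method and the placeholder default realm "default-realm" are all assumptions.

```java
import java.util.Objects;

// Hypothetical helper (not a Geronimo/OpenEJB class) that implements the
// "realm<separator>user" principal convention suggested in the post above.
public final class RealmQualifiedPrincipal {
    private final String realm;
    private final String user;

    private RealmQualifiedPrincipal(String realm, String user) {
        this.realm = realm;
        this.user = user;
    }

    public String getRealm() { return realm; }
    public String getUser() { return user; }

    /**
     * Split a principal of the form "realm<separator>user" into its parts.
     * If the separator is absent, the server-wide default realm is used, so a
     * plain user name still resolves. The separator is taken as a parameter
     * here to stand in for the server-side setting the post proposes.
     * Only the first separator counts, so the realm name can never contain it
     * while the user part may.
     */
    public static RealmQualifiedPrincipal parse(String principal, char separator, String defaultRealm) {
        Objects.requireNonNull(principal, "principal");
        Objects.requireNonNull(defaultRealm, "defaultRealm");
        int idx = principal.indexOf(separator);
        if (idx < 0) {
            return new RealmQualifiedPrincipal(defaultRealm, principal);
        }
        String realm = principal.substring(0, idx);
        String user = principal.substring(idx + 1);
        // Reject "" + separator + "admin" and "irbis" + separator + "" rather than
        // silently mapping them onto the default realm or an empty user.
        if (realm.isEmpty() || user.isEmpty()) {
            throw new IllegalArgumentException(
                "principal must be <realm>" + separator + "<user> or a bare user name: " + principal);
        }
        return new RealmQualifiedPrincipal(realm, user);
    }

    public static void main(String[] args) {
        // "default-realm" is a constructed placeholder for the server's configured default.
        RealmQualifiedPrincipal qualified = parse("irbis:admin", ':', "default-realm");
        System.out.println(qualified.getRealm() + " / " + qualified.getUser());

        RealmQualifiedPrincipal bare = parse("admin", ':', "default-realm");
        System.out.println(bare.getRealm() + " / " + bare.getUser());
    }
}
```

The value returned by parse is what a server-side login service would hand to the matching security realm; the client itself only sets the combined string in java.naming.security.principal, exactly as in the second snippet above.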

On Aug 22, 2007, at 2:44 PM, David Jencks wrote:

> IIRC there was a way to do a remote login from a non-j2ee app  
> client in 1.1 but it was very hard and I don't remember how to get  
> it to work.
>
> Can you switch to 2.0.1?  I'm not sure if the jndi security  
> parameters will result in a successful login but I think you can  
> use the OpenejbRemoteLoginModule to do a remote login over the  
> openejb protocol and this should save a token in the client that  
> identifies the server Subject.  I don't know if anyone has tested  
> this with a non-ee client but I don't know of any reason it  
> shouldn't work.  Maybe david blevins has more of an idea if  
> anything else needs to be configured in the client.  You would need  
> the geronimo-openejb jar in the client's classpath along with the  
> openejb client jar.
>
> thanks
> david jencks
>
> On Aug 22, 2007, at 9:24 AM, David Blevins wrote:
>
>> Hi Oleg,
>>
>> This feature was added to the standalone client in Geronimo 2.0.
>>
>> -David
>>
>> On Aug 22, 2007, at 7:09 AM, Oleg Nitz wrote:
>>
>>> Hi All,
>>>
>>> I am trying to set up JAAS login for standalone client.
>>> On server I have successfully deployed EAR with the following  
>>> security section in geronimo-application.xml:
>>>
>>>     <security xmlns="http://geronimo.apache.org/xml/ns/security-1.1">
>>>         <default-principal realm-name="irbis">
>>>             <principal class="org.apache.geronimo.security.realm.providers.GeronimoUserPrincipal"
>>>                        name="anonymous"/>
>>>         </default-principal>
>>>         <role-mappings>
>>>             <role role-name="user">
>>>                 <realm realm-name="irbis">
>>>                     <principal name="user"
>>>                                class="org.apache.geronimo.security.realm.providers.GeronimoGroupPrincipal"/>
>>>                 </realm>
>>>             </role>
>>>         </role-mappings>
>>>     </security>
>>>
>>>     <gbean name="irbis"
>>>            class="org.apache.geronimo.security.realm.GenericSecurityRealm">
>>>         <attribute name="realmName">irbis</attribute>
>>>         <reference name="ServerInfo">
>>>             <name>ServerInfo</name>
>>>         </reference>
>>>         <reference name="LoginService">
>>>             <name>JaasLoginService</name>
>>>         </reference>
>>>         <xml-reference name="LoginModuleConfiguration">
>>>             <login-config xmlns="http://geronimo.apache.org/xml/ns/loginconfig-1.1">
>>>                 <login-module control-flag="REQUIRED" server-side="true" wrap-principals="true">
>>>                     <login-domain-name>irbis</login-domain-name>
>>>                     <login-module-class>ua.odessa.ibis.start.IServerLoginModuleGeneric</login-module-class>
>>>                 </login-module>
>>>             </login-config>
>>>         </xml-reference>
>>>     </gbean>
>>>
>>> Client code:
>>>
>>> LoginContext lc = new LoginContext("irbis", _callbackHandler);
>>> lc.login();
>>>
>>> ...
>>>
>>> Properties props = new Properties();
>>>
>>> props.setProperty("java.naming.factory.initial",
>>>                   "org.openejb.client.RemoteInitialContextFactory");
>>> props.setProperty("java.naming.provider.url", "localhost:4201");
>>> props.setProperty("java.naming.security.principal", "admin");
>>> props.setProperty("java.naming.security.credentials", "******");
>>> InitialContext ic = new InitialContext(props);
>>> UserRegistryHome regHome = (UserRegistryHome)
>>>                PortableRemoteObject.narrow(ic.lookup("<bean jndi name>"),
>>>                                            UserRegistryHome.class);
>>>
>>> The first piece of code with lc.login() works fine, server login  
>>> module is invoked. But I am not sure that Geronimo stores the  
>>> principal and the credentials from the login somewhere in order  
>>> to use them later during bean method invocation (as JBoss does).  
>>> Probably this piece of code is useless for Geronimo, right?
>>> So I provide principal and credentials during JNDI lookup() as  
>>> Geronimo documentation suggests. I hoped they were somehow  
>>> transferred to server LoginModule. But they are not. Instead I am  
>>> getting the following exception:
>>>
>>> java.rmi.AccessException: access denied (javax.security.jacc.EJBMethodPermission core.user.registry.UserRegistry create,Home,)
>>>         at org.openejb.security.EJBSecurityInterceptor.invoke(EJBSecurityInterceptor.java:106)
>>>         at org.openejb.security.EJBRunAsInterceptor.invoke(EJBRunAsInterceptor.java:85)
>>>         at org.openejb.slsb.StatelessInstanceInterceptor.invoke(StatelessInstanceInterceptor.java:98)
>>>         at org.openejb.transaction.ContainerPolicy$TxSupports.invoke(ContainerPolicy.java:198)
>>>         at org.openejb.transaction.TransactionContextInterceptor.invoke(TransactionContextInterceptor.java:80)
>>>         at org.openejb.SystemExceptionInterceptor.invoke(SystemExceptionInterceptor.java:82)
>>>         at org.openejb.GenericEJBContainer$DefaultSubjectInterceptor.invoke(GenericEJBContainer.java:549)
>>>         at org.openejb.GenericEJBContainer.invoke(GenericEJBContainer.java:238)
>>>         at org.openejb.server.ejbd.EjbRequestHandler.invoke(EjbRequestHandler.java:297)
>>>         at org.openejb.server.ejbd.EjbRequestHandler.doEjbHome_CREATE(EjbRequestHandler.java:342)
>>>         at org.openejb.server.ejbd.EjbRequestHandler.processRequest(EjbRequestHandler.java:206)
>>>         at org.openejb.server.ejbd.EjbDaemon.service(EjbDaemon.java:150)
>>>         at org.openejb.server.ejbd.EjbServer.service(EjbServer.java:87)
>>>         at org.openejb.server.ejbd.EjbServer$$FastClassByCGLIB$$d379d2ff.invoke(<generated>)
>>>         at net.sf.cglib.reflect.FastMethod.invoke(FastMethod.java:53)
>>>         at org.apache.geronimo.gbean.runtime.FastMethodInvoker.invoke(FastMethodInvoker.java:38)
>>>         at org.apache.geronimo.gbean.runtime.GBeanOperation.invoke(GBeanOperation.java:122)
>>>         at org.apache.geronimo.gbean.runtime.GBeanInstance.invoke(GBeanInstance.java:817)
>>>         at org.apache.geronimo.gbean.runtime.RawInvoker.invoke(RawInvoker.java:57)
>>>         at org.apache.geronimo.kernel.basic.RawOperationInvoker.invoke(RawOperationInvoker.java:35)
>>>         at org.apache.geronimo.kernel.basic.ProxyMethodInterceptor.intercept(ProxyMethodInterceptor.java:96)
>>>         at org.activeio.xnet.ServerService$$EnhancerByCGLIB$$6635a4ab.service(<generated>)
>>>         at org.activeio.xnet.ServicePool$2.run(ServicePool.java:67)
>>>         at org.activeio.xnet.ServicePool$3.run(ServicePool.java:90)
>>>         at org.apache.geronimo.pool.ThreadPool$1.run(ThreadPool.java:172)
>>>         at org.apache.geronimo.pool.ThreadPool$ContextClassLoaderRunnable.run(ThreadPool.java:289)
>>>         at EDU.oswego.cs.dl.util.concurrent.PooledExecutor$Worker.run(Unknown Source)
>>>         at java.lang.Thread.run(Thread.java:595)
>>>
>>> Under the debugger I see that inside EJBSecurityInterceptor the wrong  
>>> Subject is used: it's "anonymous", which is declared as the default-  
>>> principal, and not "admin", which is passed to the JNDI context.
>>> What am I doing wrong?
>>>
>>> Thanks in advance,
>>> Oleg
>>>
>>>
>>
>
>

