geronimo-user mailing list archives

From David Blevins <david.blev...@visi.com>
Subject Re: Please help me to understand JAAS login for standalone client
Date Wed, 22 Aug 2007 16:24:06 GMT
Hi Oleg,

This feature was added to the standalone client in Geronimo 2.0.

-David

On Aug 22, 2007, at 7:09 AM, Oleg Nitz wrote:

> Hi All,
>
> I am trying to set up JAAS login for a standalone client.
> On the server I have successfully deployed an EAR with the following
> security section in geronimo-application.xml:
>
>     <security xmlns="http://geronimo.apache.org/xml/ns/security-1.1">
>         <default-principal realm-name="irbis">
>             <principal class="org.apache.geronimo.security.realm.providers.GeronimoUserPrincipal"
>                        name="anonymous"/>
>         </default-principal>
>         <role-mappings>
>             <role role-name="user">
>                 <realm realm-name="irbis">
>                     <principal name="user"
>                                class="org.apache.geronimo.security.realm.providers.GeronimoGroupPrincipal"/>
>                 </realm>
>             </role>
>         </role-mappings>
>     </security>
>
>     <gbean name="irbis" class="org.apache.geronimo.security.realm.GenericSecurityRealm">
>         <attribute name="realmName">irbis</attribute>
>         <reference name="ServerInfo">
>             <name>ServerInfo</name>
>         </reference>
>         <reference name="LoginService">
>             <name>JaasLoginService</name>
>         </reference>
>         <xml-reference name="LoginModuleConfiguration">
>             <login-config xmlns="http://geronimo.apache.org/xml/ns/loginconfig-1.1">
>                 <login-module control-flag="REQUIRED" server-side="true" wrap-principals="true">
>                     <login-domain-name>irbis</login-domain-name>
>                     <login-module-class>ua.odessa.ibis.start.IServerLoginModuleGeneric</login-module-class>
>                 </login-module>
>             </login-config>
>         </xml-reference>
>     </gbean>
>
> Client code:
>
> LoginContext lc = new LoginContext("irbis", _callbackHandler);
> lc.login();
>
> ...
>
> Properties props = new Properties();
>
> props.setProperty("java.naming.factory.initial",
>                   "org.openejb.client.RemoteInitialContextFactory");
> props.setProperty("java.naming.provider.url", "localhost:4201");
> props.setProperty("java.naming.security.principal", "admin");
> props.setProperty("java.naming.security.credentials", "******");
> InitialContext ic = new InitialContext(props);
> UserRegistryHome regHome = (UserRegistryHome)
>                PortableRemoteObject.narrow(ic.lookup("<bean jndi name>"),
>                                            UserRegistryHome.class);
>
> The first piece of code with lc.login() works fine; the server login
> module is invoked. But I am not sure that Geronimo stores the
> principal and the credentials from the login somewhere in order to use
> them later during bean method invocation (as JBoss does). Probably
> this piece of code is useless for Geronimo, right?
> So I provide the principal and credentials during the JNDI lookup() as
> the Geronimo documentation suggests. I hoped they were somehow
> transferred to the server LoginModule. But they are not. Instead I am
> getting the following exception:
>
> java.rmi.AccessException: access denied (javax.security.jacc.EJBMethodPermission core.user.registry.UserRegistry create,Home,)
>         at org.openejb.security.EJBSecurityInterceptor.invoke(EJBSecurityInterceptor.java:106)
>         at org.openejb.security.EJBRunAsInterceptor.invoke(EJBRunAsInterceptor.java:85)
>         at org.openejb.slsb.StatelessInstanceInterceptor.invoke(StatelessInstanceInterceptor.java:98)
>         at org.openejb.transaction.ContainerPolicy$TxSupports.invoke(ContainerPolicy.java:198)
>         at org.openejb.transaction.TransactionContextInterceptor.invoke(TransactionContextInterceptor.java:80)
>         at org.openejb.SystemExceptionInterceptor.invoke(SystemExceptionInterceptor.java:82)
>         at org.openejb.GenericEJBContainer$DefaultSubjectInterceptor.invoke(GenericEJBContainer.java:549)
>         at org.openejb.GenericEJBContainer.invoke(GenericEJBContainer.java:238)
>         at org.openejb.server.ejbd.EjbRequestHandler.invoke(EjbRequestHandler.java:297)
>         at org.openejb.server.ejbd.EjbRequestHandler.doEjbHome_CREATE(EjbRequestHandler.java:342)
>         at org.openejb.server.ejbd.EjbRequestHandler.processRequest(EjbRequestHandler.java:206)
>         at org.openejb.server.ejbd.EjbDaemon.service(EjbDaemon.java:150)
>         at org.openejb.server.ejbd.EjbServer.service(EjbServer.java:87)
>         at org.openejb.server.ejbd.EjbServer$$FastClassByCGLIB$$d379d2ff.invoke(<generated>)
>         at net.sf.cglib.reflect.FastMethod.invoke(FastMethod.java:53)
>         at org.apache.geronimo.gbean.runtime.FastMethodInvoker.invoke(FastMethodInvoker.java:38)
>         at org.apache.geronimo.gbean.runtime.GBeanOperation.invoke(GBeanOperation.java:122)
>         at org.apache.geronimo.gbean.runtime.GBeanInstance.invoke(GBeanInstance.java:817)
>         at org.apache.geronimo.gbean.runtime.RawInvoker.invoke(RawInvoker.java:57)
>         at org.apache.geronimo.kernel.basic.RawOperationInvoker.invoke(RawOperationInvoker.java:35)
>         at org.apache.geronimo.kernel.basic.ProxyMethodInterceptor.intercept(ProxyMethodInterceptor.java:96)
>         at org.activeio.xnet.ServerService$$EnhancerByCGLIB$$6635a4ab.service(<generated>)
>         at org.activeio.xnet.ServicePool$2.run(ServicePool.java:67)
>         at org.activeio.xnet.ServicePool$3.run(ServicePool.java:90)
>         at org.apache.geronimo.pool.ThreadPool$1.run(ThreadPool.java:172)
>         at org.apache.geronimo.pool.ThreadPool$ContextClassLoaderRunnable.run(ThreadPool.java:289)
>         at EDU.oswego.cs.dl.util.concurrent.PooledExecutor$Worker.run(Unknown Source)
>         at java.lang.Thread.run(Thread.java:595)
>
> Under the debugger I see that inside EJBSecurityInterceptor the wrong
> Subject is used: it is "anonymous", which is declared as the
> default-principal, and not "admin", which is passed to the JNDI context.
> What am I doing wrong?
>
> Thanks in advance,
> Oleg


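Added example, not code from this thread or from Geronimo: a stand-alone JAAS program, using only standard Java APIs, that shows what the client-side lc.login() in Oleg's code actually produces. The authenticated Subject exists only in the client JVM and is attached to the calling thread only inside Subject.doAs; it is never carried to the server by itself, so a server-side login module can only see an identity that the client library propagates separately. DemoLoginModule and the in-memory Configuration are constructed stand-ins for the irbis realm's module; the program uses Subject.getSubject(AccessController.getContext()), the API of the Java of this thread's era, which on Java 18 and later is replaced by Subject.current().

```java
import java.security.AccessController;
import java.security.PrivilegedAction;
import java.util.Collections;
import java.util.Map;
import javax.security.auth.Subject;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.login.AppConfigurationEntry;
import javax.security.auth.login.AppConfigurationEntry.LoginModuleControlFlag;
import javax.security.auth.login.Configuration;
import javax.security.auth.login.LoginContext;
import javax.security.auth.spi.LoginModule;
import javax.security.auth.x500.X500Principal;

public class ClientSubjectScope {
    // Stand-in login module (constructed for this example): accepts every login and
    // adds one principal, as a real module would after verifying the credentials.
    public static class DemoLoginModule implements LoginModule {
        private Subject subject;
        public void initialize(Subject s, CallbackHandler h, Map<String, ?> shared, Map<String, ?> opts) { subject = s; }
        public boolean login() { return true; }
        public boolean commit() { subject.getPrincipals().add(new X500Principal("CN=admin")); return true; }
        public boolean abort() { return true; }
        public boolean logout() { subject.getPrincipals().clear(); return true; }
    }
    // In-memory JAAS configuration so the demo needs no login.config file.
    static Configuration config() {
        return new Configuration() {
            @Override public AppConfigurationEntry[] getAppConfigurationEntry(String name) {
                return new AppConfigurationEntry[] { new AppConfigurationEntry(
                        DemoLoginModule.class.getName(), LoginModuleControlFlag.REQUIRED,
                        Collections.<String, Object>emptyMap()) };
            }
        };
    }
    // The Subject bound to the calling thread's access-control context, or null if none.
    static Subject bound() { return Subject.getSubject(AccessController.getContext()); }

    public static void main(String[] args) throws Exception {
        LoginContext lc = new LoginContext("irbis", new Subject(), null, config());
        lc.login();
        Subject client = lc.getSubject();
        System.out.println("Authenticated Subject: " + client.getPrincipals());
        // After login() nothing is bound to the thread: the Subject is held only by lc in this JVM.
        System.out.println("Bound outside doAs: " + bound());
        Subject.doAs(client, (PrivilegedAction<Void>) () -> {
            System.out.println("Bound inside doAs: " + bound().getPrincipals());
            return null;
        });
    }
}
```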