Hi Oleg,
This feature was added to the standalone client in Geronimo 2.0.
-David
On Aug 22, 2007, at 7:09 AM, Oleg Nitz wrote:
> Hi All,
>
> I am trying to set up JAAS login for standalone client.
> On server I have successfully deployed EAR with the following
> security section in geronimo-application.xml:
>
> <security xmlns="http://geronimo.apache.org/xml/ns/security-1.1">
>   <default-principal realm-name="irbis">
>     <principal class="org.apache.geronimo.security.realm.providers.GeronimoUserPrincipal"
>                name="anonymous"/>
>   </default-principal>
>   <role-mappings>
>     <role role-name="user">
>       <realm realm-name="irbis">
>         <principal name="user"
>                    class="org.apache.geronimo.security.realm.providers.GeronimoGroupPrincipal"/>
>       </realm>
>     </role>
>   </role-mappings>
> </security>
>
> <gbean name="irbis" class="org.apache.geronimo.security.realm.GenericSecurityRealm">
>   <attribute name="realmName">irbis</attribute>
>   <reference name="ServerInfo">
>     <name>ServerInfo</name>
>   </reference>
>   <reference name="LoginService">
>     <name>JaasLoginService</name>
>   </reference>
>   <xml-reference name="LoginModuleConfiguration">
>     <login-config xmlns="http://geronimo.apache.org/xml/ns/loginconfig-1.1">
>       <login-module control-flag="REQUIRED" server-side="true" wrap-principals="true">
>         <login-domain-name>irbis</login-domain-name>
>         <login-module-class>ua.odessa.ibis.start.IServerLoginModuleGeneric</login-module-class>
>       </login-module>
>     </login-config>
>   </xml-reference>
> </gbean>
>
> Client code:
>
> // JAAS login against the "irbis" realm; the callback handler supplies user/password
> LoginContext lc = new LoginContext("irbis", _callbackHandler);
> lc.login();
>
> ...
>
> // JNDI context for the OpenEJB remote client, with the credentials in the properties
> Properties props = new Properties();
> props.setProperty("java.naming.factory.initial",
>                   "org.openejb.client.RemoteInitialContextFactory");
> props.setProperty("java.naming.provider.url", "localhost:4201");
> props.setProperty("java.naming.security.principal", "admin");
> props.setProperty("java.naming.security.credentials", "******");
> InitialContext ic = new InitialContext(props);
> UserRegistryHome regHome = (UserRegistryHome)
>     PortableRemoteObject.narrow(ic.lookup("<bean jndi name>"),
>                                 UserRegistryHome.class);
>
> The first piece of code with lc.login() works fine; the server login
> module is invoked. But I am not sure that Geronimo stores the
> principal and the credentials from the login somewhere in order to use
> them later during bean method invocation (as JBoss does). Probably
> this piece of code is useless for Geronimo, right?
> So I provide the principal and credentials during the JNDI lookup() as
> the Geronimo documentation suggests. I hoped they were somehow
> transferred to the server LoginModule. But they are not. Instead I am
> getting the following exception:
>
> java.rmi.AccessException: access denied (javax.security.jacc.EJBMethodPermission core.user.registry.UserRegistry create,Home,)
>     at org.openejb.security.EJBSecurityInterceptor.invoke(EJBSecurityInterceptor.java:106)
>     at org.openejb.security.EJBRunAsInterceptor.invoke(EJBRunAsInterceptor.java:85)
>     at org.openejb.slsb.StatelessInstanceInterceptor.invoke(StatelessInstanceInterceptor.java:98)
>     at org.openejb.transaction.ContainerPolicy$TxSupports.invoke(ContainerPolicy.java:198)
>     at org.openejb.transaction.TransactionContextInterceptor.invoke(TransactionContextInterceptor.java:80)
>     at org.openejb.SystemExceptionInterceptor.invoke(SystemExceptionInterceptor.java:82)
>     at org.openejb.GenericEJBContainer$DefaultSubjectInterceptor.invoke(GenericEJBContainer.java:549)
>     at org.openejb.GenericEJBContainer.invoke(GenericEJBContainer.java:238)
>     at org.openejb.server.ejbd.EjbRequestHandler.invoke(EjbRequestHandler.java:297)
>     at org.openejb.server.ejbd.EjbRequestHandler.doEjbHome_CREATE(EjbRequestHandler.java:342)
>     at org.openejb.server.ejbd.EjbRequestHandler.processRequest(EjbRequestHandler.java:206)
>     at org.openejb.server.ejbd.EjbDaemon.service(EjbDaemon.java:150)
>     at org.openejb.server.ejbd.EjbServer.service(EjbServer.java:87)
>     at org.openejb.server.ejbd.EjbServer$$FastClassByCGLIB$$d379d2ff.invoke(<generated>)
>     at net.sf.cglib.reflect.FastMethod.invoke(FastMethod.java:53)
>     at org.apache.geronimo.gbean.runtime.FastMethodInvoker.invoke(FastMethodInvoker.java:38)
>     at org.apache.geronimo.gbean.runtime.GBeanOperation.invoke(GBeanOperation.java:122)
>     at org.apache.geronimo.gbean.runtime.GBeanInstance.invoke(GBeanInstance.java:817)
>     at org.apache.geronimo.gbean.runtime.RawInvoker.invoke(RawInvoker.java:57)
>     at org.apache.geronimo.kernel.basic.RawOperationInvoker.invoke(RawOperationInvoker.java:35)
>     at org.apache.geronimo.kernel.basic.ProxyMethodInterceptor.intercept(ProxyMethodInterceptor.java:96)
>     at org.activeio.xnet.ServerService$$EnhancerByCGLIB$$6635a4ab.service(<generated>)
>     at org.activeio.xnet.ServicePool$2.run(ServicePool.java:67)
>     at org.activeio.xnet.ServicePool$3.run(ServicePool.java:90)
>     at org.apache.geronimo.pool.ThreadPool$1.run(ThreadPool.java:172)
>     at org.apache.geronimo.pool.ThreadPool$ContextClassLoaderRunnable.run(ThreadPool.java:289)
>     at EDU.oswego.cs.dl.util.concurrent.PooledExecutor$Worker.run(Unknown Source)
>     at java.lang.Thread.run(Thread.java:595)
>
> Under the debugger I see that inside EJBSecurityInterceptor the wrong
> Subject is used: it's "anonymous", which is declared as the
> default-principal, and not "admin", which is passed to the JNDI context.
> What am I doing wrong?
>
> Thanks in advance,
> Oleg
>