geronimo-user mailing list archives

From David Jencks <david_jen...@yahoo.com>
Subject Re: Please help me to understand JAAS login for standalone client
Date Wed, 22 Aug 2007 21:44:11 GMT
IIRC there was a way to do a remote login from a non-j2ee app client  
in 1.1 but it was very hard and I don't remember how to get it to work.

Can you switch to 2.0.1?  I'm not sure if the jndi security  
parameters will result in a successful login but I think you can use  
the OpenejbRemoteLoginModule to do a remote login over the openejb  
protocol and this should save a token in the client that identifies  
the server Subject.  I don't know if anyone has tested this with a  
non-ee client but I don't know of any reason it shouldn't work.   
Maybe david blevins has more of an idea if anything else needs to be  
configured in the client.  You would need the geronimo-openejb jar in  
the client's classpath along with the openejb client jar.

thanks
david jencks

On Aug 22, 2007, at 9:24 AM, David Blevins wrote:

> Hi Oleg,
>
> This feature was added to the standalone client in Geronimo 2.0.
>
> -David
>
> On Aug 22, 2007, at 7:09 AM, Oleg Nitz wrote:
>
>> Hi All,
>>
>> I am trying to set up JAAS login for standalone client.
>> On server I have successfully deployed EAR with the following  
>> security section in geronimo-application.xml:
>>
>>     <security xmlns="http://geronimo.apache.org/xml/ns/security-1.1">
>>         <default-principal realm-name="irbis">
>>             <principal class="org.apache.geronimo.security.realm.providers.GeronimoUserPrincipal"
>>                        name="anonymous"/>
>>         </default-principal>
>>         <role-mappings>
>>             <role role-name="user">
>>                 <realm realm-name="irbis">
>>                     <principal name="user"
>>                                class="org.apache.geronimo.security.realm.providers.GeronimoGroupPrincipal"/>
>>                 </realm>
>>             </role>
>>         </role-mappings>
>>     </security>
>>
>>     <gbean name="irbis" class="org.apache.geronimo.security.realm.GenericSecurityRealm">
>>         <attribute name="realmName">irbis</attribute>
>>         <reference name="ServerInfo">
>>             <name>ServerInfo</name>
>>         </reference>
>>         <reference name="LoginService">
>>             <name>JaasLoginService</name>
>>         </reference>
>>         <xml-reference name="LoginModuleConfiguration">
>>             <login-config xmlns="http://geronimo.apache.org/xml/ns/loginconfig-1.1">
>>                 <login-module control-flag="REQUIRED" server-side="true" wrap-principals="true">
>>                     <login-domain-name>irbis</login-domain-name>
>>                     <login-module-class>ua.odessa.ibis.start.IServerLoginModuleGeneric</login-module-class>
>>                 </login-module>
>>             </login-config>
>>         </xml-reference>
>>     </gbean>
>>
>> Client code:
>>
>> LoginContext lc = new LoginContext("irbis", _callbackHandler);
>> lc.login();
>>
>> ...
>>
>> Properties props = new Properties();
>>
>> props.setProperty("java.naming.factory.initial",
>>                   "org.openejb.client.RemoteInitialContextFactory");
>> props.setProperty("java.naming.provider.url", "localhost:4201");
>> props.setProperty("java.naming.security.principal", "admin");
>> props.setProperty("java.naming.security.credentials", "******");
>> InitialContext ic = new InitialContext(props);
>> UserRegistryHome regHome = (UserRegistryHome)
>>                PortableRemoteObject.narrow(ic.lookup("<bean jndi name>"),
>>                                            UserRegistryHome.class);
>>
>> The first piece of code with lc.login() works fine; the server login  
>> module is invoked. But I am not sure that Geronimo stores the  
>> principal and the credentials from the login somewhere in order  
>> to use them later during bean method invocations (as JBoss does).  
>> Probably this piece of code is useless for Geronimo, right?
>> So I provide the principal and credentials during the JNDI lookup() as  
>> the Geronimo documentation suggests. I hoped they were somehow  
>> transferred to the server LoginModule. But they are not. Instead I am  
>> getting the following exception:
>>
>> java.rmi.AccessException: access denied (javax.security.jacc.EJBMethodPermission core.user.registry.UserRegistry create,Home,)
>>         at org.openejb.security.EJBSecurityInterceptor.invoke(EJBSecurityInterceptor.java:106)
>>         at org.openejb.security.EJBRunAsInterceptor.invoke(EJBRunAsInterceptor.java:85)
>>         at org.openejb.slsb.StatelessInstanceInterceptor.invoke(StatelessInstanceInterceptor.java:98)
>>         at org.openejb.transaction.ContainerPolicy$TxSupports.invoke(ContainerPolicy.java:198)
>>         at org.openejb.transaction.TransactionContextInterceptor.invoke(TransactionContextInterceptor.java:80)
>>         at org.openejb.SystemExceptionInterceptor.invoke(SystemExceptionInterceptor.java:82)
>>         at org.openejb.GenericEJBContainer$DefaultSubjectInterceptor.invoke(GenericEJBContainer.java:549)
>>         at org.openejb.GenericEJBContainer.invoke(GenericEJBContainer.java:238)
>>         at org.openejb.server.ejbd.EjbRequestHandler.invoke(EjbRequestHandler.java:297)
>>         at org.openejb.server.ejbd.EjbRequestHandler.doEjbHome_CREATE(EjbRequestHandler.java:342)
>>         at org.openejb.server.ejbd.EjbRequestHandler.processRequest(EjbRequestHandler.java:206)
>>         at org.openejb.server.ejbd.EjbDaemon.service(EjbDaemon.java:150)
>>         at org.openejb.server.ejbd.EjbServer.service(EjbServer.java:87)
>>         at org.openejb.server.ejbd.EjbServer$$FastClassByCGLIB$$d379d2ff.invoke(<generated>)
>>         at net.sf.cglib.reflect.FastMethod.invoke(FastMethod.java:53)
>>         at org.apache.geronimo.gbean.runtime.FastMethodInvoker.invoke(FastMethodInvoker.java:38)
>>         at org.apache.geronimo.gbean.runtime.GBeanOperation.invoke(GBeanOperation.java:122)
>>         at org.apache.geronimo.gbean.runtime.GBeanInstance.invoke(GBeanInstance.java:817)
>>         at org.apache.geronimo.gbean.runtime.RawInvoker.invoke(RawInvoker.java:57)
>>         at org.apache.geronimo.kernel.basic.RawOperationInvoker.invoke(RawOperationInvoker.java:35)
>>         at org.apache.geronimo.kernel.basic.ProxyMethodInterceptor.intercept(ProxyMethodInterceptor.java:96)
>>         at org.activeio.xnet.ServerService$$EnhancerByCGLIB$$6635a4ab.service(<generated>)
>>         at org.activeio.xnet.ServicePool$2.run(ServicePool.java:67)
>>         at org.activeio.xnet.ServicePool$3.run(ServicePool.java:90)
>>         at org.apache.geronimo.pool.ThreadPool$1.run(ThreadPool.java:172)
>>         at org.apache.geronimo.pool.ThreadPool$ContextClassLoaderRunnable.run(ThreadPool.java:289)
>>         at EDU.oswego.cs.dl.util.concurrent.PooledExecutor$Worker.run(Unknown Source)
>>         at java.lang.Thread.run(Thread.java:595)
>>
>> Under the debugger I see that inside EJBSecurityInterceptor the wrong  
>> Subject is used: it's "anonymous", which is declared as the default-  
>> principal, and not "admin", which is passed to the JNDI context.
>> What am I doing wrong?
>>
>> Thanks in advance,
>> Oleg
>>
>>
>
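
Added example (not code from this thread, and not Geronimo's or OpenEJB's own client code): a standalone client that does the client-side JAAS login David Jencks describes for 2.0.1, runs the JNDI lookup and EJB call with the resulting Subject on the thread, and reports the JACC denial Oleg ran into instead of crashing on it. Everything not in the thread is an assumption to check against the 2.0.1 jars: the fully-qualified name `org.apache.geronimo.openejb.OpenejbRemoteLoginModule` and its option keys `RemoteSecurityRealm` and `ServerURI`, the OpenEJB 3 client factory `org.apache.openejb.client.RemoteInitialContextFactory` and the `ejbd://` provider URL, and that the OpenEJB client resolves the caller identity from the Subject of the current access-control context (hence `Subject.doAs`). The JNDI name stays the placeholder from the original post; the password is read from stdin rather than hard-coded.

```java
import java.io.BufferedReader;
import java.io.InputStreamReader;
import java.rmi.AccessException;
import java.security.PrivilegedActionException;
import java.security.PrivilegedExceptionAction;
import java.util.Arrays;
import java.util.HashMap;
import java.util.Map;
import java.util.Properties;
import javax.ejb.EJBHome;
import javax.naming.Context;
import javax.naming.InitialContext;
import javax.rmi.PortableRemoteObject;
import javax.security.auth.Subject;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.NameCallback;
import javax.security.auth.callback.PasswordCallback;
import javax.security.auth.callback.UnsupportedCallbackException;
import javax.security.auth.login.AppConfigurationEntry;
import javax.security.auth.login.AppConfigurationEntry.LoginModuleControlFlag;
import javax.security.auth.login.Configuration;
import javax.security.auth.login.LoginContext;

/** Standalone (non-EE) client: JAAS login over the OpenEJB protocol, then the EJB call. */
public class RemoteLoginClient {

    // ASSUMPTION: fully-qualified name of the OpenejbRemoteLoginModule in geronimo-openejb.
    static final String REMOTE_LOGIN_MODULE = "org.apache.geronimo.openejb.OpenejbRemoteLoginModule";
    // ASSUMPTION: OpenEJB 3 client factory and ejbd URL as used by Geronimo 2.0.x.
    static final String CONTEXT_FACTORY = "org.apache.openejb.client.RemoteInitialContextFactory";
    static final String SERVER_URI = "ejbd://localhost:4201";
    static final String REALM = "irbis";                // realm name of the server-side gbean
    static final String JNDI_NAME = "<bean jndi name>"; // placeholder, as in the original post

    /** Programmatic JAAS configuration; replaces a -Djava.security.auth.login.config file. */
    static final class ClientConfiguration extends Configuration {
        public AppConfigurationEntry[] getAppConfigurationEntry(String name) {
            if (!REALM.equals(name)) {
                return null;                            // unknown context name: LoginContext fails
            }
            Map<String, String> options = new HashMap<String, String>();
            options.put("RemoteSecurityRealm", REALM);  // ASSUMPTION: option keys of the module
            options.put("ServerURI", SERVER_URI);
            return new AppConfigurationEntry[] {
                new AppConfigurationEntry(REMOTE_LOGIN_MODULE, LoginModuleControlFlag.REQUIRED, options)
            };
        }
        public void refresh() { }
    }

    /** Answers only name/password callbacks; anything else is refused, not silently ignored. */
    static final class FixedCallbackHandler implements CallbackHandler {
        private final String user;
        private final char[] password;
        FixedCallbackHandler(String user, char[] password) { this.user = user; this.password = password; }
        public void handle(Callback[] callbacks) throws UnsupportedCallbackException {
            for (Callback cb : callbacks) {
                if (cb instanceof NameCallback) {
                    ((NameCallback) cb).setName(user);
                } else if (cb instanceof PasswordCallback) {
                    ((PasswordCallback) cb).setPassword(password);
                } else {
                    throw new UnsupportedCallbackException(cb, "unexpected callback");
                }
            }
        }
        void clear() { Arrays.fill(password, '\0'); }  // drop the secret once the login is done
    }

    public static void main(String[] args) throws Exception {
        if (args.length != 1) { System.err.println("usage: RemoteLoginClient <user>"); return; }
        String line = new BufferedReader(new InputStreamReader(System.in)).readLine();
        char[] password = (line == null ? "" : line).toCharArray();

        Configuration.setConfiguration(new ClientConfiguration());
        FixedCallbackHandler handler = new FixedCallbackHandler(args[0], password);
        LoginContext lc = new LoginContext(REALM, handler);
        try {
            lc.login();                                 // remote login; a bad password throws LoginException
        } finally {
            handler.clear();
        }
        Subject subject = lc.getSubject();
        System.out.println("logged in, client-side principals: " + subject.getPrincipals());

        // Make the call with the authenticated Subject on the thread's access-control context,
        // so the identity the login module stored is visible to the OpenEJB client (ASSUMPTION).
        try {
            String homeClass = Subject.doAs(subject, new PrivilegedExceptionAction<String>() {
                public String run() throws Exception {
                    Properties props = new Properties();
                    props.setProperty(Context.INITIAL_CONTEXT_FACTORY, CONTEXT_FACTORY);
                    props.setProperty(Context.PROVIDER_URL, SERVER_URI);
                    InitialContext ic = new InitialContext(props);
                    EJBHome home = (EJBHome) PortableRemoteObject.narrow(ic.lookup(JNDI_NAME), EJBHome.class);
                    // getEJBMetaData() is a remote home call; a real client would call its own
                    // home interface's create() here instead.
                    return home.getEJBMetaData().getHomeInterfaceClass().getName();
                }
            });
            System.out.println("home interface: " + homeClass);
        } catch (PrivilegedActionException e) {
            Throwable cause = e.getCause();
            if (cause instanceof AccessException) {
                // The server's JACC check rejected the call: the Subject it resolved for this
                // request (in Oleg's case the default principal "anonymous") lacks the mapped role.
                System.err.println("denied by server: " + cause.getMessage());
            } else {
                throw e;
            }
        } finally {
            lc.logout();
        }
    }
}
```

Run it as `java -cp <client jars> RemoteLoginClient admin` and type the password on stdin. If the server still reports `access denied (javax.security.jacc.EJBMethodPermission ...)` after a successful `lc.login()`, the principals printed after login are the first thing to compare with the realm's role mapping: a Subject that carries no server-side identity means the client login never reached the remote realm, while a Subject with the right user but still denied points at the `role-mappings` in geronimo-application.xml.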

