geronimo-user mailing list archives

From David Jencks <>
Subject Re: Trouble obtaining JaaS login context from within EJB
Date Fri, 19 Jun 2009 14:59:01 GMT

On Jun 19, 2009, at 6:44 AM, kistler wrote:

> Hello,
> I'm currently developing an Enterprise application which comprises a
> servlet and EJB for Geronimo 2.1, and I have secured the EJB with a Security
> Realm configured to authenticate against a SQLLoginModule.  I'm confident
> that this is authenticating correctly as I have done negative and positive
> testing.
> I'm testing my EJB by connecting to it from a servlet as follows:
>
>     import javax.security.auth.callback.CallbackHandler;
>     import javax.security.auth.login.LoginContext;
>
>     // Plain JAAS login against the realm configured in Geronimo
>     CallbackHandler handler = new UserIdPasswordCallbackHandler(user, password);
>     LoginContext ctx = new LoginContext("SecurityRealm", handler);
>     ctx.login(); // throws LoginException on bad credentials
>
> This succeeds when supplied the correct credentials and throws exceptions
> with invalid credentials.

I assume this is a standalone test, not part of your application?
Doing this will not tell Geronimo anything about the Subject you have
created, and your EJB will not be secured from the servlet.

> I obtain a reference to the remote interface as follows:
>
>     import java.util.Properties;
>     import javax.naming.Context;
>     import javax.naming.InitialContext;
>
>     Properties prop = new Properties();
>     prop.put(Context.INITIAL_CONTEXT_FACTORY,
>              "org.apache.openejb.client.RemoteInitialContextFactory");
>     prop.put(Context.PROVIDER_URL, "ejbd://localhost:4201");
>     Context context = new InitialContext(prop);
>     // Remote JNDI lookup over the OpenEJB ejbd protocol
>     Object o = context.lookup("SessionManagerBeanRemote");
>     SessionManagerRemote remote = (SessionManagerRemote) o;
>
> This works correctly as I am able to call my remote EJB methods!

yes, and there is no security in place.  If you are calling from the  
servlet you did the test login from, the Subject info will not be  
propagated to the ejb container.

> Now - the piece I am missing is I need to be able to obtain the current
> Subject that was authenticated, i.e. I need to know the identity of the
> user that has been authenticated to use this EJB and is invoking it.  So if
> joe was authenticated to use the SessionManager, I need to be able to
> obtain joe's login name.

You probably want first to set up container managed security.  Easiest
is to use one of the built in authentication methods for the web app.
If you don't like this, you should call one of the geronimo
ContextManager.login methods for your login and then

    // subject: the Subject of the LoginContext that ContextManager.login returned
    Callers oldCallers = ContextManager.setCallers(subject, subject);
    try {
        // do secured stuff like calling the ejb
    } finally {
        // restore whatever caller was in place before this block
        ContextManager.popCallers(oldCallers);
    }

Or if you are adventurous you can use (unreleased) geronimo 2.2 +
jetty7 with a jaspic authentication module.

At this point, Juergen's suggestion of using
sessionContext.getCallerPrincipal() in the ejb will work.

david jencks
> I believe if I was within a web container I'd be able to use the equivalent
> of:  HttpServletRequest.getUserPrincipal() ...  Can someone point me to a
> reference, decently documented example or something that will tell me what
> API I need to use?  I'm happy to do some reading but I've looked around
> quite a bit and I think I might be missing something...  There doesn't seem
> to be a clear reference to this in the standard geronimo documentation -
> only some light discussion for web containers.
> Thanks in advance!
> -Keith

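The procedure David describes above (ContextManager.login, then setCallers around the EJB call, with getCallerPrincipal() on the bean side), assembled into one servlet-plus-bean pair as an added example. This is not code from the thread or from the Geronimo project. It keeps the realm name SecurityRealm and the SessionManagerRemote interface from Keith's post, assumes the servlet and the bean are deployed to the same Geronimo 2.1 instance so the call stays in-VM, and invents the whoAmI() method, the LoginServlet class, the role name "user" and the small UserPasswordHandler that stands in for Keith's UserIdPasswordCallbackHandler (whose source is not on the page).

```java
// --- SessionManagerRemote.java (interface name from the post; whoAmI() is assumed) ---
public interface SessionManagerRemote {
    String whoAmI();
}

// --- SessionManagerBean.java ---
import javax.annotation.Resource;
import javax.annotation.security.RolesAllowed;
import javax.ejb.SessionContext;
import javax.ejb.Stateless;

@Stateless
public class SessionManagerBean implements SessionManagerRemote {
    @Resource
    private SessionContext sessionContext;

    // "user" is an assumed role name.  getCallerPrincipal() only reports who is
    // calling; without a role constraint here (or in the deployment descriptor)
    // any caller, authenticated or not, can still invoke the method.
    @RolesAllowed("user")
    public String whoAmI() {
        return sessionContext.getCallerPrincipal().getName();
    }
}

// --- LoginServlet.java ---
import java.io.IOException;
import javax.ejb.EJB;
import javax.security.auth.Subject;
import javax.security.auth.callback.*;
import javax.security.auth.login.LoginContext;
import javax.security.auth.login.LoginException;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.apache.geronimo.security.Callers;
import org.apache.geronimo.security.ContextManager;

public class LoginServlet extends HttpServlet {
    private static final String REALM = "SecurityRealm"; // realm name from the post

    @EJB
    private SessionManagerRemote remote; // injected, same server: no ejbd:// hop

    @Override
    protected void doPost(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        String user = req.getParameter("user");
        String password = req.getParameter("password");
        if (user == null || password == null) {
            resp.sendError(HttpServletResponse.SC_BAD_REQUEST);
            return;
        }

        LoginContext lc;
        try {
            // Unlike new LoginContext(REALM, handler).login(), this goes through
            // Geronimo's ContextManager, so the server learns about the Subject.
            lc = ContextManager.login(REALM, new UserPasswordHandler(user, password.toCharArray()));
        } catch (LoginException e) {
            resp.sendError(HttpServletResponse.SC_UNAUTHORIZED);
            return;
        }

        Subject subject = lc.getSubject();
        Callers oldCallers = ContextManager.setCallers(subject, subject);
        try {
            // Within this block the EJB container sees 'subject' as the caller,
            // so the bean's getCallerPrincipal() names the user who just logged in.
            resp.getWriter().println("EJB sees caller: " + remote.whoAmI());
        } finally {
            ContextManager.popCallers(oldCallers); // never leave the caller set on the thread
            try { lc.logout(); } catch (LoginException ignored) { /* best effort */ }
        }
    }

    /** Minimal JAAS handler answering the name/password callbacks SQLLoginModule asks for. */
    static final class UserPasswordHandler implements CallbackHandler {
        private final String user;
        private final char[] password;

        UserPasswordHandler(String user, char[] password) {
            this.user = user;
            this.password = password;
        }

        public void handle(Callback[] callbacks) throws UnsupportedCallbackException {
            for (Callback cb : callbacks) {
                if (cb instanceof NameCallback) {
                    ((NameCallback) cb).setName(user);
                } else if (cb instanceof PasswordCallback) {
                    ((PasswordCallback) cb).setPassword(password);
                } else {
                    throw new UnsupportedCallbackException(cb);
                }
            }
        }
    }
}
```

The example uses an injected reference instead of the ejbd://localhost:4201 lookup from the post on purpose: ContextManager tracks the current caller per thread, so the caller set in the servlet is only visible to an EJB invoked on that same thread in the same JVM. Two things to check when trying this: the finally block must always run popCallers, or the next request served by that thread inherits joe's identity, and the bean still needs a role constraint, because getCallerPrincipal() identifies the caller but does not by itself refuse anyone.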