geronimo-user mailing list archives

From: David Jencks <david_jen...@yahoo.com>
Subject: Re: Login Contexts NOT working
Date: Sat, 05 Sep 2009 16:55:09 GMT

On Sep 5, 2009, at 8:40 AM, Quintin Beukes wrote:

> My oh my this week has given me headaches. I went through hundreds  
> of lines of code for both geronimo and OpenEJB, and I can't seem to  
> figure out why this isn't working. From what I've found on the  
> internet it should work (unless I'm missing something).
>
> OK. So I have this EJB:
>
> @Stateless
> @DeclareRoles( { "Admin" })
> @RolesAllowed( { "Admin" })
> public class TestBean implements TestRemote, TestLocal
> {
>   @Resource
>   private SessionContext sessionCtx;
>
>   public String getInfo()
>   {
>     Principal p = sessionCtx.getCallerPrincipal();
>     StringBuilder sb = new StringBuilder();
>     sb.append("\n").append("Principal: " + p.getName() + " - type: " + p.getClass().getCanonicalName());
>     return sb.toString();
>   }
> }
>
> getInfo() is a Remote method.
>
> Then its deploy plan contains:
>    <security doas-current-caller="true" default-role="Admin">
>
>    </security>
>
> And I do a remote lookup as follows:
>
>     Properties p = new Properties();
>     p.put("java.naming.factory.initial", "org.apache.openejb.client.RemoteInitialContextFactory");
>     p.put("java.naming.provider.url", "ejbd://localhost:4201");
>     // user and pass optional
>     p.put("openejb.authentication.realmName", "KMSRealm");
>     p.put("java.naming.security.principal", "quintin");
>     p.put("java.naming.security.credentials", "pass");
>
>     InitialContext ctx = new InitialContext(p);
>
>     TestRemote myBean = (TestRemote) ctx.lookup("TestBeanRemote");
>     String info = myBean.getInfo();
>
> When I run the code I get an: Exception in thread "main"  
> javax.ejb.EJBAccessException: Unauthorized Access by Principal Denied
>
> So, I remove the security definitions from the EJB and its deploy  
> plan, the method executes, and the Principal it returns is  
> UnauthenticatedPrincipal.
>
> KMSRealm is a server wide SQLLoginModule realm defined in the  
> geronimo console. I know the login works, because changing the  
> InitialContext credentials causes the login to fail. So all this  
> works.
>
> I am basically trying to login via EJB, and then be able to do two  
> things (1) define authorizations on the EJBs/methods (2) Retrieve  
> the Subject/Principal. Both of these are very important.

You need to map the principal from the login module to the roles in  
your app, in your <security> element.  Can you show what you have for  
this?


>
> I've also tried replacing my <security> element in the deploy plan  
> to this:
>    <security>
>       <default-subject>
>          <realm>KMSRealm</realm>
>          <id>quintin</id>
>       </default-subject>
>    </security>

If you use something like this you also need to set up a credential  
store that will log into your realm to get the Subject you are trying  
to specify here.

>
> But then I get the following when deploying:
>     Error: Operation failed: start of kms/KMSPlatform-ejb/1.0/jar failed
>
>             Unknown start exception
>
>             Configuration kms/KMSPlatform-ejb/1.0/jar failed to start due to
>     the following reasons:
>
>       The service
>     EJBModule=kms/KMSPlatform-ejb/1.0/jar,J2EEApplication=null,j2eeType=StatelessSessionBean,name=PersonnelBean
>     did not start because
>     kms/KMSPlatform-ejb/1.0/jar?EJBModule=kms/KMSPlatform-ejb/1.0/jar,J2EEApplication=null,j2eeType=JACCManager,name=JACCManager
>     did not start.
>
>       The service
>     EJBModule=kms/KMSPlatform-ejb/1.0/jar,J2EEApplication=null,j2eeType=StatelessSessionBean,name=TestBean
>     did not start because
>     kms/KMSPlatform-ejb/1.0/jar?EJBModule=kms/KMSPlatform-ejb/1.0/jar,J2EEApplication=null,j2eeType=JACCManager,name=JACCManager
>     did not start.
>
>       The service
>     EJBModule=kms/KMSPlatform-ejb/1.0/jar,J2EEApplication=null,j2eeType=JACCManager,name=JACCManager
>     did not start because Unknown realm: KMSRealm
>
> I am up to my head in frustration. I gave Geronimo a try on a redev  
> of a project, but what took me about half a day to set up on  
> Glassfish has now taken me a week. Can anyone please help me out,  
> because I really want to have Geronimo's benefits in my applications.

I have to run now, if these hints don't get you farther let us know  
and I'll try to be more detailed.  I think there is some documentation  
at least in the 2.2 docs for both of these.  If they are hard to find  
and you can think of better ways to get to them please let us know.

thanks
david jencks

> -- 
> Quintin Beukes
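
Added example (not part of the original message and not taken from the Geronimo documentation): a sketch of the principal-to-role mapping the reply above asks for, as it would appear in the EJB module's Geronimo deployment plan. It assumes the security-2.0 plan namespace and that KMSRealm's SQLLoginModule produces GeronimoUserPrincipal and GeronimoGroupPrincipal instances; the group name "administrators" is a constructed placeholder, since the thread does not say what groups the realm returns.

```xml
<!-- The <security> element posted in the thread has no <role-mappings>,
     so no principal produced by the realm login is tied to the "Admin"
     role that @RolesAllowed({"Admin"}) checks. The element below adds
     that mapping. -->
<security xmlns="http://geronimo.apache.org/xml/ns/security-2.0"
          doas-current-caller="true">
  <role-mappings>
    <role role-name="Admin">
      <!-- Preferred: grant the role to a group, so access is managed in
           the realm's database rather than in the deployment plan.
           "administrators" is an assumed group name; it must match the
           value the login module returns exactly. -->
      <principal
          class="org.apache.geronimo.security.realm.providers.GeronimoGroupPrincipal"
          name="administrators"/>
      <!-- Alternative: grant the role to one user. "quintin" is the
           user name from the thread's JNDI properties. Remove this entry
           if the group mapping is sufficient, to keep the grant narrow. -->
      <principal
          class="org.apache.geronimo.security.realm.providers.GeronimoUserPrincipal"
          name="quintin"/>
    </role>
  </role-mappings>
</security>
```

The principal class and name in each mapping have to match what the login module actually attaches to the Subject; a mismatch in either leaves the caller authenticated but without the role.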

