From: Quintin Beukes
To: user@geronimo.apache.org
Date: Sat, 5 Sep 2009 19:11:10 +0200
Subject: Re: Login Contexts NOT working
Message-ID: <1f3854d50909051011j4fd96dcaq17c3e5abc3acbfab@mail.gmail.com>
In-Reply-To: <1f3854d50909050840m54afaa5fgd78cb03721150d19@mail.gmail.com>
Hey David,

Thanks for the response. The community for Geronimo seems very small, so it's quite a lonely struggle.

Either way. I finally got it right about 5 minutes ago, but yet again have another problem. This isn't so much a problem as it is an unreachable feature.

Assume I get the IC as follows:

    Properties p = new Properties();
    p.put("java.naming.factory.initial", "org.apache.openejb.client.RemoteInitialContextFactory");
    p.put("java.naming.provider.url", "ejbd://localhost:4201");
    // user and pass optional
    p.put("openejb.authentication.realmName", "KMSRealm");
    p.put("java.naming.security.principal", "quintin");
    p.put("java.naming.security.credentials", "pass");

    InitialContext ctx = new InitialContext(p);

I am able to login and have the method authorizations work as intended for different users. The problem is that I use JAAS for the login and would like to use my own LoginModule. Is there any way to have the above method use JAAS authentication with my own LoginModule?

Re. documentation, they are quite hard to find. They document the features but it's not always clear that a given document is what you're looking for. I sometimes read something and realize that a certain part of it might help me. I am, however, documenting my struggles on my blog, so hopefully people with similar problems can find an exact explanation on solving it.

Further I also usually keep wikis for projects I use up to date, and submit patches for things I change. So whenever I get all these things working and back on track I will be contributing to the project, whether in issues/feature requests being reported, documentation/source patch submissions or wiki updates.

Q

On Sat, Sep 5, 2009 at 6:55 PM, David Jencks <david_jencks@yahoo.com> wrote:
>
> On Sep 5, 2009, at 8:40 AM, Quintin Beukes wrote:
>
>> My oh my this week has given me headaches. I went through hundreds of lines of code for both geronimo and OpenEJB, and I can't seem to figure out why this isn't working. From what I've found on the internet it should work (unless I'm missing something).
>>
>> OK. So I have this EJB:
>>
>> @Stateless
>> @DeclareRoles( { "Admin" })
>> @RolesAllowed( { "Admin" })
>> public class TestBean implements TestRemote, TestLocal
>> {
>>   @Resource
>>   private SessionContext sessionCtx;
>>
>>   public String getInfo()
>>   {
>>     Principal p = sessionCtx.getCallerPrincipal();
>>     StringBuilder sb = new StringBuilder();
>>     sb.append("\n").append("Principal: " + p.getName() + " - type: " + p.getClass().getCanonicalName());
>>     return sb.toString();
>>   }
>> }
>>
>> getInfo() is a Remote method.
>>
>> Then its deploy plan contains:
>>
>>   <security doas-current-called="true" default-role="Admin">
>>
>>   </security>
>>
>> And I do a remote lookup as follows:
>>
>>    Properties p = new Properties();
>>    p.put("java.naming.factory.initial", "org.apache.openejb.client.RemoteInitialContextFactory");
>>    p.put("java.naming.provider.url", "ejbd://localhost:4201");
>>    // user and pass optional
>>    p.put("openejb.authentication.realmName", "KMSRealm");
>>    p.put("java.naming.security.principal", "quintin");
>>    p.put("java.naming.security.credentials", "pass");
>>
>>    InitialContext ctx = new InitialContext(p);
>>
>>    TestRemote myBean = (TestRemote) ctx.lookup("TestBeanRemote");
>>    String info = myBean.getInfo();
>>
>> When I run the code I get an: Exception in thread "main" javax.ejb.EJBAccessException: Unauthorized Access by Principal Denied
>>
>> So, I remove the security definitions from the EJB and its deploy plan, the method executes, and the Principal it returns is UnauthenticatedPrincipal.
>>
>> KMSRealm is a server wide SQLLoginModule realm defined in the geronimo console. I know the login works, because changing the InitialContext credentials causes the login to fail. So all this works.
>>
>> I am basically trying to login via EJB, and then be able to do two things (1) define authorizations on the EJBs/methods (2) Retrieve the Subject/Principal. Both of these are very important.
>
> You need to map the principal from the login module to the roles in your app, in your <security> element. Can you show what you have for this?
>
>> I've also tried replacing my <security> element in the deploy plan to this:
>>
>>   <security>
>>      <default-subject>
>>         <realm>KMSRealm</realm>
>>         <id>quintin</id>
>>      </default-subject>
>>   </security>
>
> If you use something like this you also need to set up a credential store that will log into your realm to get the Subject you are trying to specify here.
>
>> But then I get the following when deploying:
>>    Error: Operation failed: start of kms/KMSPlatform-ejb/1.0/jar failed
>>
>>            Unknown start exception
>>
>>            Configuration kms/KMSPlatform-ejb/1.0/jar failed to start due to
>>    the following reasons:
>>
>>      The service
>>    EJBModule=kms/KMSPlatform-ejb/1.0/jar,J2EEApplication=null,j2eeType=StatelessSessionBean,name=PersonnelBean
>>    did not start because
>>    kms/KMSPlatform-ejb/1.0/jar?EJBModule=kms/KMSPlatform-ejb/1.0/jar,J2EEApplication=null,j2eeType=JACCManager,name=JACCManager
>>    did not start.
>>
>>      The service
>>    EJBModule=kms/KMSPlatform-ejb/1.0/jar,J2EEApplication=null,j2eeType=StatelessSessionBean,name=TestBean
>>    did not start because
>>    kms/KMSPlatform-ejb/1.0/jar?EJBModule=kms/KMSPlatform-ejb/1.0/jar,J2EEApplication=null,j2eeType=JACCManager,name=JACCManager
>>    did not start.
>>
>>      The service
>>    EJBModule=kms/KMSPlatform-ejb/1.0/jar,J2EEApplication=null,j2eeType=JACCManager,name=JACCManager
>>    did not start because Unknown realm: KMSRealm
>>
>> I am up to my head in frustration. I gave Geronimo a try on a redev of a project, but what took me about half a day to set up on Glassfish has now taken me a week. Can anyone please help me out, because I really want to have Geronimo's benefits in my applications.
>
> I have to run now, if these hints don't get you farther let us know and I'll try to be more detailed. I think there is some documentation at least in the 2.2 docs for both of these. If they are hard to find and you can think of better ways to get to them please let us know.
>
> thanks
> david jencks
>
>> --
>> Quintin Beukes

--
Quintin Beukes
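The principal-to-role mapping David refers to, written out as an added example that is not part of this thread or of the Geronimo project's own documentation. It assumes the Geronimo 2.x security-2.0 plan schema and the GeronimoUserPrincipal/GeronimoGroupPrincipal classes that Geronimo's SQLLoginModule adds to the Subject; the group name "admins" is a constructed sample.

```xml
<!-- Added example (not from the thread): the <security> element of an openejb-jar.xml
     deployment plan with explicit role mappings. Assumption: Geronimo 2.x security-2.0
     schema, declared here as the default namespace so the element is self-contained. -->
<security xmlns="http://geronimo.apache.org/xml/ns/security-2.0">
  <!-- No <default-subject>: each call is authorized as the caller who logged in through
       the InitialContext credentials, so no credential store is required for this case. -->
  <role-mappings>
    <!-- The bean's @RolesAllowed("Admin") is satisfied only by callers whose Subject
         carries one of the principals listed under this role. -->
    <role role-name="Admin">
      <!-- User principal produced by SQLLoginModule for the "quintin" account
           (assumption: the realm's user principal class is GeronimoUserPrincipal). -->
      <principal class="org.apache.geronimo.security.realm.providers.GeronimoUserPrincipal"
                 name="quintin"/>
      <!-- Preferred for least privilege: grant the role to a realm group instead of naming
           individual users. "admins" is a constructed sample group name (assumption: the
           realm's group query returns it for administrators). -->
      <principal class="org.apache.geronimo.security.realm.providers.GeronimoGroupPrincipal"
                 name="admins"/>
    </role>
  </role-mappings>
</security>
```

Any principal the realm's LoginModule places in the Subject that is not listed under a role gets no role at all, which matches the "Unauthorized Access by Principal Denied" seen above with a <security> element that contained no role-mappings.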