I have the following situation (I try to simplify it):
1. I have a standalone Apache Tomcat server (5.5.26), on which is
running a web application:
- A Welcome jsp page (Welcome.jsp) and 2 Servlets: CalculatorServlet
and MyProtectedServlet
- The CalculatorSevlet servlet has to access remotly a stateless
session bean on a JBoss application server:
Properties env = new Properties();
env.put(Context.INITIAL_CONTEXT_FACTORY,"
org.jnp.interfaces.NamingContextFactory");
env.put(Context.URL_PKG_PREFIXES, "org.jnp.interfaces");
env.put(Context.PROVIDER_URL, "localhost:1099");
Context c = new InitialContext(env);
MyCalculatorRemote calculator = c.lookup
("MyCalculatorBean/remote");
int result = calculator.sum(a, b);
1. I have a standalone JBoss server (version 4.2.2), on which is
running an EJB3 application
- A Stateless session bean (MyCalculatorBean), which exposes a sum(nt
a, int b) method through the remote interface:
@Stateless
@SecurityDomain("MyRealm")
public class MyCalculatorBean implements MyCalculatorRemote {
@RolesAllowed("math")
public Integer sum(int a, int b) {
return a + b;
}
}
- The Session bean is defined under the jboss security domain called
"MyRealm", which is defined in the jboss login-config.xml and in fact
uses a MySql database for authentication and authorization:
<application-policy name = "MyRealm">
<authentication>
<login-module code = "
org.jboss.security.auth.spi.DatabaseServerLoginModule" flag = "required">
<module-option name = "debug">true</module-option>
<module-option name =
"dsJndiName">java:/MysqlDS</module-option>
<module-option name = "principalsQuery">SELECT
PASSWORD FROM USERS WHERE EMAIL=?</module-option>
<module-option name = "rolesQuery">SELECT ROLE,
'Roles' FROM ROLES WHERE EMAIL=?</module-option>
</login-module>
</authentication>
</application-policy>
- The method sum(int a, int b) of the Session bean can be called only
by authenticated users with "math" role:
@RolesAllowed("math")
public Integer sum(int a, int b) {
return a + b;
}
Since the Session bean is secured with jboss security mechanism, which is
based on JAAS, to access the bean I have to setup JAAS authentication on the
web application (Single sign on authentication):
- I defined a JAASRealm in the Tomcat server.xml
<Context path="/MyWebApplication" docBase="/MyWebApplication">
<Resource name="jdbc/MyDB" auth="Container" type="
javax.sql.DataSource"
maxActive="100" maxIdle="30" maxWait="10000"
username="root" password="admin" driverClassName="
org.gjt.mm.mysql.Driver"
url="jdbc:mysql://localhost/mydb?autoReconnect=true"/>
<Realm className="org.apache.catalina.realm.JAASRealm"
appName="MyRealm"
userClassNames="org.jboss.security.SimplePrincipal"
roleClassNames="org.jboss.security.SimpleGroup"
debug="99"/>
</Context>
- I defined a login.config file to be used by the JAASRealm; the file
defines the login module to be used for jaas authentication and I define to
use the JBoss DatabaseServerLoginModule (I imported the jboss security
library into the tomcat common/lib folder):
MyRealm{
org.jboss.security.auth.spi.DatabaseServerLoginModulesufficient
debug="true"
dsJndiName="java:comp/env/jdbc/MyDB"
principalsQuery="select password from users where
email=?"
rolesQuery="select role, 'Roles' from roles where
email=?";
};
- I set up Tomcat to specify the location of the login.config file,
changing the catalina.bat script:
set JAVA_OPTS=%JAVA_OPTS% -
Djava.security.auth.login.config==%CATALINA_HOME%/conf/login.config
- I set up the web.xml of my web application to define the login
configuration and the security constrains like follows:
<security-constraint>
<display-name>Constraint</display-name>
<web-resource-collection>
<web-resource-name>Proteced Servlet</web-resource-name>
<description/>
<url-pattern>/MyProtectedServlet</url-pattern>
<http-method>GET</http-method>
<http-method>POST</http-method>
<http-method>HEAD</http-method>
<http-method>PUT</http-method>
<http-method>OPTIONS</http-method>
<http-method>TRACE</http-method>
<http-method>DELETE</http-method>
</web-resource-collection>
<auth-constraint>
<description>Auth</description>
<role-name>math</role-name>
</auth-constraint>
</security-constraint>
<login-config>
<auth-method>FORM</auth-method>
<realm-name>MyRealm</realm-name>
<form-login-config>
<form-login-page>/login.jsp</form-login-page>
<form-error-page>/error.jsp</form-error-page>
</form-login-config>
</login-config>
<security-role>
<description>Math role</description>
<role-name>math</role-name>
</security-role>
- I defined finally the login.jsp page as required for jaas
authentication:
<html>
<head>
<title>Login Page</title>
<form action='j_security_check' name="loginForm" method="POST">
<table border="0" cellspacing="5">
<tr>
<th align="right">Username:</th>
<td align="left"><input type="text" name="j_username"
id="username"></td>
</tr>
<tr>
<th align="right">Password:</th>
<td align="left"><input type="password" name="j_password"
id="password"></td>
</tr>
<tr>
<td align="right"><input type="submit" value="Log In"></td>
<td align="left"><input type="reset"></td>
</tr>
</table>
</form>
</html>
Now, the flow is the following one:
- I acces the web application root (http:\\localhost:8081\MyWebApplicaiton)
through the web browser and it displays the Welcom page (Welcome.jsp)
- I click on a link on the Welcome page to the MyProtectedServlet
- Since the MyProtectedServlet is a protected resource I'm redirected
to the login page
- I enter my credentials in the login page form and submit
- the browser displays the MyProtectedServlet which has a link to the
MyServlet servelt
- Clicking on the link, I'm redirect to MyServlet, which calls the
remote session bean (passing automatically the Principal of the logged in
user, which is supposed to be stored in the HttpServletRequest) and the
result of the call is displayed on the page
Unfortunatelly I have to following issue trying to accomplish this process:
- When submitting my credentials through the login page, I'm
authenticated correctly (I'm not rediredted to the error.jsp page) and
redirect to MyProtectedServlet. Then I tried to access the MyServlet servlet
after the authentication (i.e. firstly I try to access the
MyProtectedServlet, than I get the login page, than I submit the
credentials, than I'm redirect to MyProtectedServlet and finally I access
the MyServlet servlet ). Doing some debugging I discovered that just before
calling the remote session bean method, the principal of the logged in user
is stored in the HTTPServletRequest (request.getUserPrincipal). But
when it performes the remote call I get an EJBAccessException saying "No
matching username found in principals" and I discovered the reason of this
problem is that on JBoss side the Principal name (username) is null. This
means that the Principal is not propagated to JBoss context through the
request
Has anyone of you any idea of why I have this problems and how to solve them
because I'm really blocked. Thank you in advice for any suggestion
