This is a discussion on How to use a custom JAAS application login module in EJB 2.1 - Websphere ; Hi, I built a custom JAAS login module, and added to my "Application Logins" following the introduction in "IBM WebSphere Application Server V6.1 Security Handbook". But I don't know how to use the "Alias" specified in "Application Logins" to secure ...
Hi, I built a custom JAAS login module, and added to my "Application Logins" following the introduction in "IBM WebSphere Application
Server V6.1 Security Handbook". But I don't know how to use the "Alias" specified in "Application Logins" to secure my EJB project.
If you have any idea about this, help me out, please!
karlory@msn.com wrote:
> Hi, I built a custom JAAS login module, and added to my "Application
> Logins" following the introduction in "IBM WebSphere Application
> Server V6.1 Security Handbook". But I don't know how to use the
> "Alias" specified in "Application Logins" to secure my EJB project.
> If you have any idea about this, help me out, please!
What are you actually trying to achieve ?
OK, Here is my situation:
1. I built a custom login module as below into my EAR including a very simple EJB with declarative security done by ejb-jar.xml.
package tutorial;
import java.io.IOException;
import java.security.Principal;
import java.util.Map;
import javax.security.auth.Subject;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.NameCallback;
import javax.security.auth.callback.PasswordCallback;
import javax.security.auth.callback.UnsupportedCallbackEx ception;
import javax.security.auth.login.LoginException;
import javax.security.auth.spi.LoginModule;
import com.ibm.ws.security.common.auth.WSPrincipalImpl;
import com.ibm.wsspi.security.auth.callback.WSTokenHolder Callback;
public class WebsphereLoginModule implements LoginModule {
private Subject subject;
private CallbackHandler callbackHandler;
private Map<String, ?> sharedState;
private Map<String, ?> options;
private boolean succeeded = false;
private String username;
private String password;
private Principal principal;
public boolean abort() throws LoginException {
return true;
}
public boolean commit() throws LoginException {
if(!succeeded) {
return false;
}
principal = new WSPrincipalImpl("authenticated");
if(!subject.getPrincipals().contains(p rincipal)) {
subject.getPrincipals().add(prin cipal);
}
return true;
}
public void initialize(Subject subject, CallbackHandler callbackHandler, Map<String, ?> sharedState, Map<String, ?> options) {
System.out.println("======================= INITIALIZING MY LOGIN MODULE =========================");
this.subject = subject;
this.callbackHandler = callbackHandler;
this.sharedState = sharedState;
this.options = options;
}
public boolean login() throws LoginException {
if(callbackHandler == null) {
throw new LoginException("Error: No CallbackHandler available");
}
Callback[] callbacks = new Callback[3];
callbacks[0] = new WSTokenHolderCallback("");
callbacks[1] = new NameCallback("user name: ");
callbacks[2] = new PasswordCallback("password: ", false);
try {
callbackHandler.handle(callbacks );
} catch (IOException e) {
throw new LoginException(e.toString());
} catch (UnsupportedCallbackException e) {
throw new LoginException("Error" + e.getCallback().toString());
}
boolean requiresLogin = ((WSTokenHolderCallback) callbacks[0]).getRequiresLogin();
if(requiresLogin) {
username = ((NameCallback) callbacks[1]).getName();
password = new String(((PasswordCallback) callbacks[2]).getPassword());
((PasswordCallback) callbacks[2]).clearPassword();
System.out.println("======================= username: " + username);
System.out.println("======================= password: " + password);
succeeded = ("max".equals(username) && "secret".equals(password));
} else {
succeeded = true;
}
return succeeded;
}
public boolean logout() throws LoginException {
subject.getPrincipals().remove(princip al);
return true;
}
}
2. Added it to "Application Logins" fellows these steps like below.
You can add a new application JAAS login module configuration to the list.
Perform the following steps:
1. Under Application login configuration, click New.
2. Provide an alias name, for example: MyLoginModule.
3. Click Apply. Do not click OK yet, you are going to define the login module first
before you save the configuration.
4. Click JAAS login modules.
5. Click New in the new window.
6. Provide the fully qualified name (including package name) for your custom
LoginModule implementation in the Module class name field, for example:
com.ibm.itso.MyLoginModuleImpl
Select the Use login module proxy check box, to ensure the class visibility
for applications. For more information about the login module proxy, refer to
the WebSphere Information Center.
Select the authentication strategy, set as REQUIRED for now. The options
include: REQUIRED, REQUISITE, SUFFICIENT, and OPTIONAL. For more
information about the different strategies, refer to the WebSphere Information
Center.
7. Click OK.
8. Save the configuration for WebSphere.
3. Deploy to Websphere v6.1 using RAD 7, coded a thin client to test my EJB as below
package tutorial;
import java.util.HashMap;
import java.util.Hashtable;
import java.util.Map;
import javax.naming.Context;
import javax.naming.InitialContext;
import javax.rmi.PortableRemoteObject;
import javax.security.auth.Subject;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.login.AppConfigurationEntry;
import javax.security.auth.login.Configuration;
import javax.security.auth.login.LoginContext;
import javax.security.auth.login.AppConfigurationEntry.Lo ginModuleControlFlag;
import com.ibm.websphere.security.auth.callback.WSGUICall backHandlerImpl;
public class Main {
public static void main(String[] args) throws Exception {
final Map<String, String> cfg = new HashMap<String, String>();
cfg.put("delegate",
"com.ibm.ws.sec urity.common.auth.module.WSLoginModuleImpl");
Configuration configuration = new javax.security.auth.login.Configuration() {
private AppConfigurationEntry[] aces = { new AppConfigurationEntry(
&nb sp; "com.ibm.ws.security.common.auth.module.proxy.WSLog inModuleProxy",
&nb sp; LoginModuleControlFlag.REQUIRED, cfg) };
@Override
public AppConfigurationEntry[] getAppConfigurationEntry(String name) {
return "WSLogin".equals(name) ? aces : null;
}
@Override
public void refresh() {
}
};
CallbackHandler loginHandler = new WSGUICallbackHandlerImpl();
Subject subject = new Subject();
LoginContext lc = new LoginContext("WSLogin", subject, loginHandler,
configuration);
lc.login();
// Subject subject = lc.getSubject();
final String s = "max";
Hashtable env = new Hashtable();
env.put(Context.INITIAL_CONTEXT_FACTOR Y,
"com.ibm.websph ere.naming.WsnInitialContextFactory");
env.put(Context.PROVIDER_URL, "corbaloc:iiop:localhost:2809");
Context ctx = new InitialContext(env);
Object obj = ctx.lookup("ejb/tutorial/HelloHome");
HelloHome home = (HelloHome) PortableRemoteObject.narrow(obj,
HelloHome.class );
System.out.println(home.create().hello (s));
}
}
5. I got these error message as below, when run my client project
Feb 23, 2008 11:44:17 AM com.ibm.ws.util.ImplFactory
WARNING: WSVR0073W
Exception in thread "P=256375:O=0:CT" java.rmi.AccessException: CORBA NO_PERMISSION 0x0 No; nested exception is:
org.omg.CORBA.NO_PERMISSION:
>> SERVER (id=4773e3aa, host=maxop) TRACE START:
>> org.omg.CORBA.NO_PERMISSION: java.rmi.AccessException: ; nested exception is:
com.ibm.websphere.csi.CSIAccessException : SECJ0053E: Authorization failed for /UNAUTHENTICATED while invoking (Home)ejb/tutorial/HelloHome create:2 securityName: /UNAUTHENTICATED;accessID: UNAUTHENTICATED is not granted any of the required roles: jaasAdmin vmcid: 0x0 minor code: 0 completed: No
>> at com.ibm.ws.security.core.SecurityCollaborator.perf ormAuthorization(SecurityCollaborator.java:490)
>> at com.ibm.ws.security.core.EJSSecurityCollaborator.p reInvoke(EJSSecurityCollaborator.java:209)
>> at com.ibm.ejs.container.EJSContainer.preInvokeForSta telessSessionCreate(EJSContainer.java:3612)
>> at com.ibm.ejs.container.EJSContainer.preInvoke(EJSCo ntainer.java:2833)
>> at tutorial.EJSRemoteStatelessHelloHome_650957be.crea te(EJSRemoteStatelessHelloHome_650957be.java:90)
>> at tutorial._EJSRemoteStatelessHelloHome_650957be_Tie .create(_EJSRemoteStatelessHelloHome_650957be_Tie. java:161)
>> at tutorial._EJSRemoteStatelessHelloHome_650957be_Tie ._invoke(_EJSRemoteStatelessHelloHome_650957be_Tie .java:86)
>> at com.ibm.CORBA.iiop.ServerDelegate.dispatchInvokeHa ndler(ServerDelegate.java:613)
>> at com.ibm.CORBA.iiop.ServerDelegate.dispatch(ServerD elegate.java:466)
>> at com.ibm.rmi.iiop.ORB.process(ORB.java:503)
>> at com.ibm.CORBA.iiop.ORB.process(ORB.java:1552)
>> at com.ibm.rmi.iiop.Connection.respondTo(Connection.j ava:2673)
>> at com.ibm.rmi.iiop.Connection.doWork(Connection.java :2551)
>> at com.ibm.rmi.iiop.WorkUnitImpl.doWork(WorkUnitImpl. java:62)
>> at com.ibm.ejs.oa.pool.PooledThread.run(ThreadPool.ja va:95)
>> at com.ibm.ws.util.ThreadPool$Worker.run(ThreadPool.j ava:1510)
>> SERVER (id=4773e3aa, host=maxop) TRACE END.
vmcid: 0x0 minor code: 0 completed: No
at com.ibm.CORBA.iiop.UtilDelegateImpl.mapSystemExcep tion(UtilDelegateImpl.java:254)
at javax.rmi.CORBA.Util.mapSystemException(Util.java: 84)
at tutorial._HelloHome_Stub.create(_HelloHome_Stub.ja va:228)
at tutorial.Main.main(Main.java:50)
Caused by: org.omg.CORBA.NO_PERMISSION:
>> SERVER (id=4773e3aa, host=maxop) TRACE START:
>> org.omg.CORBA.NO_PERMISSION: java.rmi.AccessException: ; nested exception is:
com.ibm.websphere.csi.CSIAccessException : SECJ0053E: Authorization failed for /UNAUTHENTICATED while invoking (Home)ejb/tutorial/HelloHome create:2 securityName: /UNAUTHENTICATED;accessID: UNAUTHENTICATED is not granted any of the required roles: jaasAdmin vmcid: 0x0 minor code: 0 completed: No
>> at com.ibm.ws.security.core.SecurityCollaborator.perf ormAuthorization(SecurityCollaborator.java:490)
>> at com.ibm.ws.security.core.EJSSecurityCollaborator.p reInvoke(EJSSecurityCollaborator.java:209)
>> at com.ibm.ejs.container.EJSContainer.preInvokeForSta telessSessionCreate(EJSContainer.java:3612)
>> at com.ibm.ejs.container.EJSContainer.preInvoke(EJSCo ntainer.java:2833)
>> at tutorial.EJSRemoteStatelessHelloHome_650957be.crea te(EJSRemoteStatelessHelloHome_650957be.java:90)
>> at tutorial._EJSRemoteStatelessHelloHome_650957be_Tie .create(_EJSRemoteStatelessHelloHome_650957be_Tie. java:161)
>> at tutorial._EJSRemoteStatelessHelloHome_650957be_Tie ._invoke(_EJSRemoteStatelessHelloHome_650957be_Tie .java:86)
>> at com.ibm.CORBA.iiop.ServerDelegate.dispatchInvokeHa ndler(ServerDelegate.java:613)
>> at com.ibm.CORBA.iiop.ServerDelegate.dispatch(ServerD elegate.java:466)
>> at com.ibm.rmi.iiop.ORB.process(ORB.java:503)
>> at com.ibm.CORBA.iiop.ORB.process(ORB.java:1552)
>> at com.ibm.rmi.iiop.Connection.respondTo(Connection.j ava:2673)
>> at com.ibm.rmi.iiop.Connection.doWork(Connection.java :2551)
>> at com.ibm.rmi.iiop.WorkUnitImpl.doWork(WorkUnitImpl. java:62)
>> at com.ibm.ejs.oa.pool.PooledThread.run(ThreadPool.ja va:95)
>> at com.ibm.ws.util.ThreadPool$Worker.run(ThreadPool.j ava:1510)
>> SERVER (id=4773e3aa, host=maxop) TRACE END.
vmcid: 0x0 minor code: 0 completed: No
at sun.reflect.NativeConstructorAccessorImpl.newInsta nce0(Native Method)
at sun.reflect.NativeConstructorAccessorImpl.newInsta nce(NativeConstructorAccessorImpl.java:67)
at sun.reflect.DelegatingConstructorAccessorImpl.newI nstance(DelegatingConstructorAccessorImpl.java:45)
at java.lang.reflect.Constructor.newInstance(Construc tor.java:521)
at com.ibm.rmi.iiop.ReplyMessage._getSystemException( ReplyMessage.java:241)
at com.ibm.rmi.iiop.ReplyMessage.getSystemException(R eplyMessage.java:189)
at com.ibm.rmi.iiop.ClientResponseImpl.getSystemExcep tion(ClientResponseImpl.java:232)
at com.ibm.rmi.corba.ClientDelegate.invoke(ClientDele gate.java:534)
at com.ibm.CORBA.iiop.ClientDelegate.invoke(ClientDel egate.java:1150)
at com.ibm.rmi.corba.ClientDelegate.invoke(ClientDele gate.java:756)
at com.ibm.CORBA.iiop.ClientDelegate.invoke(ClientDel egate.java:1180)
at org.omg.CORBA.portable.ObjectImpl._invoke(ObjectIm pl.java:484)
at tutorial._HelloHome_Stub.create(_HelloHome_Stub.ja va:215)
... 1 more
6. And none of "System.out.println" in my WebsphereLoginModule.java was executed.
So, my problem is how to make Websphere to call my WebsphereLoginModule instand of the default one when I try to call my EJB.
karlory@msn.com wrote:
> So, my problem is how to make Websphere to call my
> WebsphereLoginModule instand of the default one when I try to call my
> EJB.
Well, the code you listed was completely unreadable because the web site
screws everything up for NNTP users. But you have not explained why you
need a custom login module. What are you trying to do that WAS won't do
by default? What is your user registry?
Assuming that you even need one, why try to use an application config
rather than add your module to RMI_INBOUND ?
I suggest that you begin by reading this paper:
http://www.ibm.com/developerworks/we..._benantar.html
But you have not explained why you need a custom login module. What are you trying to do that WAS won't do by default? What is your user registry?
Because I need to implement a bunch of business logic in my login module. I use Oracle to store user information.
why try to use an application config rather than add your module to RMI_INBOUND ?
My login module only be useful to my enterprise application, and I don't want it to effect other applications.
There is something like "Security domain" in JBoss can achieve my purpose.
<jboss>
<security-domain>java:/jaas/JawJaasDbRealm</security-domain>
...
</jboss>
I don't know how to make it in Websphere.
I have the EXACT same question:
What is the WebSphere equivalent of thething in JBoss?
karlory - were you able to figure this out? Or got it working some other way? I would really appreciate a response, because I have hit a road-block and need help
