How to use a custom JAAS application login module in EJB 2.1 - Websphere



Thread: How to use a custom JAAS application login module in EJB 2.1

  1. How to use a custom JAAS application login module in EJB 2.1

    Hi, I built a custom JAAS login module, and added it to my "Application Logins" following the introduction in "IBM WebSphere Application Server V6.1 Security Handbook". But I don't know how to use the "Alias" specified in "Application Logins" to secure my EJB project.

    If you have any idea about this, help me out, please!

  2. Re: How to use a custom JAAS application login module in EJB 2.1

    karlory@msn.com wrote:
    > Hi, I built a custom JAAS login module, and added to my "Application
    > Logins" following the introduction in "IBM WebSphere Application
    > Server V6.1 Security Handbook". But I don't know how to use the
    > "Alias" specified in "Application Logins" to secure my EJB project.
    > If you have any idea about this, help me out, please!



    What are you actually trying to achieve?

  3. Re: How to use a custom JAAS application login module in EJB 2.1

    OK, here is my situation:



    1. I built a custom login module as below into my EAR, which includes a very simple EJB with declarative security done in ejb-jar.xml.



    package tutorial;

    import java.io.IOException;
    import java.security.Principal;
    import java.util.Map;

    import javax.security.auth.Subject;
    import javax.security.auth.callback.Callback;
    import javax.security.auth.callback.CallbackHandler;
    import javax.security.auth.callback.NameCallback;
    import javax.security.auth.callback.PasswordCallback;
    import javax.security.auth.callback.UnsupportedCallbackException;
    import javax.security.auth.login.LoginException;
    import javax.security.auth.spi.LoginModule;

    import com.ibm.ws.security.common.auth.WSPrincipalImpl;
    import com.ibm.wsspi.security.auth.callback.WSTokenHolderCallback;

    public class WebsphereLoginModule implements LoginModule {
          private Subject subject;
          private CallbackHandler callbackHandler;
          private Map<String, ?> sharedState;
          private Map<String, ?> options;
          private boolean succeeded = false;
          private String username;
          private String password;
          private Principal principal;

          public boolean abort() throws LoginException {
                return true;
          }

          // Phase 2: the Subject is only touched once every module's login() has succeeded.
          public boolean commit() throws LoginException {
                if (!succeeded) {
                      return false;
                }
                principal = new WSPrincipalImpl("authenticated");
                if (!subject.getPrincipals().contains(principal)) {
                      subject.getPrincipals().add(principal);
                }
                return true;
          }

          public void initialize(Subject subject, CallbackHandler callbackHandler,
                      Map<String, ?> sharedState, Map<String, ?> options) {
                System.out.println("======================= INITIALIZING MY LOGIN MODULE =========================");
                this.subject = subject;
                this.callbackHandler = callbackHandler;
                this.sharedState = sharedState;
                this.options = options;
          }

          // Phase 1: collect the credentials through the container's CallbackHandler and check them.
          public boolean login() throws LoginException {
                if (callbackHandler == null) {
                      throw new LoginException("Error: No CallbackHandler available");
                }

                Callback[] callbacks = new Callback[3];
                callbacks[0] = new WSTokenHolderCallback("");
                callbacks[1] = new NameCallback("user name: ");
                callbacks[2] = new PasswordCallback("password: ", false);

                try {
                      callbackHandler.handle(callbacks);
                } catch (IOException e) {
                      throw new LoginException(e.toString());
                } catch (UnsupportedCallbackException e) {
                      throw new LoginException("Error" + e.getCallback().toString());
                }

                // getRequiresLogin() tells the module whether WebSphere still needs a login for this request.
                boolean requiresLogin = ((WSTokenHolderCallback) callbacks[0]).getRequiresLogin();
                if (requiresLogin) {
                      username = ((NameCallback) callbacks[1]).getName();
                      password = new String(((PasswordCallback) callbacks[2]).getPassword());
                      ((PasswordCallback) callbacks[2]).clearPassword();
                      System.out.println("======================= username: " + username);
                      // Debug output: this writes the clear-text password to the server log.
                      System.out.println("======================= password: " + password);
                      succeeded = ("max".equals(username) && "secret".equals(password));
                } else {
                      succeeded = true;
                }

                return succeeded;
          }

          public boolean logout() throws LoginException {
                subject.getPrincipals().remove(principal);
                return true;
          }
    }





    2. Added it to "Application Logins" following these steps:

    You can add a new application JAAS login module configuration to the list.
    Perform the following steps:

    1. Under Application login configuration, click New.
    2. Provide an alias name, for example: MyLoginModule.
    3. Click Apply. Do not click OK yet; you are going to define the login module first, before you save the configuration.
    4. Click JAAS login modules.
    5. Click New in the new window.
    6. Provide the fully qualified name (including package name) for your custom LoginModule implementation in the Module class name field, for example: com.ibm.itso.MyLoginModuleImpl
       Select the Use login module proxy check box, to ensure the class visibility for applications. For more information about the login module proxy, refer to the WebSphere Information Center.
       Select the authentication strategy, set as REQUIRED for now. The options include: REQUIRED, REQUISITE, SUFFICIENT, and OPTIONAL. For more information about the different strategies, refer to the WebSphere Information Center.
    7. Click OK.
    8. Save the configuration for WebSphere.



    3. Deployed to WebSphere v6.1 using RAD 7, and coded a thin client to test my EJB as below.



    package tutorial;

    import java.util.HashMap;
    import java.util.Hashtable;
    import java.util.Map;

    import javax.naming.Context;
    import javax.naming.InitialContext;
    import javax.rmi.PortableRemoteObject;
    import javax.security.auth.Subject;
    import javax.security.auth.callback.CallbackHandler;
    import javax.security.auth.login.AppConfigurationEntry;
    import javax.security.auth.login.Configuration;
    import javax.security.auth.login.LoginContext;
    import javax.security.auth.login.AppConfigurationEntry.LoginModuleControlFlag;

    import com.ibm.websphere.security.auth.callback.WSGUICallbackHandlerImpl;

    public class Main {
          public static void main(String[] args) throws Exception {
                // The proxy delegates to IBM's stock WSLoginModuleImpl, not to tutorial.WebsphereLoginModule.
                final Map<String, String> cfg = new HashMap<String, String>();
                cfg.put("delegate",
                            "com.ibm.ws.security.common.auth.module.WSLoginModuleImpl");
                // In-memory JAAS configuration: the alias "WSLogin" maps to that proxy module.
                Configuration configuration = new javax.security.auth.login.Configuration() {
                      private AppConfigurationEntry[] aces = { new AppConfigurationEntry(
                                  "com.ibm.ws.security.common.auth.module.proxy.WSLoginModuleProxy",
                                  LoginModuleControlFlag.REQUIRED, cfg) };

                      @Override
                      public AppConfigurationEntry[] getAppConfigurationEntry(String name) {
                            return "WSLogin".equals(name) ? aces : null;
                      }

                      @Override
                      public void refresh() {
                      }
                };
                // Collects the user name and password through a GUI prompt.
                CallbackHandler loginHandler = new WSGUICallbackHandlerImpl();
                Subject subject = new Subject();
                LoginContext lc = new LoginContext("WSLogin", subject, loginHandler,
                            configuration);
                lc.login();
                // Subject subject = lc.getSubject();

                final String s = "max";
                Hashtable<String, String> env = new Hashtable<String, String>();
                env.put(Context.INITIAL_CONTEXT_FACTORY,
                            "com.ibm.websphere.naming.WsnInitialContextFactory");
                env.put(Context.PROVIDER_URL, "corbaloc:iiop:localhost:2809");
                Context ctx = new InitialContext(env);
                Object obj = ctx.lookup("ejb/tutorial/HelloHome");
                HelloHome home = (HelloHome) PortableRemoteObject.narrow(obj,
                            HelloHome.class);
                // Remote call; the server authorizes the caller before create() runs.
                System.out.println(home.create().hello(s));
          }
    }





    5. I got the error messages below when running my client project.



    Feb 23, 2008 11:44:17 AM com.ibm.ws.util.ImplFactory
    WARNING: WSVR0073W
    Exception in thread "P=256375:O=0:CT" java.rmi.AccessException: CORBA NO_PERMISSION 0x0 No; nested exception is:
          org.omg.CORBA.NO_PERMISSION:
          >> SERVER (id=4773e3aa, host=maxop) TRACE START:
          >> org.omg.CORBA.NO_PERMISSION: java.rmi.AccessException: ; nested exception is:
          com.ibm.websphere.csi.CSIAccessException : SECJ0053E: Authorization failed for /UNAUTHENTICATED while invoking (Home)ejb/tutorial/HelloHome create:2 securityName: /UNAUTHENTICATED;accessID: UNAUTHENTICATED is not granted any of the required roles: jaasAdmin vmcid: 0x0 minor code: 0 completed: No
          >>       at com.ibm.ws.security.core.SecurityCollaborator.performAuthorization(SecurityCollaborator.java:490)
          >>       at com.ibm.ws.security.core.EJSSecurityCollaborator.preInvoke(EJSSecurityCollaborator.java:209)
          >>       at com.ibm.ejs.container.EJSContainer.preInvokeForStatelessSessionCreate(EJSContainer.java:3612)
          >>       at com.ibm.ejs.container.EJSContainer.preInvoke(EJSContainer.java:2833)
          >>       at tutorial.EJSRemoteStatelessHelloHome_650957be.create(EJSRemoteStatelessHelloHome_650957be.java:90)
          >>       at tutorial._EJSRemoteStatelessHelloHome_650957be_Tie.create(_EJSRemoteStatelessHelloHome_650957be_Tie.java:161)
          >>       at tutorial._EJSRemoteStatelessHelloHome_650957be_Tie._invoke(_EJSRemoteStatelessHelloHome_650957be_Tie.java:86)
          >>       at com.ibm.CORBA.iiop.ServerDelegate.dispatchInvokeHandler(ServerDelegate.java:613)
          >>       at com.ibm.CORBA.iiop.ServerDelegate.dispatch(ServerDelegate.java:466)
          >>       at com.ibm.rmi.iiop.ORB.process(ORB.java:503)
          >>       at com.ibm.CORBA.iiop.ORB.process(ORB.java:1552)
          >>       at com.ibm.rmi.iiop.Connection.respondTo(Connection.java:2673)
          >>       at com.ibm.rmi.iiop.Connection.doWork(Connection.java:2551)
          >>       at com.ibm.rmi.iiop.WorkUnitImpl.doWork(WorkUnitImpl.java:62)
          >>       at com.ibm.ejs.oa.pool.PooledThread.run(ThreadPool.java:95)
          >>       at com.ibm.ws.util.ThreadPool$Worker.run(ThreadPool.java:1510)
          >> SERVER (id=4773e3aa, host=maxop) TRACE END.
    vmcid: 0x0 minor code: 0 completed: No
          at com.ibm.CORBA.iiop.UtilDelegateImpl.mapSystemException(UtilDelegateImpl.java:254)
          at javax.rmi.CORBA.Util.mapSystemException(Util.java:84)
          at tutorial._HelloHome_Stub.create(_HelloHome_Stub.java:228)
          at tutorial.Main.main(Main.java:50)
    Caused by: org.omg.CORBA.NO_PERMISSION:
          >> SERVER (id=4773e3aa, host=maxop) TRACE START:
          >> org.omg.CORBA.NO_PERMISSION: java.rmi.AccessException: ; nested exception is:
          com.ibm.websphere.csi.CSIAccessException : SECJ0053E: Authorization failed for /UNAUTHENTICATED while invoking (Home)ejb/tutorial/HelloHome create:2 securityName: /UNAUTHENTICATED;accessID: UNAUTHENTICATED is not granted any of the required roles: jaasAdmin vmcid: 0x0 minor code: 0 completed: No
          >>       at com.ibm.ws.security.core.SecurityCollaborator.performAuthorization(SecurityCollaborator.java:490)
          >>       at com.ibm.ws.security.core.EJSSecurityCollaborator.preInvoke(EJSSecurityCollaborator.java:209)
          >>       at com.ibm.ejs.container.EJSContainer.preInvokeForStatelessSessionCreate(EJSContainer.java:3612)
          >>       at com.ibm.ejs.container.EJSContainer.preInvoke(EJSContainer.java:2833)
          >>       at tutorial.EJSRemoteStatelessHelloHome_650957be.create(EJSRemoteStatelessHelloHome_650957be.java:90)
          >>       at tutorial._EJSRemoteStatelessHelloHome_650957be_Tie.create(_EJSRemoteStatelessHelloHome_650957be_Tie.java:161)
          >>       at tutorial._EJSRemoteStatelessHelloHome_650957be_Tie._invoke(_EJSRemoteStatelessHelloHome_650957be_Tie.java:86)
          >>       at com.ibm.CORBA.iiop.ServerDelegate.dispatchInvokeHandler(ServerDelegate.java:613)
          >>       at com.ibm.CORBA.iiop.ServerDelegate.dispatch(ServerDelegate.java:466)
          >>       at com.ibm.rmi.iiop.ORB.process(ORB.java:503)
          >>       at com.ibm.CORBA.iiop.ORB.process(ORB.java:1552)
          >>       at com.ibm.rmi.iiop.Connection.respondTo(Connection.java:2673)
          >>       at com.ibm.rmi.iiop.Connection.doWork(Connection.java:2551)
          >>       at com.ibm.rmi.iiop.WorkUnitImpl.doWork(WorkUnitImpl.java:62)
          >>       at com.ibm.ejs.oa.pool.PooledThread.run(ThreadPool.java:95)
          >>       at com.ibm.ws.util.ThreadPool$Worker.run(ThreadPool.java:1510)
          >> SERVER (id=4773e3aa, host=maxop) TRACE END.
    vmcid: 0x0 minor code: 0 completed: No
          at sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method)
          at sun.reflect.NativeConstructorAccessorImpl.newInstance(NativeConstructorAccessorImpl.java:67)
          at sun.reflect.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:45)
          at java.lang.reflect.Constructor.newInstance(Constructor.java:521)
          at com.ibm.rmi.iiop.ReplyMessage._getSystemException(ReplyMessage.java:241)
          at com.ibm.rmi.iiop.ReplyMessage.getSystemException(ReplyMessage.java:189)
          at com.ibm.rmi.iiop.ClientResponseImpl.getSystemException(ClientResponseImpl.java:232)
          at com.ibm.rmi.corba.ClientDelegate.invoke(ClientDelegate.java:534)
          at com.ibm.CORBA.iiop.ClientDelegate.invoke(ClientDelegate.java:1150)
          at com.ibm.rmi.corba.ClientDelegate.invoke(ClientDelegate.java:756)
          at com.ibm.CORBA.iiop.ClientDelegate.invoke(ClientDelegate.java:1180)
          at org.omg.CORBA.portable.ObjectImpl._invoke(ObjectImpl.java:484)
          at tutorial._HelloHome_Stub.create(_HelloHome_Stub.java:215)
          ... 1 more



    6. And none of the "System.out.println" calls in my WebsphereLoginModule.java were executed.

    So, my problem is how to make WebSphere call my WebsphereLoginModule instead of the default one when I try to call my EJB.
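    As an added, stand-alone example (not the poster's code and not IBM's), the following Java program walks through the plain JAAS lifecycle that both the handbook steps and the login module above rely on, without any WebSphere classes: an in-memory Configuration plays the role of the "Application Logins" alias, LoginModuleControlFlag.REQUIRED is the "authentication strategy" from step 6, and a small LoginModule shows the login()/commit()/abort()/logout() phases with the password handled as a char[] that is wiped rather than stored or printed. The names JaasLifecycleDemo, DemoLoginModule, UserPrincipal, configFor and handlerFor are invented for this example; the alias MyLoginModule and the credentials max/secret are taken from the thread and are constructed test values.

```java
// Hypothetical stand-alone demo written for this thread; not the poster's code and not IBM's.
import java.io.IOException;
import java.security.Principal;
import java.util.Arrays;
import java.util.Collections;
import java.util.Map;
import javax.security.auth.Subject;
import javax.security.auth.callback.*;
import javax.security.auth.login.*;
import javax.security.auth.login.AppConfigurationEntry.LoginModuleControlFlag;
import javax.security.auth.spi.LoginModule;

public class JaasLifecycleDemo {
    public static final class UserPrincipal implements Principal { // commit() adds one; equals/hashCode let logout() remove it
        private final String name;
        public UserPrincipal(String name) { this.name = name; }
        @Override public String getName() { return name; }
        @Override public String toString() { return name; }
        @Override public int hashCode() { return name.hashCode(); }
        @Override public boolean equals(Object o) { return o instanceof UserPrincipal && name.equals(((UserPrincipal) o).name); }
    }

    // Two-phase module: login() only verifies; commit() is the only method that touches the Subject.
    public static final class DemoLoginModule implements LoginModule {
        private Subject subject;
        private CallbackHandler handler;
        private boolean loginOk;         // outcome of phase 1
        private String username;         // held only between login() and commit()/abort()
        private UserPrincipal principal; // what commit() added, so logout() can remove exactly that
        @Override public void initialize(Subject subject, CallbackHandler handler, Map<String, ?> sharedState, Map<String, ?> options) {
            this.subject = subject; this.handler = handler;
        }
        @Override public boolean login() throws LoginException {
            if (handler == null) throw new LoginException("no CallbackHandler available");
            NameCallback nc = new NameCallback("user name: ");
            PasswordCallback pc = new PasswordCallback("password: ", false);
            try { handler.handle(new Callback[] { nc, pc }); }
            catch (IOException | UnsupportedCallbackException e) { throw new LoginException("callback failed: " + e); }
            char[] pw = pc.getPassword(); // our own copy of the secret (getPassword() clones)
            pc.clearPassword();           // wipe the callback's copy
            // Constructed credentials ("max"/"secret" as in the thread); a real module would consult its user store.
            try { loginOk = "max".equals(nc.getName()) && pw != null && Arrays.equals(pw, "secret".toCharArray()); }
            finally { if (pw != null) Arrays.fill(pw, '\0'); } // never keep the password as a String or print it
            if (!loginOk) throw new FailedLoginException("bad user name or password");
            username = nc.getName();
            return true;
        }
        @Override public boolean commit() {
            if (!loginOk) return false;
            principal = new UserPrincipal(username);
            subject.getPrincipals().add(principal); // a Set, so no contains() check is needed
            username = null;
            return true;
        }
        @Override public boolean abort() { // some module failed: drop phase-1 state, add nothing
            username = null; loginOk = false; principal = null;
            return true;
        }
        @Override public boolean logout() {
            if (principal != null) subject.getPrincipals().remove(principal);
            principal = null; loginOk = false;
            return true;
        }
    }

    // In-memory stand-in for the alias -> login-module mapping that "Application Logins" holds.
    static Configuration configFor(final String alias) {
        return new Configuration() {
            @Override public AppConfigurationEntry[] getAppConfigurationEntry(String name) {
                if (!alias.equals(name)) return null; // unknown alias: the LoginContext constructor throws
                return new AppConfigurationEntry[] { new AppConfigurationEntry(DemoLoginModule.class.getName(),
                        LoginModuleControlFlag.REQUIRED, Collections.<String, Object>emptyMap()) };
            }
        };
    }

    // Feeds fixed credentials to the module's callbacks; stands in for a GUI or console handler.
    static CallbackHandler handlerFor(final String user, final char[] password) {
        return callbacks -> {
            for (Callback cb : callbacks) {
                if (cb instanceof NameCallback) ((NameCallback) cb).setName(user);
                else if (cb instanceof PasswordCallback) ((PasswordCallback) cb).setPassword(password);
                else throw new UnsupportedCallbackException(cb);
            }
        };
    }

    public static void main(String[] args) throws LoginException {
        Configuration cfg = configFor("MyLoginModule"); // the alias from the handbook steps
        Subject subject = new Subject();
        LoginContext lc = new LoginContext("MyLoginModule", subject, handlerFor("max", "secret".toCharArray()), cfg);
        lc.login(); // login() on every module, then commit() on all (or abort() on all if a REQUIRED one failed)
        System.out.println("after login:  " + subject.getPrincipals());
        lc.logout();
        System.out.println("after logout: " + subject.getPrincipals());
        try { // wrong password: login() throws, abort() runs, the Subject stays empty
            new LoginContext("MyLoginModule", new Subject(), handlerFor("max", "wrong".toCharArray()), cfg).login();
        } catch (LoginException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

    Compile and run it with javac JaasLifecycleDemo.java and java JaasLifecycleDemo (Java 8 or later); it prints [max] after the login, [] after the logout, and the rejection message for the wrong password. Two points carry over to the container case: a module whose Configuration returns null for the alias never gets instantiated, and the LoginContext constructor fails instead, so when a custom module's println never runs the first thing to confirm is which alias the calling side actually uses; and a module should clear the char[] it was handed instead of converting it to a String and logging it.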

  4. Re: How to use a custom JAAS application login module in EJB 2.1

    karlory@msn.com wrote:


    > So, my problem is how to make Websphere to call my
    > WebsphereLoginModule instand of the default one when I try to call my
    > EJB.



    Well, the code you listed was completely unreadable because the web site
    screws everything up for NNTP users. But you have not explained why you
    need a custom login module. What are you trying to do that WAS won't do
    by default? What is your user registry?

    Assuming that you even need one, why try to use an application config
    rather than add your module to RMI_INBOUND?

    I suggest that you begin by reading this paper:

    http://www.ibm.com/developerworks/we..._benantar.html

  5. Re: How to use a custom JAAS application login module in EJB 2.1

    > But you have not explained why you need a custom login module. What are you trying to do that WAS won't do by default? What is your user registry?

    Because I need to implement a bunch of business logic in my login module. I use Oracle to store user information.

    > Why try to use an application config rather than add your module to RMI_INBOUND?

    My login module is only useful to my enterprise application, and I don't want it to affect other applications.

  6. Re: How to use a custom JAAS application login module in EJB 2.1

    There is something like "Security domain" in JBoss that can achieve my purpose.

    <jboss>
       <security-domain>java:/jaas/JawJaasDbRealm</security-domain>
       ...
    </jboss>

    I don't know how to make it in WebSphere.

  7. Re: How to use a custom JAAS application login module in EJB 2.1

    I have the EXACT same question:

    What is the WebSphere equivalent of the thing in JBoss?

    karlory - were you able to figure this out? Or did you get it working some other way? I would really appreciate a response, because I have hit a road-block and need help.
