
  • what to do, to get EJBContext.getCallerPrincipal() work?

    Hi,

    Is it possible? What's the role of the JBossIntegrationFilter?

    Thanks

  • #2
    I haven't used the container adapters, but if you use the JBoss login module that comes with the JBoss adapter, then the principal supplied by Acegi will be used by the container security system and the container security should work normally.

    The filter http://acegisecurity.sourceforge.net...ionFilter.html

    is responsible for extracting the authentication token (as created by the above login module) from the container and making it available for the current request via the Acegi SecurityContext.

    Luke.



    • #3
      getCallerPrincipal will only return you the user name.

      If you want to get a handle on the Authentication Object then it can be accessed via the Subject Object located in the JNDI tree.

      /dan



      • #4
        Sorry for the late response, I was on a little vacation... now I'm back. Thanks both for your interest in this.

        Dan, did you manage to do this? I keep receiving this "Authentication exception, principal=null". I guess I've declared all the necessary Acegi Filters; here is a sample of my web.xml file:
        Code:
        <filter>
            <filter-name>Acegi Security System for Spring HttpSession Integration Filter</filter-name>
            <filter-class>net.sf.acegisecurity.util.FilterToBeanProxy</filter-class>
            <init-param>
                <param-name>targetClass</param-name>
                <param-value>net.sf.acegisecurity.context.HttpSessionContextIntegrationFilter</param-value>
            </init-param>
        </filter>

        <filter>
            <filter-name>Acegi Security System for Spring Context Holder Aware Filter</filter-name>
            <filter-class>net.sf.acegisecurity.util.FilterToBeanProxy</filter-class>
            <init-param>
                <param-name>targetClass</param-name>
                <param-value>net.sf.acegisecurity.wrapper.ContextHolderAwareRequestFilter</param-value>
            </init-param>
        </filter>

        <filter>
            <filter-name>Acegi Security System for JBoss</filter-name>
            <filter-class>net.sf.acegisecurity.adapters.jboss.JbossIntegrationFilter</filter-class>
        </filter>

        <filter>
            <filter-name>Acegi Authentication Processing Filter</filter-name>
            <filter-class>net.sf.acegisecurity.util.FilterToBeanProxy</filter-class>
            <init-param>
                <param-name>targetClass</param-name>
                <param-value>net.sf.acegisecurity.ui.webapp.AuthenticationProcessingFilter</param-value>
            </init-param>
        </filter>

        <filter>
            <filter-name>Acegi HTTP Request Security Filter</filter-name>
            <filter-class>net.sf.acegisecurity.util.FilterToBeanProxy</filter-class>
            <init-param>
                <param-name>targetClass</param-name>
                <param-value>net.sf.acegisecurity.intercept.web.SecurityEnforcementFilter</param-value>
            </init-param>
        </filter>
        And my spring descriptor xml content:

        Code:
        <?xml version="1.0" encoding="UTF-8"?>
        <!DOCTYPE beans PUBLIC "-//SPRING//DTD BEAN//EN" "http://www.springframework.org/dtd/spring-beans.dtd">
        
        <beans>
        
        	<bean id="authenticationProcessingFilter" class="net.sf.acegisecurity.ui.webapp.AuthenticationProcessingFilter">
        	  	<property name="authenticationManager"><ref bean="authenticationManager"/></property>
        	  	<property name="authenticationFailureUrl"><value>/general/login.faces</value></property>
        	  	<property name="defaultTargetUrl"><value>/home/home.faces</value></property>
        	  	<property name="filterProcessesUrl"><value>/j_acegi_security_check</value></property>
        	</bean>
        				
        	<bean id="authenticationManager" class="net.sf.acegisecurity.providers.ProviderManager">
        	  	<property name="providers">
        	    	<list>
        	      		<ref bean="authByAdapterProvider"/>
        	    	</list>
        	  	</property>
        	</bean>
        	
        	<bean id="authByAdapterProvider" class="net.sf.acegisecurity.adapters.AuthByAdapterProvider">
        	  	<property name="key"><value>password</value></property>
        	</bean>		
        	
        	<bean id="roleVoter" class="net.sf.acegisecurity.vote.RoleVoter"/>
        
        	<bean id="accessDecisionManager" class="net.sf.acegisecurity.vote.AffirmativeBased">
        	    <property name="allowIfAllAbstainDecisions">
        	        <value>false</value>
        	    </property>
        	    <property name="decisionVoters">
        	        <list>
        	           <ref local="roleVoter"/>
        	        </list>
        	    </property>
        	</bean>	
        	
        	<bean id="httpSessionIntegrationFilter" class="net.sf.acegisecurity.context.HttpSessionContextIntegrationFilter">
        		<property name="context">
        	        <value>net.sf.acegisecurity.context.security.SecureContextImpl</value>
        	    </property>
        	</bean>	
        	
        	<bean id="contextHolderAwareRequestFilter" class="net.sf.acegisecurity.wrapper.ContextHolderAwareRequestFilter"/>
        	
        	<bean id="securityEnforcementFilter" class="net.sf.acegisecurity.intercept.web.SecurityEnforcementFilter">
        	    <property name="filterSecurityInterceptor">
        	        <ref bean="filterInvocationInterceptor"/>
        	    </property>
        	    <property name="authenticationEntryPoint">
        	        <ref bean="authenticationEntryPoint"/>
        	    </property>
        	</bean>	
        	
        	<bean id="authenticationEntryPoint" class="net.sf.acegisecurity.ui.webapp.AuthenticationProcessingFilterEntryPoint">
        	    <property name="loginFormUrl">
        	        <value>/general/login.faces</value>
        	    </property>
        	</bean>
        	
        	<bean id="filterInvocationInterceptor" class="net.sf.acegisecurity.intercept.web.FilterSecurityInterceptor">
        	    <property name="authenticationManager">
        	        <ref bean="authenticationManager"/></property>
        	    <property name="accessDecisionManager">
        	        <ref bean="accessDecisionManager"/></property>
        	    <property name="objectDefinitionSource">
        	        <value>
        	            CONVERT_URL_TO_LOWERCASE_BEFORE_COMPARISON
        	            PATTERN_TYPE_APACHE_ANT
        	            /clientinfo/**=ROLE_ADMINISTRATIVE,ROLE_FINANCIAL,ROLE_RESULTS
        	            /offers/**=ROLE_ADMINISTRATIVE,ROLE_FINANCIAL,ROLE_RESULTS
        	            /probes/**=ROLE_ADMINISTRATIVE,ROLE_FINANCIAL,ROLE_RESULTS
        	            /request/**=ROLE_ADMINISTRATIVE,ROLE_FINANCIAL,ROLE_RESULTS
        	            /home/**=ROLE_ADMINISTRATIVE,ROLE_FINANCIAL,ROLE_RESULTS
        	        </value>
        	    </property>
        	</bean>			
        	
        </beans>
        Do you have any idea about what can be wrong?

        Thanks a lot



        • #5
          Have you installed the container-adapter in JBoss?



          • #6
            How to do that?



            • #7
              Read the section in the reference guide that explains it.

              You should preferably be familiar with JBoss container security too.



              • #8
                OK, I understand now, I did that. Do you know if there is a way to verify this? Any other ideas? Do you have a working example (descriptors)?

                Thanks again



                • #9
                  Maybe this will clear things a little more: I'm trying to perform authentication programmatically, using the following code:
                  Code:
                  Authentication usernamePasswordAuthentication = new PrincipalAcegiUserToken("password", username, password, new GrantedAuthority[]{new GrantedAuthorityImpl("ROLE_ADMINISTRATIVE")});

                  Authentication authentication = getAuthenticationManager().authenticate(usernamePasswordAuthentication);
                  SecureContext context = (SecureContext) ContextHolder.getContext();
                  context.setAuthentication(authentication);
                  I'm not sure if this is the right way, when using the JBoss container adapter.

                  After these lines I'm trying to get an instance of a secured Stateless Session Bean, and the following exception keeps appearing:
                  Code:
                  2005-06-27 14:54:56,700 ERROR [org.jboss.ejb.plugins.LogInterceptor] EJBException, causedBy:
                  java.lang.SecurityException: Authentication exception, principal=null
                      at org.jboss.ejb.plugins.SecurityInterceptor.checkSecurityAssociation(SecurityInterceptor.java:164)
                      at org.jboss.ejb.plugins.SecurityInterceptor.invokeHome(SecurityInterceptor.java:81)
                      at org.jboss.ejb.plugins.LogInterceptor.invokeHome(LogInterceptor.java:120)
                      at org.jboss.ejb.plugins.ProxyFactoryFinderInterceptor.invokeHome(ProxyFactoryFinderInterceptor.java:93)
                      at org.jboss.ejb.StatelessSessionContainer.internalInvokeHome(StatelessSessionContainer.java:319)
                      at org.jboss.ejb.Container.invoke(Container.java:720)
                      at org.jboss.ejb.plugins.local.BaseLocalProxyFactory.invokeHome(BaseLocalProxyFactory.java:293)
                      at org.jboss.ejb.plugins.local.LocalHomeProxy.invoke(LocalHomeProxy.java:110)
                      at $Proxy32.create(Unknown Source)
                      at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
                      at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
                      at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
                      at java.lang.reflect.Method.invoke(Method.java:324)
                      at org.springframework.ejb.access.AbstractSlsbInvokerInterceptor.create(AbstractSlsbInvokerInterceptor.java:174)
                      at org.springframework.ejb.access.LocalSlsbInvokerInterceptor.newSessionBeanInstance(LocalSlsbInvokerInterceptor.java:132)
                      at org.springframework.ejb.access.LocalSlsbInvokerInterceptor.getSessionBeanInstance(LocalSlsbInvokerInterceptor.java:106)
                      at org.springframework.ejb.access.LocalSlsbInvokerInterceptor.invoke(LocalSlsbInvokerInterceptor.java:62)
                      at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:144)
                      at org.springframework.aop.framework.JdkDynamicAopProxy.invoke(JdkDynamicAopProxy.java:174)
                      at $Proxy48.verifyPassword(Unknown Source)



                  • #10
                    JBoss doesn't know anything about the Acegi security classes - it has its own version of the ThreadLocal security context (SecurityAssociation). The exception you're seeing is because this hasn't been set.

                    The container adapter login module allows you to use Acegi security to setup JBoss security principals, roles etc, but you have to log in normally (using container security) for the login module to be called.

                    Do you know how to set up security for an application in JBoss? It would be a good idea to make sure you can get this working (e.g. with the simple properties file based security setup) before attempting to integrate Acegi as the container security provider.

                    Luke.



                    • #11
                      Thanks a lot Luke, for your time, I really appreciate your interest and answers.

                      It seems to work now, there was a problem with the ejbCreate method, I had to specify explicitly the roles that can create the EJB, no matter that everyone can actually instantiate it. I saw this being an issue some time ago with JBoss... (I use JBoss 3.2.3)

                      Code:
                      /**
                       * @throws CreateException
                       *
                       * @ejb.permission role-name = "ROLE_ADMINISTRATIVE,ROLE_FINANCIAL,ROLE_RESULTS"
                       */
                      public void ejbCreate() throws CreateException
                      {
                          super.ejbCreate();
                      }
                      The problem now, I guess it's what you've been telling me. I get the following exception now, when I invoke getCallerPrincipal() in my EJB:
                      Code:
                      2005-06-27 17:09:32,591 ERROR [org.jboss.ejb.plugins.LogInterceptor] RuntimeException:
                      java.lang.IllegalStateException: No security context set
                          at org.jboss.ejb.EnterpriseContext$EJBContextImpl.getCallerPrincipal(EnterpriseContext.java:276)
                          at ro.citrusmedia.lims.web.webclients.WebClientsFacadeEJB.verifyPassword(WebClientsFacadeEJB.java:80)
                          at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
                          at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
                          at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
                          at java.lang.reflect.Method.invoke(Method.java:324)
                          at org.jboss.ejb.StatelessSessionContainer$ContainerInterceptor.invoke(StatelessSessionContainer.java:683)
                          at org.jboss.resource.connectionmanager.CachedConnectionInterceptor.invoke(CachedConnectionInterceptor.java:185)
                          at org.jboss.ejb.plugins.StatelessSessionInstanceInterceptor.invoke(StatelessSessionInstanceInterceptor.java:72)
                          at org.jboss.ejb.plugins.AbstractTxInterceptor.invokeNext(AbstractTxInterceptor.java:84)
                          at org.jboss.ejb.plugins.TxInterceptorCMT.runWithTransactions(TxInterceptorCMT.java:267)
                          at org.jboss.ejb.plugins.TxInterceptorCMT.invoke(TxInterceptorCMT.java:128)
                          at org.jboss.ejb.plugins.SecurityInterceptor.invoke(SecurityInterceptor.java:118)
                          at org.jboss.ejb.plugins.LogInterceptor.invoke(LogInterceptor.java:191)
                          at org.jboss.ejb.plugins.ProxyFactoryFinderInterceptor.invoke(ProxyFactoryFinderInterceptor.java:122)
                          at org.jboss.ejb.StatelessSessionContainer.internalInvoke(StatelessSessionContainer.java:331)
                          at org.jboss.ejb.Container.invoke(Container.java:700)
                          at org.jboss.ejb.plugins.local.BaseLocalProxyFactory.invoke(BaseLocalProxyFactory.java:375)
                          at org.jboss.ejb.plugins.local.StatelessSessionProxy.invoke(StatelessSessionProxy.java:83)
                          at $Proxy39.verifyPassword(Unknown Source)
                          at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
                          at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
                          at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
                          at java.lang.reflect.Method.invoke(Method.java:324)
                          at org.springframework.ejb.access.LocalSlsbInvokerInterceptor.invoke(LocalSlsbInvokerInterceptor.java:71)
                          at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:144)
                          at org.springframework.aop.framework.JdkDynamicAopProxy.invoke(JdkDynamicAopProxy.java:174)
                          at $Proxy47.verifyPassword(Unknown Source)
                      Could you give a hint on what to do next?

                      Thanks,
                      Catalin



                      • #12
                        Sorry, I was wrong, this is because I didn't specify the same security domain for both the web app which does the authentication, and the EJB layer. Now both have the same security domain, and I'm back to the initial exception: java.lang.SecurityException: Authentication exception, principal=null.

                        I have no idea what to do next (for now), any hint?

                        Could you detail more on this, maybe with a code example?
                        Code:
                        but you have to log in normally (using container security) for the login module to be called.
                        Thanks



                        • #13
                          As I indicated above, this isn't really a question about Acegi. It's about establishing a secure context within JBoss and your first step should probably not include using Acegi at all.

                          You haven't given any indication why you are trying to use Acegi at this stage and you don't say why you're trying to log in programmatically, rather than through the container. If you must do this and you want to subsequently call an EJB, then you should be using JBoss-specific code (in particular JBoss's SecurityAssociation class), rather than Acegi code.

                          Alternatively you could ditch the EJBs and replace them by Spring beans, or remove the container security constraints and access the EJBs through a Spring-secured facade. The situation you have at the moment is unduly complicated because of the Acegi/JBoss/EJB mix.
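
Added example (not part of the original thread, and not Acegi or JBoss project code): the configuration chain behind "log in normally (using container security)" from #10 and the shared security domain from #12, shown as fragments of four separate descriptor files. The realm name `AcegiRealm`, the context file name `acegi-jboss.xml` and the key placeholder are assumptions; the URLs and role names are taken from the configuration posted in #4.

```xml
<!-- 1. JBoss conf/login-config.xml: JAAS policy that delegates to Acegi.
     "AcegiRealm" and "acegi-jboss.xml" are assumed names. -->
<application-policy name="AcegiRealm">
  <authentication>
    <login-module code="net.sf.acegisecurity.adapters.jboss.JbossAcegiLoginModule"
                  flag="required">
      <!-- Spring context loaded by the login module. Its authenticationManager
           needs a provider backed by the real user store, not AuthByAdapterProvider. -->
      <module-option name="appContextLocation">acegi-jboss.xml</module-option>
      <!-- Shared secret: must equal the "key" of AuthByAdapterProvider in the web
           app. Use a long random value instead of a guessable one like "password". -->
      <module-option name="key">REPLACE_WITH_LONG_RANDOM_KEY</module-option>
    </login-module>
  </authentication>
</application-policy>

<!-- 2. WEB-INF/jboss-web.xml: bind the web application to that policy. -->
<jboss-web>
  <security-domain>java:/jaas/AcegiRealm</security-domain>
</jboss-web>

<!-- 3. META-INF/jboss.xml of the EJB jar: the same domain, so the caller
     identity set at web login is accepted by the EJB layer. -->
<jboss>
  <security-domain>java:/jaas/AcegiRealm</security-domain>
</jboss>

<!-- 4. WEB-INF/web.xml: the container, not AuthenticationProcessingFilter,
     performs the login. The form posts j_username and j_password to
     j_security_check, which is what invokes the login module. -->
<security-constraint>
  <web-resource-collection>
    <web-resource-name>Secured pages</web-resource-name>
    <url-pattern>/home/*</url-pattern>
  </web-resource-collection>
  <auth-constraint>
    <role-name>ROLE_ADMINISTRATIVE</role-name>
    <role-name>ROLE_FINANCIAL</role-name>
    <role-name>ROLE_RESULTS</role-name>
  </auth-constraint>
</security-constraint>
<login-config>
  <auth-method>FORM</auth-method>
  <form-login-config>
    <form-login-page>/general/login.faces</form-login-page>
    <form-error-page>/general/login.faces</form-error-page>
  </form-login-config>
</login-config>
<security-role><role-name>ROLE_ADMINISTRATIVE</role-name></security-role>
<security-role><role-name>ROLE_FINANCIAL</role-name></security-role>
<security-role><role-name>ROLE_RESULTS</role-name></security-role>
```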
