J2EE Authentication

Tony Morris
Ranch Hand

Joined: Sep 24, 2003
Posts: 1608
If I have a web-app that is attempting to access an EJB, but requires authentication, can I simply authenticate to the web-app, and the authentication is "transitive", or must I use JAAS?


Tony Morris
Java Q&A (FAQ, Trivia)
JeanLouis Marechaux
Ranch Hand

Joined: Nov 12, 2001
Posts: 906
Yes you can.
The web app can be used as a layer to protect your EJB tier. Once you are authenticated, the credentials can be used in the web app container, but in the EJB container too.
Please notice I've said you can. This does not mean you should, depending on the security you want to implement.


/ JeanLouis
"software development has been, is, and will remain fundamentally hard" (Grady Booch)
Take a look at Agile OpenUP (http://www.epfwiki.net/wikis/openup/) in the Eclipse community
Tony Morris
Ranch Hand

Joined: Sep 24, 2003
Posts: 1608
I am using WAS 5.0.1 and authenticating to a web application using FORM based authentication to a servlet (call it ServletX).
ServletX then attempts to access an EJB (call it EJBX) which is running under a remote JVM EJB container.
After authentication succeeds (to ServletX), the following message is generated as part of the exception, "Authorization failed for /UNAUTHENTICATED while invoking ...".
Why does ServletX attempt to authenticate to EJBX as an unauthenticated user ?
The role that the user authenticates to in ServletX is the same as the role that is required by EJBX.
Cheers.
Kyle Brown
author
Ranch Hand

Joined: Aug 10, 2001
Posts: 3892
Tony, this ought to work -- my fear is that somehow you're not really getting authenticated inside the servlet, and that the principal is thus not being passed on to the EJB call.
Can you do a System.out.println of the name of the security principal (using getUserPrincipal()) in the Servlet and verify that you really do have a principal attached?
Also, feel free to mail me your app's EAR file internally at Kyle Brown/Raleigh/IBM@IBMUS and I'll take a look at it.
Kyle
(Not only your friendly neighborhood bartender, but also an STSM in IBM Software Services for WebSphere)


Kyle Brown, Author of Persistence in the Enterprise and Enterprise Java Programming with IBM Websphere, 2nd Edition
See my homepage at http://www.kyle-brown.com/ for other WebSphere information.
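A way to make Kyle's check concrete on both sides of the call, added here as an example that is not part of the original thread: the servlet prints what the web container knows about the user, then calls a small stateless session bean that reports what the EJB container actually received on the RMI-IIOP hop. The bean name WhoAmI, its ejb-ref java:comp/env/ejb/WhoAmI and the role name THE_ROLE (the name Tony uses later in the thread) are assumptions; the EJB 2.x style matches the WAS 5 era.

```java
// Added example, not code from the original thread. EJB 2.x style to match WAS 5.
// The bean name WhoAmI, the ejb-ref java:comp/env/ejb/WhoAmI and the role name
// THE_ROLE are assumptions for illustration; each public type goes in its own file.

// --- WhoAmI.java (remote interface) ---
import java.rmi.RemoteException;
import javax.ejb.EJBObject;

public interface WhoAmI extends EJBObject {
    String callerName() throws RemoteException;
    boolean callerInRole(String roleRef) throws RemoteException;
}

// --- WhoAmIHome.java (home interface) ---
import java.rmi.RemoteException;
import javax.ejb.CreateException;
import javax.ejb.EJBHome;

public interface WhoAmIHome extends EJBHome {
    WhoAmI create() throws CreateException, RemoteException;
}

// --- WhoAmIBean.java (stateless session bean, deployed in the remote EJB container) ---
import java.security.Principal;
import javax.ejb.SessionBean;
import javax.ejb.SessionContext;

public class WhoAmIBean implements SessionBean {
    private SessionContext ctx;

    public void setSessionContext(SessionContext ctx) { this.ctx = ctx; }
    public void ejbCreate() {}
    public void ejbRemove() {}
    public void ejbActivate() {}
    public void ejbPassivate() {}

    // The identity the EJB container attached to this invocation. If propagation
    // failed, this is the container's unauthenticated identity, not the web user.
    public String callerName() {
        Principal p = ctx.getCallerPrincipal();
        return p == null ? "null" : p.getName();
    }

    // isCallerInRole resolves its argument through a <security-role-ref> in
    // ejb-jar.xml; declare one that links "THE_ROLE" to the real role THE_ROLE.
    public boolean callerInRole(String roleRef) {
        return ctx.isCallerInRole(roleRef);
    }
}

// --- ServletX.java (web tier, protected by FORM login in web.xml) ---
import java.io.IOException;
import java.io.PrintWriter;
import java.security.Principal;
import javax.naming.Context;
import javax.naming.InitialContext;
import javax.naming.NamingException;
import javax.rmi.PortableRemoteObject;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

public class ServletX extends HttpServlet {
    protected void doGet(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        resp.setContentType("text/plain");
        PrintWriter out = resp.getWriter();

        // What the web container believes after FORM authentication succeeded.
        Principal webUser = req.getUserPrincipal();
        out.println("web tier : authType=" + req.getAuthType()
                + " principal=" + (webUser == null ? "null" : webUser.getName())
                + " inRole=" + req.isUserInRole("THE_ROLE"));

        // What the EJB container receives over the RMI-IIOP hop.
        try {
            Context ic = new InitialContext();
            Object ref = ic.lookup("java:comp/env/ejb/WhoAmI"); // assumed ejb-ref name
            WhoAmIHome home = (WhoAmIHome) PortableRemoteObject.narrow(ref, WhoAmIHome.class);
            WhoAmI bean = home.create();
            out.println("ejb tier : caller=" + bean.callerName()
                    + " inRole=" + bean.callerInRole("THE_ROLE"));
        } catch (NamingException e) {
            out.println("ejb tier : lookup failed: " + e);
        } catch (Exception e) {
            // A security exception here means the EJB container rejected the
            // call before the method ran, i.e. the propagated identity (or none)
            // did not satisfy the method permission.
            out.println("ejb tier : call rejected: " + e);
        }
    }
}
```

If the web tier line shows the logged-in user and THE_ROLE as true, but the EJB tier line shows the container's unauthenticated identity or the call is rejected, the FORM login itself is fine and the gap is between the two containers: either the role is not declared and mapped on the EJB side, or (when the EJB runs on a separate server) the EJB server does not trust the credential the web server sent.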
JeanLouis Marechaux
Ranch Hand

Joined: Nov 12, 2001
Posts: 906
Originally posted by Kyle Brown:
Kyle
(Not only your friendly neighborhood bartender, but also an STSM in IBM Software Services for WebSphere)

STSM?? What is it?
Lasse Koskela
author
Sheriff

Joined: Jan 23, 2002
Posts: 11962
Originally posted by Jean-Louis Marechaux:
STSM?
Senior Technical Staff Member


Author of Test Driven (2007) and Effective Unit Testing (2013) [Blog] [HowToAskQuestionsOnJavaRanch]
JeanLouis Marechaux
Ranch Hand

Joined: Nov 12, 2001
Posts: 906
Originally posted by Lasse Koskela:
Senior Technical Staff Member

Ah !!
I thought it was Short-Term Scientific Mission ...
It was puzzling me
Ok Jean-Louis, stop kidding and go back to work now ...
Tony Morris
Ranch Hand

Joined: Sep 24, 2003
Posts: 1608
Kyle,
Thanks for the offer of help. I'm going to continue working on it today (as I still don't believe I have exhausted ALL possibilities). If I am stuck, I may take you up on your offer, cheers.
out.println(request.isUserInRole("THE_ROLE") + "<br>");
true
out.println(request.getUserPrincipal() + "<br>");
Administrator
out.println(request.getAuthType() + "<br>");
FORM
out.println(request.getRemoteUser() + "<br>");
Administrator
JeanLouis Marechaux
Ranch Hand

Joined: Nov 12, 2001
Posts: 906
Kyle,
In WebSphere, do you have to specify a "RunAs" for your servlet in order to be able to send the principal to the ejb container?
Tony Morris
Ranch Hand

Joined: Sep 24, 2003
Posts: 1608
Currently, I have no <run-as> declaration in web.xml.
I'll mess with it a bit and see if I can make a difference.
Kyle Brown
author
Ranch Hand

Joined: Aug 10, 2001
Posts: 3892
Originally posted by Jean-Louis Marechaux:
Kyle,
In WebSphere, do you have to specify a "RunAs" for your servlet in order to be able to send the principal to the ejb container ??


No. Run-As is only used when you want to redefine the principal that something runs as, to be a predefined principal other than the current user.
Kyle
Kyle Brown
author
Ranch Hand

Joined: Aug 10, 2001
Posts: 3892
Tony,
Did you remember to link the roles in the web.xml and the ejb-jar.xml together in the application.xml? That might be the reason that this isn't working...
Kyle
Rufus BugleWeed
Ranch Hand

Joined: Feb 22, 2002
Posts: 1551
I am confused.
In application.xml we have
<!ELEMENT application (icon?, display-name, description?, module+,
security-role*)>
Are you saying the administrator role would have to be declared above for the administrator Principal to propagate from the web container to the ejb container?
Kyle Brown
author
Ranch Hand

Joined: Aug 10, 2001
Posts: 3892
Yes, that's exactly what I'm saying. If you are using WSAD 5.0 you can use the "Gather Roles" button to do this. The Administrator security role must be declared there to propagate down. The roles have to be defined in the application.xml file to make this work -- it's THOSE roles that are mapped to users.
Kyle
Tony Morris
Ranch Hand

Joined: Sep 24, 2003
Posts: 1608
application.xml contains
<security-role id="SecurityRole_1070256907189">
<description>The description</description>
<role-name>THE_ROLE</role-name>
</security-role>
do I need more ?
JeanLouis Marechaux
Ranch Hand

Joined: Nov 12, 2001
Posts: 906
I don't think you need more Tony.
But "THE_ROLE" must be the one defined as the auth-constraint of your servlet AND the one in the security-role of your ejb

BTW Tony, you've said in a previous post your ejb is in a remote container.
Could you have the opportunity to test your security with an application deployed onto a local container ?
[ December 03, 2003: Message edited by: Jean-Louis Marechaux ]
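The three descriptors Kyle and Jean-Louis are describing, assembled here as an added example that is not from the thread: THE_ROLE has to appear in the web module's auth-constraint, in the EJB module's method-permission, and in the application.xml of each EAR (Tony later says the web app is in x.ear and the EJBs in y.ear, so both EARs need it). Only the role name THE_ROLE, the servlet name ServletX, the bean name EJBX and the FORM auth method come from the thread; the class names, URL pattern, login pages, archive names and context root are placeholders.

```xml
<!-- Added example, not from the thread. Placeholders: com.example classes,
     the /ServletX URL pattern, login pages, x.war and /x. -->

<!-- web.xml, in the web module of x.ear -->
<web-app>
  <servlet>
    <servlet-name>ServletX</servlet-name>
    <servlet-class>com.example.ServletX</servlet-class>
  </servlet>
  <servlet-mapping>
    <servlet-name>ServletX</servlet-name>
    <url-pattern>/ServletX</url-pattern>
  </servlet-mapping>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>ServletX</web-resource-name>
      <url-pattern>/ServletX</url-pattern>
    </web-resource-collection>
    <auth-constraint>
      <!-- same role name as the EJB side -->
      <role-name>THE_ROLE</role-name>
    </auth-constraint>
  </security-constraint>
  <login-config>
    <auth-method>FORM</auth-method>
    <form-login-config>
      <form-login-page>/login.jsp</form-login-page>
      <form-error-page>/loginError.jsp</form-error-page>
    </form-login-config>
  </login-config>
  <!-- no <run-as>: the servlet calls the EJB as the logged-in user -->
  <security-role>
    <role-name>THE_ROLE</role-name>
  </security-role>
</web-app>

<!-- ejb-jar.xml, in the EJB module of y.ear -->
<ejb-jar>
  <enterprise-beans>
    <session>
      <ejb-name>EJBX</ejb-name>
      <home>com.example.EJBXHome</home>
      <remote>com.example.EJBX</remote>
      <ejb-class>com.example.EJBXBean</ejb-class>
      <session-type>Stateless</session-type>
      <transaction-type>Container</transaction-type>
    </session>
  </enterprise-beans>
  <assembly-descriptor>
    <security-role>
      <role-name>THE_ROLE</role-name>
    </security-role>
    <!-- every method of EJBX requires the caller to be in THE_ROLE -->
    <method-permission>
      <role-name>THE_ROLE</role-name>
      <method>
        <ejb-name>EJBX</ejb-name>
        <method-name>*</method-name>
      </method>
    </method-permission>
  </assembly-descriptor>
</ejb-jar>

<!-- application.xml: once in x.ear (shown) and again in y.ear with its EJB module -->
<application>
  <display-name>x</display-name>
  <module>
    <web>
      <web-uri>x.war</web-uri>
      <context-root>/x</context-root>
    </web>
  </module>
  <security-role>
    <description>Users allowed to call ServletX and EJBX</description>
    <role-name>THE_ROLE</role-name>
  </security-role>
</application>
```

In WebSphere the role-to-user/group mapping is attached to the application, not to the server, so with two EARs THE_ROLE has to be mapped to the same users in both (the per-EAR binding, ibm-application-bnd.xmi in WAS 5, or the role mapping step in the admin console when the EAR is installed). Declaring and mapping the role consistently is necessary but not sufficient: the EJB server still has to accept the credential the web server sends, which is the trust problem Kyle raises below for servers that are not in the same cell.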
Kyle Brown
author
Ranch Hand

Joined: Aug 10, 2001
Posts: 3892
Jeez. Good point, Jean-Louis! I totally missed the part about the remote EJB container. This raises a whole host of questions -- like are the EJB and the Web Application part of the same EAR or not? What version of WebSphere are you running (Standalone or ND)? Is Security turned on at all on the remote Application Server?
I'm with Jean-Louis -- try it locally first and then try it remotely.
Kyle
Tony Morris
Ranch Hand

Joined: Sep 24, 2003
Posts: 1608
Sorry, I should have made it clearer.
My web application is in x.ear while the EJBs are in y.ear.
I haven't tried to "integrate" my application with y.ear since that application is relatively complex and is very prone to error.
Using WebSphere 5.0.1.
Does this pose a problem ?
Kyle Brown
author
Ranch Hand

Joined: Aug 10, 2001
Posts: 3892
Well, actually I need to know what type of WebSphere application server you are running -- ND or single-server -- on the remote server, and also if Security has been turned on on that server.
Kyle
Tony Morris
Ranch Hand

Joined: Sep 24, 2003
Posts: 1608
I can't be sure of the exact version of WAS that I'm using (due to incompetence of discovering such information).
Following is the Description given when "About" is selected in the WAS Administration Console of the two machines:
On the web application machine:
-------------------------------
IBM WebSphere Application Server, 5.0.1
Build Number: ptf1M0314.04
Build Date: 04/08/2003
---------------------------------------
(c) Copyright IBM Corporation 1996, 2003.
On the EJB machine:
-------------------
IBM WebSphere Application Server, 5.0.2
Build Number: ptf2M0325.01
Build Date: 06/23/2003
---------------------------------------
IBM WebSphere Application Server Enterprise, 5.0.2
Build Number: ptf20327.03
Build Date: 07/10/2003
---------------------------------------
(c) Copyright IBM Corporation 1996, 2003.

Thanks in advance.
Kyle Brown
author
Ranch Hand

Joined: Aug 10, 2001
Posts: 3892
OK, I see that your remote application server is running WAS EE, so therefore the security setup is done through WAS ND.
Let me try to explain what I think is going on. Your WSAD Server is kind of an island. The problem is the WAS ND server doesn't know about it -- there's been no trust relationship set up between them because that server is not part of the same cell as the remote server.
So what happens is that there is a security credential set up on the RMI-IIOP connection, but the remote server can't verify it. Basically he's rejecting it because he doesn't know if he can trust the server that originated it.
You have two options for testing your application.
(1) Take the EAR file from the Remote application and deploy it on WSAD, even just as Binaries and start it within WSAD. Once both applications are running within the same standalone server they will understand each others credentials.
(2) Abandon running your application in WSAD and deploy it to the remote server, or another server within that same WAS ND cell. You can do remote debugging of the remote server to debug the application, BTW.
Kyle
Rufus BugleWeed
Ranch Hand

Joined: Feb 22, 2002
Posts: 1551
Originally posted by Kyle Brown:
Yes, that's exactly what I'm saying. If you are using WSAD 5.0 you can use the "Gather Roles" button to do this.

Ok, is it possible with AAT?
I suppose the other option is
1) ear expander -expand
2) hand edit
3) ear expander -collapse