
J2EE Authentication

 
Tony Morris
Ranch Hand
Posts: 1608
if I have a web-app that is attempting to access an EJB, but requires authentication, can I simply authenticate to the web-app, and the authentication is "transitive", or must I use JAAS ?
 
JeanLouis Marechaux
Ranch Hand
Posts: 906
Yes, you can.
The web app can be used as a layer to protect your EJB tier. Once you are authenticated, the credentials can be used in the web app container, but in the EJB container too.
Please notice I've said you can. This does not mean you should, depending on the security you want to implement.
 
Tony Morris
Ranch Hand
Posts: 1608
I am using WAS 5.0.1 and authenticating to a web application using FORM based authentication to a servlet (call it ServletX).
ServletX then attempts to access an EJB (call it EJBX) which is running under a remote JVM EJB container.
After authentication succeeds (to ServletX), the following message is generated as part of the exception, "Authorization failed for /UNAUTHENTICATED while invoking ...".
Why does ServletX attempt to authenticate to EJBX as an unauthenticated user ?
The role that the user authenticates to in ServletX is the same as the role that is required by EJBX.
Cheers.
 
Kyle Brown
author
Ranch Hand
Posts: 3892
Tony, this ought to work -- my fear is that somehow you're not really getting authenticated inside the servlet, and that the principal is thus not being passed on to the EJB call.
Can you do a System.out.println of the name of the security principal (using getUserPrincipal()) in the Servlet and verify that you really do have a principal attached?
Also, feel free to mail me your app's EAR file internally at Kyle Brown/Raleigh/IBM@IBMUS and I'll take a look at it.
Kyle
(Not only your friendly neighborhood bartender, but also an STSM in IBM Software Services for WebSphere)
 
JeanLouis Marechaux
Ranch Hand
Posts: 906
Originally posted by Kyle Brown:
Kyle
(Not only your friendly neighborhood bartender, but also an STSM in IBM Software Services for WebSphere)

STSM ?? what is it
 
Lasse Koskela
author
Sheriff
Posts: 11962
Originally posted by Jean-Louis Marechaux:
STSM?
Senior Technical Staff Member
 
JeanLouis Marechaux
Ranch Hand
Posts: 906
Originally posted by Lasse Koskela:
Senior Technical Staff Member

Ah !!
I thought it was Short-Term Scientific Mission ...
It was puzzling me
Ok Jean-Louis, stop kidding and go back to work now ...
 
Tony Morris
Ranch Hand
Posts: 1608
Kyle,
Thanks for the offer of help. I'm going to continue working on it today (as I still don't believe I have exhausted ALL possibilities). If I am stuck, I may take you up on your offer, cheers.
out.println(request.isUserInRole("THE_ROLE") + "<br>"); // output: true
out.println(request.getUserPrincipal() + "<br>");       // output: Administrator
out.println(request.getAuthType() + "<br>");            // output: FORM
out.println(request.getRemoteUser() + "<br>");          // output: Administrator
 
JeanLouis Marechaux
Ranch Hand
Posts: 906
Kyle,
In WebSphere, do you have to specify a "RunAs" for your servlet in order to be able to send the principal to the ejb container ??
 
Tony Morris
Ranch Hand
Posts: 1608
Currently, I have no <run-as> declaration in web.xml.
I'll mess with it a bit and see if I can make a difference.
 
Kyle Brown
author
Ranch Hand
Posts: 3892
Originally posted by Jean-Louis Marechaux:
Kyle,
In WebSphere, do you have to specify a "RunAs" for your servlet in order to be able to send the principal to the ejb container ??

No. Run-As is only used when you want to redefine the principal that something runs as, so that it runs as a predefined principal other than the current user.
Kyle
 
Kyle Brown
author
Ranch Hand
Posts: 3892
Tony,
Did you remember to link the roles in the web.xml and the ejb-jar.xml together in the application.xml? That might be the reason that this isn't working...
Kyle
 
Rufus BugleWeed
Ranch Hand
Posts: 1551
I am confused.
In application.xml we have
<!ELEMENT application (icon?, display-name, description?, module+, security-role*)>
Are you saying the administrator role would have to be declared above for the administrator Principal to propagate from the web container to the ejb container?
 
Kyle Brown
author
Ranch Hand
Posts: 3892
Yes, that's exactly what I'm saying. If you are using WSAD 5.0 you can use the "Gather Roles" button to do this. The Administrator security role must be declared there to propagate down. The roles have to be defined in the application.xml file to make this work -- it's THOSE roles that are mapped to users.
Kyle
 
Tony Morris
Ranch Hand
Posts: 1608
application.xml contains
<security-role id="SecurityRole_1070256907189">
<description>The description</description>
<role-name>THE_ROLE</role-name>
</security-role>
do I need more ?
 
JeanLouis Marechaux
Ranch Hand
Posts: 906
I don't think you need more, Tony.
But "THE_ROLE" must be the one defined as the auth-constraint of your servlet AND the one in the security-role of your ejb.

BTW Tony, you've said in a previous post your ejb is in a remote container.
Would you have the opportunity to test your security with an application deployed onto a local container?
[ December 03, 2003: Message edited by: Jean-Louis Marechaux ]
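The role wiring Kyle and Jean-Louis describe, written out as an added example (not Tony's descriptors and not code from this thread): the same role-name appears in the web module's auth-constraint, in the EJB module's method-permission, and once more in application.xml, which is the declaration that gets mapped to users at deploy time. It assumes both modules live in one EAR (Kyle's option of running both in the same server), and the module file names, login page names and the wildcard method permission on EJBX are assumptions made for illustration.

```xml
<!-- web.xml of the web module: FORM login; /ServletX requires THE_ROLE -->
<web-app>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>ServletX</web-resource-name>
      <url-pattern>/ServletX</url-pattern>
    </web-resource-collection>
    <auth-constraint>
      <role-name>THE_ROLE</role-name>
    </auth-constraint>
  </security-constraint>
  <login-config>
    <auth-method>FORM</auth-method>
    <form-login-config>
      <form-login-page>/login.jsp</form-login-page>        <!-- assumed page -->
      <form-error-page>/loginError.jsp</form-error-page>   <!-- assumed page -->
    </form-login-config>
  </login-config>
  <security-role>
    <role-name>THE_ROLE</role-name>
  </security-role>
</web-app>

<!-- ejb-jar.xml of the EJB module: the same role name guards EJBX's methods -->
<ejb-jar>
  <assembly-descriptor>
    <security-role>
      <role-name>THE_ROLE</role-name>
    </security-role>
    <method-permission>
      <role-name>THE_ROLE</role-name>
      <method>
        <ejb-name>EJBX</ejb-name>
        <method-name>*</method-name>   <!-- assumed: every business method -->
      </method>
    </method-permission>
  </assembly-descriptor>
</ejb-jar>

<!-- application.xml of the EAR: one role that both modules reference;
     this is the declaration that is mapped to real users or groups -->
<application>
  <module><web><web-uri>x.war</web-uri><context-root>/x</context-root></web></module>
  <module><ejb>y.jar</ejb></module>   <!-- assumed module names -->
  <security-role>
    <role-name>THE_ROLE</role-name>
  </security-role>
</application>
```

If the role is missing from any one of the three descriptors, a user who passes the servlet's auth-constraint still has no role the EJB container can honour, which matches the "/UNAUTHENTICATED" rejection described above.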
 
Kyle Brown
author
Ranch Hand
Posts: 3892
Jeez. Good point, Jean-Louis! I totally missed the part about the remote EJB container. This raises a whole host of questions -- like are the EJB and the Web Application part of the same EAR or not? What version of WebSphere are you running (Standalone or ND)? Is Security turned on at all on the remote Application Server?
I'm with Jean-Louis -- try it locally first and then try it remotely.
Kyle
 
Tony Morris
Ranch Hand
Posts: 1608
Sorry, I should have made it clearer.
My web application is in x.ear while the EJBs are in y.ear.
I haven't tried to "integrate" my application with y.ear since that application is relatively complex and is very prone to error.
Using WebSphere 5.0.1.
Does this pose a problem ?
 
Kyle Brown
author
Ranch Hand
Posts: 3892
Well, actually I need to know what type of WebSphere application server you are running -- ND or single-server -- on the remote server, and also if Security has been turned on on that server.
Kyle
 
Tony Morris
Ranch Hand
Posts: 1608
I can't be sure of the exact version of WAS that I'm using (due to incompetence of discovering such information).
Following is the Description given when "About" is selected in the WAS Administration Console of the two machines:
On the web application machine:
-------------------------------
IBM WebSphere Application Server, 5.0.1
Build Number: ptf1M0314.04
Build Date: 04/08/2003
---------------------------------------
(c) Copyright IBM Corporation 1996, 2003.
On the EJB machine:
-------------------
IBM WebSphere Application Server, 5.0.2
Build Number: ptf2M0325.01
Build Date: 06/23/2003
---------------------------------------
IBM WebSphere Application Server Enterprise, 5.0.2
Build Number: ptf20327.03
Build Date: 07/10/2003
---------------------------------------
(c) Copyright IBM Corporation 1996, 2003.

Thanks in advance.
 
Kyle Brown
author
Ranch Hand
Posts: 3892
OK, I see that your remote application server is running WAS EE, so therefore the security setup is done through WAS ND.
Let me try to explain what I think is going on. Your WSAD Server is kind of an island. The problem is the WAS ND server doesn't know about it -- there's been no trust relationship set up between it because that server is not part of the same cell as the remote server.
So what happens is that there is a security credential set up on the RMI-IIOP connection, but the remote server can't verify it. Basically he's rejecting it because he doesn't know if he can trust the server that originated it.
You have two options for testing your application.
(1) Take the EAR file from the Remote application and deploy it on WSAD, even just as Binaries and start it within WSAD. Once both applications are running within the same standalone server they will understand each others credentials.
(2) Abandon running your application in WSAD and deploy it to the remote server, or another server within that same WAS ND cell. You can do remote debugging of the remote server to debug the application, BTW.
Kyle
 
Rufus BugleWeed
Ranch Hand
Posts: 1551
Originally posted by Kyle Brown:
Yes, that's exactly what I'm saying. If you are using WSAD 5.0 you can use the "Gather Roles" button to do this.

Ok, is it possible with AAT?
I suppose the other option is
1) ear expander -expand
2) hand edit
3) ear expander -collapse
 