I've been crawling the web trying to find some info that could help me. This is my issue:
As per customer request, we have to implement a rich client interface that uses/calls EJB restricted methods.
I tried to find info about JAAS and ProgrammaticLogin with no success.
Some of the info I found states that ProgrammaticLogin relies on the underlying AppServer, therefore I lean towards using JAAS -- which is not supported by all AppServers according to some reading. However, I am planning to deploy on Sun's AppServer, GlassFish and JBoss, all of which support JAAS (according to some info I found).
My core design is based on the Eclipse Rich Client Platform authenticating to a GlassFish/JBoss server to gain access to EJB3 restricted (by role) components. I would like to rely on the AppServer security/audit system to keep my design simple.
Perhaps this is a simple and silly Q, but I could not find enough info in this regard. Additionally, if any of you have any suggestion, I will be willing to try it.
Does your JAAS login module reside on the app server, or do you do authentication on the client and then want to use the same Subject for authorization in EJBs? The second one is tricky, as the principals/credentials in the Subject are not serializable and there are a lot of security issues in that. The SAML specifications address this for web services. The first one can be done by using specific login modules provided by different application servers. This article provides this info for JBoss.
You can do a JAAS login from the client (a standalone Java app or even a Swing based client). See if this helps. The example there is a standalone Java app accessing a secure EJB after doing a programmatic JAAS login. Let us know if you need more details.
Originally posted by Jaikiran Pai: You can do a JAAS login from the client (a standalone Java app or even a Swing based client). See if this helps. The example there is a standalone Java app accessing a secure EJB after doing a programmatic JAAS login. Let us know if you need more details.
Hi Jaikiran, I have not tried on the JBoss server, but according to this article that I have referred to in my earlier response, it seems like you have to create the EJB under a privileged action executed with the Subject after the login. <Correct me if I am wrong> Moreover, the client login module is more of a misnomer, as it does not actually authenticate. It's just an abstraction to hide how the credentials from the standalone client can be passed to the server. The authentication actually happens on the server side. Also, it can be a bit misleading, because if the username/password are not correct, the EJB create will fail and not the login! Also, I am not sure as to how this client module maps to the actual login module at the server side? How do I tell that I want to authenticate against an LDAP, a database or something else? </Correct me if I am wrong>
This is a very interesting subject. I will quote a friend who has the same issue, which I found crawling the web:
I have EJBs on my server that users of the account will be accessing through a stand-alone Swing application. The first time the software starts, it'll ask the user for an account ID and password (which I believe are represented by the security principal and credentials respectively). From then on, the software should access a stateless EJB using authentication information. I don't have any trouble accessing the stateless EJB, but the biggest part I'm confused about is how I communicate the security principal and password to the server. Where do I set properties in the stand-alone client code?
I feel extremely lost and confused with the entire authentication concept of Java EE 5! Authorisation has lots of details written about it - using annotations or deployment descriptors to limit the execution of methods to certain roles. There's even pretty good documentation on how to add users to the system via the admin web interface. The only concept that I can't find a single article or example of is making use of it all!
In my mind, it's the simplest of concepts: Joe has an account ID and password. He only has access to one object on the server, which is referenced from the entity persistence database using his account ID. At the moment, it feels like I would have been better off writing this part of the system manually. Whatever happened to KISS?
Seems to me that using ProgrammaticLogin is easier, since I do not have to implement a LoginModule and a CallbackHandler -- I look at JAAS as an alternative whatsoever.
Originally posted by Nitesh Kant: Moreover, the client login module is more of a misnomer, as it does not actually authenticate. It's just an abstraction to hide how the credentials from the standalone client can be passed to the server.
That's correct. The ClientLoginModule in JBoss is meant to just pass on the logon information to the server. The actual authentication does not happen in this login module.
However, this does not mean that the authentication cannot be done on the client side. LoginContext is nothing but a stack of login modules. If you want to have authentication done on the client side, you can include your own module (something like database login or ldap login module or something else) in this stack. The only restriction (or rather requirement in JBoss) to this is, you will also have to include the ClientLoginModule in this stack. This effectively means that you will have 2 login modules in this stack - one doing the authentication and the other passing the credentials (ClientLoginModule).
Originally posted by Nitesh Kant: How do I tell that I want to authenticate against an LDAP, a database or something else?
Here's an example for LDAP authentication: LdapLoginModule. The database login module configuration will be similar; currently I don't have the link for the example (you can find a default example in the login-config.xml under the %JBOSS_HOME%/server/default/conf folder).
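To make the "stack of login modules" idea concrete, here is an added standalone client example (not code from any poster or from JBoss): it builds the two-module stack programmatically, feeds the dialog's username/password through a CallbackHandler, and runs the EJB call inside Subject.doAs as suggested earlier in the thread. The class name com.example.LocalLdapLoginModule is a placeholder for whatever module really checks the password on the client, the credentials are constructed sample values, and org.jboss.security.ClientLoginModule is assumed to be on the client classpath.

```java
import java.security.PrivilegedAction;
import java.util.Collections;
import javax.security.auth.Subject;
import javax.security.auth.callback.*;
import javax.security.auth.login.*;
import javax.security.auth.login.AppConfigurationEntry.LoginModuleControlFlag;

/** Programmatic JAAS configuration: the LoginContext is a stack of two modules. */
class ClientJaasConfig extends Configuration {
    @Override
    public AppConfigurationEntry[] getAppConfigurationEntry(String name) {
        return new AppConfigurationEntry[] {
            // Placeholder (assumed) module that actually verifies the password locally.
            new AppConfigurationEntry("com.example.LocalLdapLoginModule",
                    LoginModuleControlFlag.REQUIRED, Collections.<String, Object>emptyMap()),
            // JBoss module that only forwards the credentials to the server; it does not authenticate.
            new AppConfigurationEntry("org.jboss.security.ClientLoginModule",
                    LoginModuleControlFlag.REQUIRED, Collections.<String, Object>emptyMap())
        };
    }
}

public class SwingClientLogin {
    /** Answers the Name/Password callbacks with what the login dialog collected. */
    static CallbackHandler handlerFor(final String user, final char[] password) {
        return new CallbackHandler() {
            public void handle(Callback[] callbacks) throws UnsupportedCallbackException {
                for (Callback cb : callbacks) {
                    if (cb instanceof NameCallback) ((NameCallback) cb).setName(user);
                    else if (cb instanceof PasswordCallback) ((PasswordCallback) cb).setPassword(password);
                    else throw new UnsupportedCallbackException(cb);
                }
            }
        };
    }

    public static void main(String[] args) throws LoginException {
        // Constructed sample credentials; a real client takes them from the dialog.
        LoginContext lc = new LoginContext("client-login", null,
                handlerFor("joe", "secret".toCharArray()), new ClientJaasConfig());
        lc.login(); // with the local module in the stack, a bad password fails here, not at EJB create
        // Look up and call the role-restricted EJB while the authenticated Subject is in effect.
        Subject.doAs(lc.getSubject(), new PrivilegedAction<Void>() {
            public Void run() { /* ctx.lookup(...) and call the restricted method */ return null; }
        });
        lc.logout();
    }
}
```

Without the first (verifying) module, ClientLoginModule alone always "succeeds" on the client, and a wrong password only shows up when the server rejects the EJB call.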
Any help/thoughts/How to/Advice using ProgrammaticLogin from a Swing Client to a Glassfish server?