JAAS With JBOSS: My How-To Tutorial

There are a few different steps to get JAAS Auth to work in JBoss:
LOGIN CODE
-------------------

//THE IMPORTS
import org.jboss.security.auth.callback.SecurityAssociationHandler;
import javax.security.auth.callback.*;
import javax.security.auth.login.*;
import java.security.Principal;
//LOGIN CODE
//Note: Login before you get initial context
try
{
SecurityAssociationHandler handler = new SecurityAssociationHandler();
//PRINCIPAL TO LOGIN WITH
/*
 * To make this work, you'll need to create a user with this name
 * in your security file or database or whatever you use. I use a database
 * to store them. For this example, we'll use user="Robert", password="Paris"
 * 
 * Note: I am creating a new Principal subclass here because Principal is
 * an abstract class.
 */
Principal userPrincipal = new Principal()
{
//THIS IS ALL YOU NEED TO IMPLEMENT
public String getName()
{
return "Robert";
}
};
//SET SECURITY ASSOCIATION HANDLER-SPECIFIC SETTINGS
//Syntax: setSecurityInfo( Principal <Principal>, char[] <password_or_credentials> );
handler.setSecurityinfo( userPrincipal, "Paris".toCharArray() );
//GET LOGIN CONTEXT (NOTE: EJBSecurityDomain is the name I gave it in descriptor)
LoginContext loginContext = new LoginContext( "EJBSecurityDomain", ( CallbackHandler ) handler );
//LOGIN
loginContext.login();
}
catch (Exception e)
{
e.printStackTrace();
}
//THEN DO ALL YOUR getInitialContext STUFF HERE
...

JBOSS EJB_DESCRIPTOR INFO
---------------------------------------------

JBOSS CONFIGURATIONS
------------------------------------

//LOGIN FILE: Located in "${JBOSS_HOME}/server/<server_name>/conf/login-config.xml"
//        the "<server-name>" is usually "default"  as most people use that folder.
//THIS GOES UNDER THE <policy> tag:
<application-policy name="EJBSecurityDomain">
<authentication>

<login-module code="org.jboss.security.auth.spi.DatabaseServerLoginModule" flag="required">

<module-option name="dsJndiName">java:/MSQLDS</module-option>

<module-option name-"principalsQuery">Select passwd from Users where username = ?</module-option>
<module-option name="rolesQuery">Select userRoles 'Role', userRoleGroups 'RoleGroup' from UserRoles where username = ?</module-option>
</login-module>
</authentication>
</application-policy>

NEEDED TO COMPILE AND RUN CLIENT
---------------------------------------------------------
NOTE: you will need these jars for BOTH compiling AND running THE CLIENT
//ALL CLIENT JARS
${JBOSS_HOME}/client/*.jar
//THIS IS THE KEY!!! THIS IS THE JAR THEY DON'T TELL YOU
//ABOUT, BUT THAT HAS THE JAAS CLASSES!!!
${JBOSS_HOME}/server/all/lib/jbosssx.jar
RUNTIME SYSTEM PROPERTIES FOR CLIENT - REQUIRED
----------------------------------------------------------------
//NOTE: ALL THESE ARE FOR RUNNING THE CLIENT!!!
-Djava.security.manager
//I WILL GIVE YOU WHAT THIS FILE MUST CONTAIN
-Djava.security.auth.login.config=auth.conf
//I WILL GIVE YOU A SAMPLE OF THIS, JUST FOR TESTING
-Djava.security.policy=ourtest.policy
-Djava.security.auth.policy=ourtest.policy
CONFIG FILE (FOR CLIENT): auth.conf
------------------------------------------------------

POLICY FILE (FOR CLIENT): ourtest.policy
-----------------------------------------------------------

OK, I believe that's all you need! I think that the class for using a properties file for a login usernames/passwords is: org.jboss.security.ClientLoginModule. So if you don't want to use the database for your tests, replace all the DB Module classes listed in the files above with this one.

OK, I spent alot of time putting this together because i know it stinks to not be able to find it anywhere. i went through it myself and i don't want anyone else to be frustrated. All I ask is this:
1. Anytime you are searching for the answer to how to do something and alot of people also want to know, and then you come up with the answer - POST IT!!
2. I need to know how to use resource-env-ref or resource-ref with Jetty (only Jetty). Anyone who knows, please post it for me! Thanks!
Robert
[ January 27, 2003: Message edited by: Robert Paris ]
[ January 17, 2004: Message edited by: Robert Paris ]

Why don't you write this up as an article and we'll put it in the JavaRanch newsletter.

Will do! Couple Questions:
1. Is there a basic format you'd like me to follow?
2. Where do I send the article when I finish it?
3. What about source code? I did not include a complete working version there (for example I used a database auth version, but didn't include my code for getting that to work. I can include that no problem in the article)
4. What about updates to the article/source code? In other words - I have time right now to create a full working version with MS SQL Server as the database, but no time to do that plus a MySQL version, properties version, etc. However, I could every now and then add those versions when I have free time. Is this possible?
Thanks!

I have tried following your example here using mysql. When I add the following code to login-config.xml as suggested
<application-policy name="EJBSecurityDomain">
<authentication>
<login-module code="org.jboss.security.auth.spi.DatabaseServerLoginModule" flag="required">
<module-option name="dsJndiName">java:/MySqlDS</module-option>
<module-option name-"principalsQuery">Select passwd from Users where username = ?<module-option>
<module-option name="rolesQuery">Select userRoles 'Role', userRoleGroups 'RoleGroup' from UserRoles where username = ?<module-option>
<login-module>
</authentication>
</application-policy>
I get the following error on starting JBoss
09:12:42,087 WARN [XMLLoginConfigImpl] Failed to load config: file:/Applications/jboss-3.0.6/server/default/conf/login-config.xml
org.jboss.security.auth.login.ParseException: Encountered "<?xml" at line 1, column 1.
Was expecting one of:
<EOF>
<IDENTIFIER> ...

What am I doing wrong in following your example?
Thanks

Well, you see this line:
<module-option name-"principalsQuery">Select passwd from Users where username = ?<module-option>
You never CLOSE the module-option. You have the same problem for the next one as well.

Hi there,
I got the exact same error message as Lee posted previously. It is definitely not a syntax problem with my login-config.xml. I validated it against its DTD without any errors. Anyway, the error message doesn't seem to make much sense - what is wrong with an xml file beginning with <?xml verison=....>? I'd appreciate any recommendations you might have.
Cheers
Georg

Ok, after spending the better half of the day browsing forums and experimenting, I found the solution to the problem. To be able to propagate the authenticated principal to the EJB-Container from a Java-Client (e.g. JUnit) my auth.conf entry now looks as follows:
LineSecurityDomain {
org.jboss.security.auth.spi.UsersRolesLoginModule required;
org.jboss.security.ClientLoginModule required;
};
As stated in the JBoss documentation, the ClientLoginModule is responsible for propagating the principal! It did only work by incorporating the entry in the LineSecurityDomain configuration! Using the following approach didn't work.
LineSecurityDomain {
org.jboss.security.auth.spi.UsersRolesLoginModule required;
};
other {
org.jboss.security.ClientLoginModule required;
}
Hope this helps!
Georg

Please note: Although the above description is better than anything I've found on JBoss' website and documentation. There are at least a few bugs in it. The code that reads:

<login-module code="org.jboss.security.auth.spi.DatabaseServerLoginModule" flag="required"><module-option name="dsJndiName">java:/MSQLDS</module-option><module-option name-"principalsQuery">Select passwd from Users where username = ?<module-option><module-option name="rolesQuery">Select userRoles 'Role', userRoleGroups 'RoleGroup' from UserRoles where username = ?<module-option><login-module>

Should read:
<application-policy name="EJBSecurityDomain">
<authentication>
<login-module code="org.jboss.security.auth.spi.DatabaseServerLoginModule" flag="required">

<module-option name="dsJndiName">java:/MSQLDS</module-option>

<module-option name="principalsQuery">Select passwd from Users where username = ?</module-option>
<module-option name="rolesQuery">Select userRoles 'Role', userRoleGroups 'RoleGroup' from UserRoles where username = ?</module-option>
</login-module>
</authentication>
</application-policy>
There are three tags that need to be properly closed (two module-option tags and the login-module tag) and a couple ill-defined attributes. All of these errors result in the unhelpful XML parse diagnostic about the <?xml identifier.
Still trying to log in!! :roll:

Did you ever get a chance to log in? I am having problems with the above example, such as why a Prinicpal class was created in the login and what client needs to be compiled?? Any help would be appreciated.
And is this written up somewhere? I looked for a newsletter but have not found one.
Thanks,
Chris

Robert,
You rock!!! I was in desperate need of a solution to this problem and your tutorial gave me most of what I needed. I had to make a few corrections for JBoss 3.2.5. If you'd like, I could post them. You saved me from a disaster - I needed to make this work so I could teach an EJB class on JBoss. Thanks again.

Tom Marrs

Finally I think Im on the right track here. Did you ever get to create a complete example? Id love to have that, cause Ive been banging my head against the wall the last couple of decades it feels like.

And I totally agree. POST THE SOLUTION WHEN YOU FIND IT. So other people dont have to bang their head till it cracks.