
JAAS Login and secure EJB lookup based on security handbook


zako...@gmail.com

Apr 22, 2008, 5:39:56 AM
Hi

A few days ago I was reading the IBM WebSphere 6.1 Security Redbook, and I downloaded the demo it includes to test the different login procedures.

Well, I can only run that demo using the launchclient.bat utility that comes with the WebSphere Application Client, and it seems to run fine.

The book also describes another way to launch the client, with the buildClientRuntime tool (found in \bin\buildClientRuntime.bat). With it I can create a .jar file with the JRE environment, but I don't really know how to install or use it, because the info I found only tells how to use that .jar with Java Web Start.

Another way: I copied the client files into my Eclipse IDE and tried to execute it from there. For that I configured the JRE to be the JDK that comes with WAS_HOME\java, and I also included all the libraries built by the \bin\buildClientLibJars.bat utility, plus the properties and key files needed, I mean sas.client.props and wsjaas_client.conf under the properties directory, and DummyClientKeyFile.jks and DummyClientTrustFile.jks under the keys directory.

With all that I executed ThinClient.java and the results were:


Thin Itsohello clients:

a. UNSECURED CLIENT.
   Access the unsecured Hello bean. If you still get an authentication
   challenge window, just click "Cancel". Or you can also change the property
   "com.ibm.CORBA.loginSource" to "none" in the file "sas.client.props"
   found in the sub-directory thinClient\properties.
b. SECURED CLIENT.
   Access the secured Hello bean. You should be authenticated, otherwise the app
   will throw an exception. If you don't get an authentication challenge
   window, you need to change the property
   "com.ibm.CORBA.loginSource" to "prompt" in the file "sas.client.props"
   found in the sub-directory thinClient\properties.
c. SECURED CLIENT with JAAS.
   Access the secured Hello bean using JAAS. Authentication is done via JAAS.
d. SECURED CLIENT with JAAS using custom callback handler.
   Similar like (c) but with custom callback handler

Please enter your choice (a/b/c/d): c


22-Apr-2008 11:27:58 SASRas
AUDIT: security.LoadSCI
22-Apr-2008 11:27:59 SASRas
AUDIT: security.GettingConfig
22-Apr-2008 11:27:59 com.ibm.ws.ssl.config.SSLConfigManager
INFO: ssl.disable.url.hostname.verification.CWPKI0027I
22-Apr-2008 11:27:59 SASRas
AUDIT: security.AuthTarget
22-Apr-2008 11:27:59 SASRas
AUDIT: security.ClientCSI
22-Apr-2008 11:28:16 SASRas
AUDIT: security.LoadSCI
22-Apr-2008 11:28:16 SASRas
AUDIT: security.ClientCSI
Fails to create subject.
SECJ0395E: The SecurityServer could not be located at host/port:{0} to validate the specified user ID and password. You may need to specify a valid securityServerHost/Port in the file ${WAS_INSTALL_ROOT}/profiles/profile_name/properties/sas.client.props.
Accessing SecuredHello bean using JAAS
Message from Hello bean: none

22-Apr-2008 11:28:16 com.ibm.ws.naming.util.WsnInitCtxFactory
WARNING: jndiUnavailCommErr
22-Apr-2008 11:28:16 com.ibm.WebSphereSecurityImpl.SecurityServerImpl
SEVERE: security.securityserver.error


The sas.client.props file points correctly to the server and port where WebSphere is installed.

After all that, and looking for help in the IBM Information Center, I found another example of JAAS login. I tried it too, but the results were similar; it didn't work for me.

Here is the example:


package prueba.was;

import java.util.Hashtable;
import javax.naming.Context;
import javax.naming.InitialContext;
import javax.rmi.PortableRemoteObject;
import javax.security.auth.Subject;
import javax.security.auth.login.LoginContext;
import com.ibm.websphere.security.auth.WSSubject;
import com.ibm.websphere.security.auth.callback.WSCallbackHandlerImpl;

public class PruebaJAAS {
    public static void main(String[] args) throws Exception {
        // JNDI environment: WebSphere naming provider and the bootstrap address
        Hashtable<String, String> env = new Hashtable<String, String>();
        env.put(Context.INITIAL_CONTEXT_FACTORY, "com.ibm.websphere.naming.WsnInitialContextFactory");
        env.put(Context.PROVIDER_URL, "corbaloc:iiop:localhost:2809");

        // Security server used to validate the user ID and password
        // (the same values as securityServerHost/Port in sas.client.props)
        System.setProperty("com.ibm.CORBA.securityServerHost", "localhost");
        System.setProperty("com.ibm.CORBA.securityServerPort", "2809");

        Context initialContext = new InitialContext(env);
        // An empty-name lookup forces the connection to the name server
        Object obj = initialContext.lookup("");

        // JAAS login with the WSLogin configuration and a user ID/password callback handler
        LoginContext lc = new LoginContext("WSLogin", new WSCallbackHandlerImpl("admin", "admin"));
        lc.login();
        Subject subject = lc.getSubject();

        // Set the subject on the thread so it is used for outbound requests.
        // Note: this overwrites the existing subject, which you may want to save first.
        WSSubject.setRunAsSubject(subject);

        PruebaServiceHome home = (PruebaServiceHome) PortableRemoteObject.narrow(
                initialContext.lookup("ejb/PruebaService"), PruebaServiceHome.class);
        PruebaService serviceLocal = home.create();
        System.out.println("Start. Printing the logged-in user");
        serviceLocal.imprimeUser();
    }
}


The method imprimeUser() only does a System.out.println(ctx.getCallerPrincipal().getName());, printing the user that is logged in.


And the error trace is:


22-Apr-2008 11:35:13 SASRas
AUDIT: security.LoadSCI
22-Apr-2008 11:35:14 SASRas
AUDIT: security.GettingConfig
22-Apr-2008 11:35:14 com.ibm.ws.ssl.config.SSLConfigManager
INFO: ssl.disable.url.hostname.verification.CWPKI0027I
22-Apr-2008 11:35:14 SASRas
AUDIT: security.AuthTarget
22-Apr-2008 11:35:14 SASRas
AUDIT: security.ClientCSI

22-Apr-2008 11:35:15 com.ibm.ws.naming.util.WsnInitCtxFactory
WARNING: jndiUnavailCommErr
javax.naming.ServiceUnavailableException: A communication failure occurred while attempting to obtain an initial context with the provider URL: "corbaloc:iiop:localhost:2809". Make sure that any bootstrap address information in the URL is correct and that the target name server is running. A bootstrap address with no port specification defaults to port 2809. Possible causes other than an incorrect bootstrap address or unavailable name server include the network environment and workstation network configuration. Root exception is org.omg.CORBA.INTERNAL: initial and forwarded IOR inaccessible vmcid: IBM minor code: 58C completed: No
	at com.ibm.ws.naming.util.WsnInitCtxFactory.mapInitialReferenceFailure(WsnInitCtxFactory.java:2224)
	at com.ibm.ws.naming.util.WsnInitCtxFactory.mergeWsnNSProperties(WsnInitCtxFactory.java:1384)
	at com.ibm.ws.naming.util.WsnInitCtxFactory.getRootContextFromServer(WsnInitCtxFactory.java:922)
	at com.ibm.ws.naming.util.WsnInitCtxFactory.getRootJndiContext(WsnInitCtxFactory.java:846)
	at com.ibm.ws.naming.util.WsnInitCtxFactory.getInitialContextInternal(WsnInitCtxFactory.java:531)
	at com.ibm.ws.naming.util.WsnInitCtx.getContext(WsnInitCtx.java:117)
	at com.ibm.ws.naming.util.WsnInitCtx.getContextIfNull(WsnInitCtx.java:712)
	at com.ibm.ws.naming.util.WsnInitCtx.lookup(WsnInitCtx.java:171)
	at javax.naming.InitialContext.lookup(InitialContext.java:363)
	at prueba.was.PruebaJAAS.main(PruebaJAAS.java:43)
Caused by: org.omg.CORBA.INTERNAL: initial and forwarded IOR inaccessible vmcid: IBM minor code: 58C completed: No
	at com.ibm.rmi.corba.ClientDelegate.createRequest(ClientDelegate.java:1213)
	at com.ibm.CORBA.iiop.ClientDelegate.createRequest(ClientDelegate.java:1320)
	at com.ibm.rmi.corba.ClientDelegate.createRequest(ClientDelegate.java:1109)
	at com.ibm.CORBA.iiop.ClientDelegate.createRequest(ClientDelegate.java:1286)
	at com.ibm.rmi.corba.ClientDelegate.request(ClientDelegate.java:1816)
	at com.ibm.CORBA.iiop.ClientDelegate.request(ClientDelegate.java:1242)
	at org.omg.CORBA.portable.ObjectImpl._request(ObjectImpl.java:458)
	at com.ibm.WsnBootstrap._WsnNameServiceStub.getProperties(_WsnNameServiceStub.java:38)
	at com.ibm.ws.naming.util.WsnInitCtxFactory.mergeWsnNSProperties(WsnInitCtxFactory.java:1367)
	... 8 more


I'm attaching the demo, in case anybody can help me with this.

Thanks in advance
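The following is an added example, not code from the original post, the IBM Redbook demo or the Information Center article. It shows the same thin-client flow (bootstrap lookup, JAAS login through the WSLogin configuration, EJB call as the authenticated user) restructured so that the two failure modes seen above are reported separately: a NamingException when the name server at the bootstrap address cannot be reached (the jndiUnavailCommErr / minor code 58C case), and a LoginException when the security server or the credentials are the problem (the SECJ0395E case). It also runs the EJB call inside WSSubject.doAs instead of WSSubject.setRunAsSubject, so the thread's existing RunAs subject is not overwritten, and logs out in a finally block. The class name ScopedJaasClient and the was.host / was.port / was.user / was.password system properties are assumptions for this example; PruebaServiceHome, PruebaService and imprimeUser() are the poster's own EJB interfaces and are assumed to be on the classpath.

```java
package prueba.was;

import java.security.PrivilegedExceptionAction;
import java.util.Hashtable;
import javax.naming.Context;
import javax.naming.InitialContext;
import javax.naming.NamingException;
import javax.rmi.PortableRemoteObject;
import javax.security.auth.Subject;
import javax.security.auth.login.LoginContext;
import javax.security.auth.login.LoginException;
import com.ibm.websphere.security.auth.WSSubject;
import com.ibm.websphere.security.auth.callback.WSCallbackHandlerImpl;

/** Thin client that authenticates with JAAS, calls the EJB as that subject, then logs out. */
public class ScopedJaasClient {

    public static void main(String[] args) throws Exception {
        // Bootstrap (naming) and security server addresses; assumed to be the same endpoint here.
        // The was.* property names are hypothetical, chosen for this example only.
        String host = System.getProperty("was.host", "localhost");
        String port = System.getProperty("was.port", "2809");
        // Demo credentials only: in real code take them from a prompt or a protected store.
        String user = System.getProperty("was.user", "admin");
        String password = System.getProperty("was.password", "admin");

        // Same meaning as securityServerHost/Port in sas.client.props; set before the first
        // InitialContext so the client ORB picks them up.
        System.setProperty("com.ibm.CORBA.securityServerHost", host);
        System.setProperty("com.ibm.CORBA.securityServerPort", port);

        Hashtable<String, String> env = new Hashtable<String, String>();
        env.put(Context.INITIAL_CONTEXT_FACTORY, "com.ibm.websphere.naming.WsnInitialContextFactory");
        env.put(Context.PROVIDER_URL, "corbaloc:iiop:" + host + ":" + port);

        final Context ctx;
        try {
            ctx = new InitialContext(env);
            ctx.lookup("");   // forces the bootstrap connection; fails fast if the name server is down
        } catch (NamingException e) {
            System.err.println("Name server unreachable at " + host + ":" + port + ": " + e.getMessage());
            return;
        }

        LoginContext lc;
        try {
            lc = new LoginContext("WSLogin", new WSCallbackHandlerImpl(user, password));
            lc.login();
        } catch (LoginException e) {
            System.err.println("JAAS login failed (check securityServerHost/Port and the credentials): "
                    + e.getMessage());
            return;
        }

        Subject subject = lc.getSubject();
        try {
            // Run the EJB call under the authenticated subject without replacing the thread's
            // RunAs subject, so other work on this thread keeps whatever identity it already had.
            WSSubject.doAs(subject, new PrivilegedExceptionAction<Object>() {
                public Object run() throws Exception {
                    PruebaServiceHome home = (PruebaServiceHome) PortableRemoteObject.narrow(
                            ctx.lookup("ejb/PruebaService"), PruebaServiceHome.class);
                    PruebaService service = home.create();
                    service.imprimeUser();   // server side prints ctx.getCallerPrincipal().getName()
                    return null;
                }
            });
        } finally {
            lc.logout();   // drop the credentials once the call is done
        }
    }
}
```

Run it with the same WAS_HOME\java JDK and client JARs described in the post, for example `java -Dwas.host=myserver -Dwas.port=2809 prueba.was.ScopedJaasClient`. If the first message printed is the "Name server unreachable" one, the problem is the bootstrap address or the server not listening on it, and no amount of changes to sas.client.props will help; only when the bootstrap lookup succeeds and the login still fails is the security server configuration the thing to look at.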
