
SecurityException (Invalid Subject) with custom LoginModule


samwoo

Jan 7, 2004, 6:04:32 PM

Hi all, I'm currently running WLS7 SP2. I have been trying to use the default WebLogic
authentication provider with my LoginModule, but with no luck. In my LoginModule,
I add one principal ("god") to the Subject and return the Subject to the client.
The client then calls weblogic.security.Security.runAs(Subject, PrivilegedAction)
to invoke a secured EJB method. However, the server generates an "Invalid Subject"
SecurityException. It seems that it is failing at the point where the WebLogic
security module tries to validate the signature of the subject principals. In my
case, I have implemented a UserPrincipal class which implements java.security.Principal.
I could not find any document on how to use the default WebLogic principal validator
in conjunction with my custom principal class. I would really appreciate any help
on how to solve my problem.

Here is the stack trace of my security exception:
java.lang.SecurityException: Invalid Subject: principals=[god]
java.lang.SecurityException: Invalid Subject: principals=[god]
        at weblogic.security.service.SecurityServiceManager.seal(SecurityServiceManager.java:993)
        at weblogic.rjvm.MsgAbbrevInputStream.getSubject(MsgAbbrevInputStream.java:146)
        at weblogic.rmi.internal.BasicServerRef.handleRequest(BasicServerRef.java:309)
        at weblogic.rmi.internal.BasicExecuteRequest.execute(BasicExecuteRequest.java:30)
        at weblogic.kernel.ExecuteThread.execute(ExecuteThread.java:213)
        at weblogic.kernel.ExecuteThread.run(ExecuteThread.java:189)
>
<Jan 7, 2004 1:39:24 PM PST> <Warning> <rmi> <080003> <RuntimeException thrown by rmi server: com.kirus.chicago.admin.impl.AdminServiceSessionBean_u8yzk6_EOImpl.remove()
java.lang.SecurityException: Invalid Subject: principals=[god]
java.lang.SecurityException: Invalid Subject: principals=[god]
        at weblogic.security.service.SecurityServiceManager.seal(SecurityServiceManager.java:993)
        at weblogic.rjvm.MsgAbbrevInputStream.getSubject(MsgAbbrevInputStream.java:146)
        at weblogic.rmi.internal.BasicServerRef.handleRequest(BasicServerRef.java:309)
        at weblogic.rmi.internal.BasicExecuteRequest.execute(BasicExecuteRequest.java:30)
        at weblogic.kernel.ExecuteThread.execute(ExecuteThread.java:213)
        at weblogic.kernel.ExecuteThread.run(ExecuteThread.java:189)
>


Lloyd Fernandes

Jan 8, 2004, 7:08:10 AM

Here's a bare-bones sample. You should put relevant code into the sign/validate methods.


/**
 * Skeleton PrincipalValidator for KerberosPrincipal instances.
 * sign() and validate() are stubs that accept every principal; real
 * signing and verification logic must replace them before use.
 *
 * @author Lloyd Fernandes
 */
public class WLSPrincipalKRBValidator implements weblogic.security.spi.PrincipalValidator
{
    /** Creates a new instance of WLSPrincipalKRBValidator */
    public WLSPrincipalKRBValidator()
    {
        System.out.println("WLSPrincipalKRBValidator");
    }

    /** The principal type this validator is responsible for. */
    public Class getPrincipalBaseClass()
    {
        System.out.println("WLSPrincipalKRBValidator: getPrincipalBaseClass");
        return javax.security.auth.kerberos.KerberosPrincipal.class;
    }

    /** Stub: reports success without signing anything. */
    public boolean sign(java.security.Principal principal)
    {
        System.out.println("WLSPrincipalKRBValidator: sign " + principal.getName());
        return true;
    }

    /** Stub: treats every principal as valid, so no check is performed. */
    public boolean validate(java.security.Principal principal) throws java.lang.SecurityException
    {
        System.out.println("WLSPrincipalKRBValidator: validate " + principal.getName());
        return true;
    }
}


Neil

Jan 12, 2004, 5:19:23 AM

Instead of implementing Principal directly, implement WLSPrincipal, as the
default principal validator will sign all of those Principals. It is
probably easiest to use WLSAbstractPrincipal
(http://e-docs.bea.com/wls/docs81/javadocs/weblogic/security/principal/WLSAbstractPrincipal.html)
or one of its subclasses (WLSGroupImpl, WLSUserImpl),
whichever is most appropriate. Just make sure that if your Principal has
more than a name to it that your getSignedData() method is correctly
implemented.

- Neil


"samwoo" <ssaamm...@yahoo.com> wrote in message
news:3ffc9080$1...@newsgroups.bea.com...
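
The getSignedData() caveat in the last reply, as an added example that is not part of the thread and not WebLogic's own code: a JDK-only model of a sign/validate pair. RolePrincipal, HmacValidator, the HMAC scheme and the demo key are assumptions made for illustration. It shows a never-signed principal failing validation, and a field changed after signing going unnoticed when getSignedData() covers only the name.

```java
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.Principal;

public class SignedPrincipalDemo {
    // Hypothetical principal with one field beyond the name.
    static class RolePrincipal implements Principal {
        final String name; String role; byte[] signature;
        final boolean signRole;   // false models an incomplete getSignedData()
        RolePrincipal(String name, String role, boolean signRole) {
            this.name = name; this.role = role; this.signRole = signRole;
        }
        public String getName() { return name; }
        byte[] getSignedData() {
            // Length-prefix each field so ("ab","c") and ("a","bc") differ.
            String data = name.length() + ":" + name;
            if (signRole) data += role.length() + ":" + role;
            return data.getBytes(StandardCharsets.UTF_8);
        }
    }
    // Stand-in for a server-side validator: HMAC with a key only the server holds.
    static class HmacValidator {
        private final SecretKeySpec key;
        HmacValidator(byte[] secret) { key = new SecretKeySpec(secret, "HmacSHA256"); }
        private byte[] mac(RolePrincipal p) throws Exception {
            Mac m = Mac.getInstance("HmacSHA256");
            m.init(key);
            return m.doFinal(p.getSignedData());
        }
        boolean sign(RolePrincipal p) throws Exception { p.signature = mac(p); return true; }
        boolean validate(RolePrincipal p) throws Exception {
            // A principal that was never signed (signature == null) is rejected.
            return p.signature != null && MessageDigest.isEqual(p.signature, mac(p));
        }
    }
    public static void main(String[] args) throws Exception {
        // Constructed key and principals, for demonstration only.
        HmacValidator v = new HmacValidator("constructed-demo-key".getBytes(StandardCharsets.UTF_8));
        RolePrincipal unsigned = new RolePrincipal("god", "admin", true);
        System.out.println("never signed:      " + v.validate(unsigned));
        RolePrincipal weak = new RolePrincipal("sam", "user", false);
        RolePrincipal good = new RolePrincipal("sam", "user", true);
        v.sign(weak); v.sign(good);
        weak.role = "admin"; good.role = "admin";   // field changed after signing
        System.out.println("name-only signed:  " + v.validate(weak));
        System.out.println("all fields signed: " + v.validate(good));
    }
}
```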