
EJB logout with CSIV2 authentification


zako...@gmail.com

Apr 9, 2008, 10:58:34 AM
Hi

I'm using secured EJBs over CSIv2 authentication. For that I set up my client application so that it reads sas.client.props and ssl.client.props, and it connects correctly to the EJBs. The problem comes when I try to log in to those EJBs as another user from the same client program and thread: I change the com.ibm.CORBA.loginUserid and com.ibm.CORBA.loginPassword properties to the new username, but when the EJB tries to get the username with "getCallerPrincipal().getName()" it still returns the old username that was logged in before.

The EJBs are stateless SessionBeans.

I tried to create a new home and lookup of the EJB, but the old user still remains in the context.

Is there any command to log out using this kind of authentication?

Paul Ilechko

Apr 9, 2008, 1:59:57 PM

subject.doAs changes the identity on a thread.

zako...@gmail.com

Apr 10, 2008, 3:27:19 AM
Hi

Thanks for your answer, but I still have some questions. It seems that when I log in for the first time on WAS it validates the client JVM, because I get some SAS traces such as:

10-abr-2008 9:24:06 SASRas
AUDIT: security.GettingConfig
10-abr-2008 9:24:07 SASRas
AUDIT: security.Protocol
10-abr-2008 9:24:07 SASRas
AUDIT: security.AuthTarget
10-abr-2008 9:24:07 SASRas
AUDIT: security.RegisterCurrent
10-abr-2008 9:24:08 SASRas
AUDIT: security.LoadSCI
10-abr-2008 9:24:08 SASRas
AUDIT: security.ClientCSI

With WSSubject.doAs() can I run that validation again? Also remember that I'm not using JAAS, so on the client I don't have any instance of LoginContext or Subject.

Any idea? Thanks in advance.

Paul Ilechko

Apr 10, 2008, 8:45:57 AM

There is no way to login without using JAAS, so I don't understand what
you mean.

zako...@gmail.com

Apr 10, 2008, 11:06:28 AM
Ok, I will try to explain what I did with a little example application.

First of all I wrote a small stateless session EJB called PruebaService.java with only this method (ctx is the bean's SessionContext, injected through setSessionContext):

    private SessionContext ctx;

    public void setSessionContext(SessionContext sessionContext)
    {
        this.ctx = sessionContext;
    }

    /**
     * An example business method
     *
     * @ejb.interface-method view-type = "remote"
     *
     * @throws EJBException
     * Thrown if method fails due to system-level error.
     */
    public void imprimeUser()
    {
        System.out.println("PruebaService.imprimeUser()");
        System.out.println("USUARIO");
        // The identity WAS associated with this invocation
        System.out.println(ctx.getCallerPrincipal().getName());
        System.out.println("FIN");
    }

For calling that EJB I wrote a simple Java client (PruebaWebSphere.java):

    import java.io.BufferedInputStream;
    import java.io.InputStream;
    import java.net.URL;
    import java.util.Properties;
    import javax.naming.Context;
    import javax.naming.InitialContext;

    public class PruebaWebSphere
    {
        public static void main(String[] args)
        {
            /* PRUEBA WEBSPHERE */
            try
            {
                System.out.println("PruebaWebSphere.main()");
                Properties env = new Properties();
                env.setProperty(Context.INITIAL_CONTEXT_FACTORY, "com.ibm.websphere.naming.WsnInitialContextFactory");
                env.setProperty(Context.PROVIDER_URL, "iiop://localhost:2809");
                env.setProperty(Context.URL_PKG_PREFIXES, "com.ibm.ws.naming");

                // Load the CSIv2 client settings into the system properties
                URL sasFileURL = PruebaWebSphere.class.getResource("sas.client.props");
                InputStream is = new BufferedInputStream(sasFileURL.openStream());
                System.getProperties().load(is);

                // Load the SSL client settings the same way
                URL sslFileURL = PruebaWebSphere.class.getResource("ssl.client.props");
                InputStream ssl = new BufferedInputStream(sslFileURL.openStream());
                System.getProperties().load(ssl);

                String keystoreURI = PruebaWebSphere.class.getResource("key.p12").toExternalForm();
                System.setProperty("com.ibm.ssl.keyStore", keystoreURI);
                String trustStoreURI = PruebaWebSphere.class.getResource("trust.p12").toExternalForm();
                System.setProperty("com.ibm.ssl.trustStore", trustStoreURI);

                System.setProperty("com.ibm.CORBA.securityServerHost", "localhost");
                System.setProperty("com.ibm.CORBA.securityServerPort", "2809");

                // Credentials used for the first (and only) CSIv2 login
                System.setProperty("com.ibm.CORBA.loginUserid", "admin");
                System.setProperty("com.ibm.CORBA.loginPassword", "admin");

                Context ctx = new InitialContext(env);
                PruebaServiceHome home = (PruebaServiceHome) javax.rmi.PortableRemoteObject.narrow(ctx.lookup("ejb/PruebaService"), PruebaServiceHome.class);
                PruebaService serviceLocal = home.create();

                System.out.println("Inicio. Imprimo el usuario con login");
                serviceLocal.imprimeUser();

                System.out.println("Fin llamada cliente");
            }
            catch (Exception e)
            {
                e.printStackTrace();
            }
        } // End of main()
    }

And finally this is my configuration of the properties files:

sas.client.props

com.ibm.CORBA.securityEnabled=true
com.ibm.CORBA.authenticationTarget=BasicAuth
com.ibm.CORBA.authenticationRetryEnabled=true
com.ibm.CORBA.authenticationRetryCount=3
com.ibm.CORBA.validateBasicAuth=true
com.ibm.CORBA.securityServerHost=
com.ibm.CORBA.securityServerPort=
com.ibm.CORBA.loginTimeout=300
com.ibm.CORBA.loginSource=properties

# RMI/IIOP user identity
com.ibm.CORBA.loginUserid=
com.ibm.CORBA.loginPassword=

com.ibm.CSI.performStateful=true

com.ibm.CSI.performClientAuthenticationRequired=true
com.ibm.CSI.performClientAuthenticationSupported=true

com.ibm.CSI.performTLClientAuthenticationRequired=false
com.ibm.CSI.performTLClientAuthenticationSupported=false

com.ibm.CSI.performTransportAssocSSLTLSRequired=false
com.ibm.CSI.performTransportAssocSSLTLSSupported=true

com.ibm.CSI.performMessageIntegrityRequired=true
com.ibm.CSI.performMessageIntegritySupported=true

com.ibm.CSI.performMessageConfidentialityRequired=false
com.ibm.CSI.performMessageConfidentialitySupported=true

com.ibm.ssl.alias=DefaultSSLSettings

com.ibm.CORBA.requestTimeout=180

ssl.client.props

com.ibm.ssl.keyStoreName=ClientDefaultKeyStore

com.ibm.ssl.keyStorePassword={xor}CDo9Hgw=
com.ibm.ssl.keyStoreType=PKCS12
com.ibm.ssl.keyStoreProvider=IBMJCE
com.ibm.ssl.keyStoreFileBased=true

com.ibm.ssl.trustStoreName=ClientDefaultTrustStore
com.ibm.ssl.trustStorePassword={xor}CDo9Hgw=
com.ibm.ssl.trustStoreType=PKCS12
com.ibm.ssl.trustStoreProvider=IBMJCE
com.ibm.ssl.trustStoreFileBased=true

With all that I obtain a correct authentication the first time I call that EJB, but if I change the com.ibm.CORBA.loginUserid property and the com.ibm.CORBA.loginUserPassword property it does not revalidate that authentication, so my question is:

How do I log out using the CSIv2 system?

Thanks for your answers, I still hope you can help me out with this.

Best regards

Paul Ilechko

Apr 10, 2008, 12:48:42 PM
zako...@gmail.com wrote:
> Ok, I will try to explain what I did with a little example application.
>
> With all that I obtain a correct authentication the first time I call that EJB, but if I change the com.ibm.CORBA.loginUserid property and the com.ibm.CORBA.loginUserPassword property it does not revalidate that authentication, so my question is:
>
> How do I log out using the CSIv2 system?
>
> Thanks for your answers, I still hope you can help me out with this.
>
> Best regards

I suggest you read the WAS infocenter article on client programming, so
that you can see how to do a JAAS login from your client. You should be
able to re-login with a different user and set the new context on the
thread with subject.doAs.
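The approach Paul describes, worked through as an added example (not code from this thread or from IBM): each user gets its own WSLogin JAAS login, the EJB call runs inside WSSubject.doAs so the server's getCallerPrincipal() sees that Subject, and logout() discards the identity afterwards. It assumes the WebSphere client runtime is on the classpath with the WSLogin configuration available (wsjaas_client.conf via -Djava.security.auth.login.config), that sas.client.props and ssl.client.props are loaded as in the thread, and that the EJB home, interface and JNDI name are the ones from the thread; the two accounts are placeholders.

```java
import java.security.PrivilegedExceptionAction;
import java.util.Properties;
import javax.naming.Context;
import javax.naming.InitialContext;
import javax.rmi.PortableRemoteObject;
import javax.security.auth.login.LoginContext;
import com.ibm.websphere.security.auth.WSSubject;
import com.ibm.websphere.security.auth.callback.WSCallbackHandlerImpl;

public class PruebaJaasClient {

    // Authenticate one user against WAS through the WSLogin JAAS configuration.
    // The LoginContext owns the Subject; logout() on it discards that identity.
    static LoginContext login(String user, String password) throws Exception {
        LoginContext lc = new LoginContext("WSLogin", new WSCallbackHandlerImpl(user, password));
        lc.login(); // throws LoginException on bad credentials
        return lc;
    }

    // Run imprimeUser() with this Subject bound to the current thread, so the
    // server-side ctx.getCallerPrincipal() reports this user, not the previous one.
    static void callAs(LoginContext lc, final Properties env) throws Exception {
        WSSubject.doAs(lc.getSubject(), new PrivilegedExceptionAction<Void>() {
            public Void run() throws Exception {
                Context ctx = new InitialContext(env);
                PruebaServiceHome home = (PruebaServiceHome) PortableRemoteObject.narrow(
                        ctx.lookup("ejb/PruebaService"), PruebaServiceHome.class);
                home.create().imprimeUser();
                return null;
            }
        });
    }

    public static void main(String[] args) throws Exception {
        Properties env = new Properties();
        env.setProperty(Context.INITIAL_CONTEXT_FACTORY, "com.ibm.websphere.naming.WsnInitialContextFactory");
        env.setProperty(Context.PROVIDER_URL, "iiop://localhost:2809");

        // Placeholder credentials standing in for the two accounts used in the thread.
        LoginContext admin = login("admin", "admin");
        callAs(admin, env);  // server prints "admin"
        admin.logout();      // explicit logout of the first identity

        LoginContext orion = login("ORION", "ORION");
        callAs(orion, env);  // server prints "ORION", not the cached "admin"
        orion.logout();
    }
}
```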

zako...@gmail.com

Apr 11, 2008, 2:46:19 AM
Ok, I will try to change my login process to JAAS.

For that I was reading the IBM WebSphere 6.1 Security Redbook PDF and downloaded the example app using JAAS that comes with the book, but it didn't work on my WebSphere installation. Has anybody tried it?

You can find the book here: http://www.redbooks.ibm.com/abstracts/sg246316.html?Open

And the zip with the example application that uses JAAS:
ftp://www.redbooks.ibm.com/redbooks/SG246316

Thanks for all your help.

zako...@gmail.com

Apr 11, 2008, 2:50:10 AM
It seems impossible to log out using the CSIv2 authentication method; I must change to the JAAS system.

saurabh narang

Apr 11, 2008, 8:37:09 AM
Hi Zako,

You would need to uncheck "Stateful sessions" in the CSIv2 inbound authentication settings. Once the first contact between a client and server is fully authenticated, all subsequent contacts with valid sessions reuse the security information if this checkbox is checked.

Hope this solves your problem.

Regards

zako...@gmail.com

Apr 14, 2008, 4:08:41 AM
Hi Saurabh

I tried what you said, unchecking that option in my administrative console, but it still does not work as I want. Is there any way to invalidate the client session? I mean, any command or something I can call to do that and make WAS re-validate my security.

I tried creating two homes and the results are still the same:

Client

    // First login as "admin"
    System.setProperty("com.ibm.CORBA.loginUserid", "admin");
    System.setProperty("com.ibm.CORBA.loginPassword", "admin");

    Context ctx = new InitialContext(env);
    PruebaServiceHome home = (PruebaServiceHome) javax.rmi.PortableRemoteObject.narrow(ctx.lookup("ejb/PruebaService"), PruebaServiceHome.class);
    PruebaService serviceLocal = home.create();
    System.out.println("Inicio. Imprimo el usuario con login");
    serviceLocal.imprimeUser();

    // Switch the properties to "ORION" and look up a second home
    System.setProperty("com.ibm.CORBA.loginUserid", "ORION");
    System.setProperty("com.ibm.CORBA.loginPassword", "ORION");

    Context ctx2 = new InitialContext(env);
    PruebaServiceHome home2 = (PruebaServiceHome) javax.rmi.PortableRemoteObject.narrow(ctx2.lookup("ejb/PruebaService"), PruebaServiceHome.class);
    PruebaService serviceLocal2 = home2.create();
    serviceLocal2.imprimeUser();

Server traces

14/04/08 10:06:52:234 CEST 00000025 SystemOut O PruebaService.imprimeUser()
14/04/08 10:06:52:234 CEST 00000025 SystemOut O USUARIO
14/04/08 10:06:52:234 CEST 00000025 SystemOut O admin
14/04/08 10:06:52:234 CEST 00000025 SystemOut O IP
14/04/08 10:06:52:234 CEST 00000025 SystemOut O FIN
14/04/08 10:06:52:250 CEST 00000025 SystemOut O PruebaService.imprimeUser()
14/04/08 10:06:52:250 CEST 00000025 SystemOut O USUARIO
14/04/08 10:06:52:250 CEST 00000025 SystemOut O admin
14/04/08 10:06:52:250 CEST 00000025 SystemOut O IP
14/04/08 10:06:52:250 CEST 00000025 SystemOut O FIN
