How to use a custom JAAS application login module in EJB 2.1

kar...@msn.com

unread,

Feb 22, 2008, 9:40:28 PM2/22/08

to

Hi, I built a custom JAAS login module, and added to my "Application Logins" following the introduction in "IBM WebSphere Application 
Server V6.1 Security Handbook". But I don't know how to use the "Alias" specified in "Application Logins" to secure my EJB project. 
 
If you have any idea about this, help me out, please!

Paul Ilechko

unread,

Feb 22, 2008, 9:57:58 PM2/22/08

to

kar...@msn.com wrote:
> Hi, I built a custom JAAS login module, and added to my "Application
> Logins" following the introduction in "IBM WebSphere Application

> Server V6.1 Security Handbook". But I don't know how to use the
> "Alias" specified in "Application Logins" to secure my EJB project.

> If you have any idea about this, help me out, please!

What are you actually trying to achieve ?

kar...@msn.com

unread,

Feb 23, 2008, 12:00:28 AM2/23/08

to

OK, Here is my situation: 
 
1. I built a custom login module as below into my EAR including a very simple EJB with declarative security done by ejb-jar.xml. 
<hr />
package tutorial; 
 
import java.io.IOException; 
import java.security.Principal; 
import java.util.Map; 
 
import javax.security.auth.Subject; 
import javax.security.auth.callback.Callback; 
import javax.security.auth.callback.CallbackHandler; 
import javax.security.auth.callback.NameCallback; 
import javax.security.auth.callback.PasswordCallback; 
import javax.security.auth.callback.UnsupportedCallbackException; 
import javax.security.auth.login.LoginException; 
import javax.security.auth.spi.LoginModule; 
 
import com.ibm.ws.security.common.auth.WSPrincipalImpl; 
import com.ibm.wsspi.security.auth.callback.WSTokenHolderCallback; 
 
public class WebsphereLoginModule implements LoginModule { 
      private Subject subject; 
      private CallbackHandler callbackHandler; 
      private Map<String, ?> sharedState; 
      private Map<String, ?> options; 
      private boolean succeeded = false; 
      private String username; 
      private String password; 
      private Principal principal; 
       
      public boolean abort() throws LoginException { 
            return true; 
      } 
 
      public boolean commit() throws LoginException { 
            if(!succeeded) { 
                  return false; 
            } 
            principal = new WSPrincipalImpl("authenticated"); 
            if(!subject.getPrincipals().contains(principal)) { 
                  subject.getPrincipals().add(principal); 
            } 
            return true; 
      } 
 
      public void initialize(Subject subject, CallbackHandler callbackHandler, Map<String, ?> sharedState, Map<String, ?> options) { 
            System.out.println("======================= INITIALIZING MY LOGIN MODULE ========================="); 
            this.subject = subject; 
            this.callbackHandler = callbackHandler; 
            this.sharedState = sharedState; 
            this.options = options;             
      } 
 
      public boolean login() throws LoginException { 
            if(callbackHandler == null) { 
                  throw new LoginException("Error: No CallbackHandler available"); 
            } 
             
            Callback[] callbacks = new Callback[3]; 
            callbacks[0] = new WSTokenHolderCallback(""); 
            callbacks[1] = new NameCallback("user name: "); 
            callbacks[2] = new PasswordCallback("password: ", false); 
             
             
            try { 
                  callbackHandler.handle(callbacks); 
            } catch (IOException e) { 
                  throw new LoginException(e.toString()); 
            } catch (UnsupportedCallbackException e) { 
                  throw new LoginException("Error" + e.getCallback().toString()); 
            } 
             
            boolean requiresLogin = ((WSTokenHolderCallback) callbacks[0]).getRequiresLogin(); 
            if(requiresLogin) { 
                  username = ((NameCallback) callbacks[1]).getName(); 
                  password = new String(((PasswordCallback) callbacks[2]).getPassword()); 
                  ((PasswordCallback) callbacks[2]).clearPassword(); 
                  System.out.println("======================= username: " + username); 
                  System.out.println("======================= password: " + password); 
                  succeeded = ("max".equals(username) && "secret".equals(password)); 
            } else { 
                  succeeded = true; 
            } 
             
            return succeeded; 
      } 
 
      public boolean logout() throws LoginException { 
            subject.getPrincipals().remove(principal); 
            return true; 
      } 
 
} 
<hr />
 
2. Added it to "Application Logins" fellows these steps like below. 
<hr />
You can add a new application JAAS login module configuration to the list. 
Perform the following steps: 
1. Under Application login configuration, click New. 
2. Provide an alias name, for example: MyLoginModule. 
3. Click Apply. Do not click OK yet, you are going to define the login module first 
before you save the configuration. 
4. Click JAAS login modules. 
5. Click New in the new window. 
6. Provide the fully qualified name (including package name) for your custom 
LoginModule implementation in the Module class name field, for example: 
com.ibm.itso.MyLoginModuleImpl 
Select the Use login module proxy check box, to ensure the class visibility 
for applications. For more information about the login module proxy, refer to 
the WebSphere Information Center. 
Select the authentication strategy, set as REQUIRED for now. The options 
include: REQUIRED, REQUISITE, SUFFICIENT, and OPTIONAL. For more 
information about the different strategies, refer to the WebSphere Information 
Center. 
7. Click OK. 
8. Save the configuration for WebSphere. 
 
3. Deploy to Websphere v6.1 using RAD 7, coded a thin client to test my EJB as below 
<hr />
package tutorial; 
 
import java.util.HashMap; 
import java.util.Hashtable; 
import java.util.Map; 
 
import javax.naming.Context; 
import javax.naming.InitialContext; 
import javax.rmi.PortableRemoteObject; 
import javax.security.auth.Subject; 
import javax.security.auth.callback.CallbackHandler; 
import javax.security.auth.login.AppConfigurationEntry; 
import javax.security.auth.login.Configuration; 
import javax.security.auth.login.LoginContext; 
import javax.security.auth.login.AppConfigurationEntry.LoginModuleControlFlag; 
 
import com.ibm.websphere.security.auth.callback.WSGUICallbackHandlerImpl; 
 
public class Main { 
      public static void main(String[] args) throws Exception { 
            final Map<String, String> cfg = new HashMap<String, String>(); 
            cfg.put("delegate", 
                        "com.ibm.ws.sec urity.common.auth.module.WSLoginModuleImpl"); 
            Configuration configuration = new javax.security.auth.login.Configuration() { 
                  private AppConfigurationEntry[] aces = { new AppConfigurationEntry( 
                          &nb sp;   "com.ibm.ws.security.common.auth.module.proxy.WSLoginModuleProxy", 
                          &nb sp;   LoginModuleControlFlag.REQUIRED, cfg) }; 
 
                  @Override 
                  public AppConfigurationEntry[] getAppConfigurationEntry(String name) { 
                        return "WSLogin".equals(name) ? aces : null; 
                  } 
 
                  @Override 
                  public void refresh() { 
                  } 
            }; 
            CallbackHandler loginHandler = new WSGUICallbackHandlerImpl(); 
            Subject subject = new Subject(); 
            LoginContext lc = new LoginContext("WSLogin", subject, loginHandler, 
                        configuration); 
            lc.login(); 
            // Subject subject = lc.getSubject(); 
 
            final String s = "max"; 
            Hashtable env = new Hashtable(); 
            env.put(Context.INITIAL_CONTEXT_FACTORY, 
                        "com.ibm.websph ere.naming.WsnInitialContextFactory"); 
            env.put(Context.PROVIDER_URL, "corbaloc:iiop:localhost:2809"); 
            Context ctx = new InitialContext(env); 
            Object obj = ctx.lookup("ejb/tutorial/HelloHome"); 
            HelloHome home = (HelloHome) PortableRemoteObject.narrow(obj, 
                        HelloHome.class ); 
            System.out.println(home.create().hello(s)); 
      } 
} 
<hr />
 
5. I got these error message as below, when run my client project 
<hr />
Feb 23, 2008 11:44:17 AM com.ibm.ws.util.ImplFactory 
WARNING: WSVR0073W 
Exception in thread "P=256375:O=0:CT" java.rmi.AccessException: CORBA NO_PERMISSION 0x0 No; nested exception is: 
      org.omg.CORBA.NO_PERMISSION: 
      >> SERVER (id=4773e3aa, host=maxop) TRACE START: 
      >> org.omg.CORBA.NO_PERMISSION: java.rmi.AccessException: ; nested exception is: 
      com.ibm.websphere.csi.CSIAccessException: SECJ0053E: Authorization failed for /UNAUTHENTICATED while invoking (Home)ejb/tutorial/HelloHome create:2 securityName: /UNAUTHENTICATED;accessID: UNAUTHENTICATED is not granted any of the required roles: jaasAdmin vmcid: 0x0 minor code: 0 completed: No 
      >>       at com.ibm.ws.security.core.SecurityCollaborator.performAuthorization(SecurityCollaborator.java:490) 
      >>       at com.ibm.ws.security.core.EJSSecurityCollaborator.preInvoke(EJSSecurityCollaborator.java:209) 
      >>       at com.ibm.ejs.container.EJSContainer.preInvokeForStatelessSessionCreate(EJSContainer.java:3612) 
      >>       at com.ibm.ejs.container.EJSContainer.preInvoke(EJSContainer.java:2833) 
      >>       at tutorial.EJSRemoteStatelessHelloHome_650957be.create(EJSRemoteStatelessHelloHome_650957be.java:90) 
      >>       at tutorial._EJSRemoteStatelessHelloHome_650957be_Tie.create(_EJSRemoteStatelessHelloHome_650957be_Tie.java:161) 
      >>       at tutorial._EJSRemoteStatelessHelloHome_650957be_Tie._invoke(_EJSRemoteStatelessHelloHome_650957be_Tie.java:86) 
      >>       at com.ibm.CORBA.iiop.ServerDelegate.dispatchInvokeHandler(ServerDelegate.java:613) 
      >>       at com.ibm.CORBA.iiop.ServerDelegate.dispatch(ServerDelegate.java:466) 
      >>       at com.ibm.rmi.iiop.ORB.process(ORB.java:503) 
      >>       at com.ibm.CORBA.iiop.ORB.process(ORB.java:1552) 
      >>       at com.ibm.rmi.iiop.Connection.respondTo(Connection.java:2673) 
      >>       at com.ibm.rmi.iiop.Connection.doWork(Connection.java:2551) 
      >>       at com.ibm.rmi.iiop.WorkUnitImpl.doWork(WorkUnitImpl.java:62) 
      >>       at com.ibm.ejs.oa.pool.PooledThread.run(ThreadPool.java:95) 
      >>       at com.ibm.ws.util.ThreadPool$Worker.run(ThreadPool.java:1510) 
      >> SERVER (id=4773e3aa, host=maxop) TRACE END. 
vmcid: 0x0 minor code: 0 completed: No 
      at com.ibm.CORBA.iiop.UtilDelegateImpl.mapSystemException(UtilDelegateImpl.java:254) 
      at javax.rmi.CORBA.Util.mapSystemException(Util.java:84) 
      at tutorial._HelloHome_Stub.create(_HelloHome_Stub.java:228) 
      at tutorial.Main.main(Main.java:50) 
Caused by: org.omg.CORBA.NO_PERMISSION: 
      >> SERVER (id=4773e3aa, host=maxop) TRACE START: 
      >> org.omg.CORBA.NO_PERMISSION: java.rmi.AccessException: ; nested exception is: 
      com.ibm.websphere.csi.CSIAccessException: SECJ0053E: Authorization failed for /UNAUTHENTICATED while invoking (Home)ejb/tutorial/HelloHome create:2 securityName: /UNAUTHENTICATED;accessID: UNAUTHENTICATED is not granted any of the required roles: jaasAdmin vmcid: 0x0 minor code: 0 completed: No 
      >>       at com.ibm.ws.security.core.SecurityCollaborator.performAuthorization(SecurityCollaborator.java:490) 
      >>       at com.ibm.ws.security.core.EJSSecurityCollaborator.preInvoke(EJSSecurityCollaborator.java:209) 
      >>       at com.ibm.ejs.container.EJSContainer.preInvokeForStatelessSessionCreate(EJSContainer.java:3612) 
      >>       at com.ibm.ejs.container.EJSContainer.preInvoke(EJSContainer.java:2833) 
      >>       at tutorial.EJSRemoteStatelessHelloHome_650957be.create(EJSRemoteStatelessHelloHome_650957be.java:90) 
      >>       at tutorial._EJSRemoteStatelessHelloHome_650957be_Tie.create(_EJSRemoteStatelessHelloHome_650957be_Tie.java:161) 
      >>       at tutorial._EJSRemoteStatelessHelloHome_650957be_Tie._invoke(_EJSRemoteStatelessHelloHome_650957be_Tie.java:86) 
      >>       at com.ibm.CORBA.iiop.ServerDelegate.dispatchInvokeHandler(ServerDelegate.java:613) 
      >>       at com.ibm.CORBA.iiop.ServerDelegate.dispatch(ServerDelegate.java:466) 
      >>       at com.ibm.rmi.iiop.ORB.process(ORB.java:503) 
      >>       at com.ibm.CORBA.iiop.ORB.process(ORB.java:1552) 
      >>       at com.ibm.rmi.iiop.Connection.respondTo(Connection.java:2673) 
      >>       at com.ibm.rmi.iiop.Connection.doWork(Connection.java:2551) 
      >>       at com.ibm.rmi.iiop.WorkUnitImpl.doWork(WorkUnitImpl.java:62) 
      >>       at com.ibm.ejs.oa.pool.PooledThread.run(ThreadPool.java:95) 
      >>       at com.ibm.ws.util.ThreadPool$Worker.run(ThreadPool.java:1510) 
      >> SERVER (id=4773e3aa, host=maxop) TRACE END. 
vmcid: 0x0 minor code: 0 completed: No 
      at sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method) 
      at sun.reflect.NativeConstructorAccessorImpl.newInstance(NativeConstructorAccessorImpl.java:67) 
      at sun.reflect.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:45) 
      at java.lang.reflect.Constructor.newInstance(Constructor.java:521) 
      at com.ibm.rmi.iiop.ReplyMessage._getSystemException(ReplyMessage.java:241) 
      at com.ibm.rmi.iiop.ReplyMessage.getSystemException(ReplyMessage.java:189) 
      at com.ibm.rmi.iiop.ClientResponseImpl.getSystemException(ClientResponseImpl.java:232) 
      at com.ibm.rmi.corba.ClientDelegate.invoke(ClientDelegate.java:534) 
      at com.ibm.CORBA.iiop.ClientDelegate.invoke(ClientDelegate.java:1150) 
      at com.ibm.rmi.corba.ClientDelegate.invoke(ClientDelegate.java:756) 
      at com.ibm.CORBA.iiop.ClientDelegate.invoke(ClientDelegate.java:1180) 
      at org.omg.CORBA.portable.ObjectImpl._invoke(ObjectImpl.java:484) 
      at tutorial._HelloHome_Stub.create(_HelloHome_Stub.java:215) 
      ... 1 more 
<hr />
6. And none of "System.out.println" in my WebsphereLoginModule.java was executed. 
 
So, my problem is how to make Websphere to call my WebsphereLoginModule instand of the default one when I try to call my EJB.

Paul Ilechko

unread,

Feb 23, 2008, 8:40:17 AM2/23/08

to

kar...@msn.com wrote:

> So, my problem is how to make Websphere to call my
> WebsphereLoginModule instand of the default one when I try to call my
> EJB.

Well, the code you listed was completely unreadable because the web site
screws everything up for NNTP users. But you have not explained why you
need a custom login module. What are you trying to do that WAS won't do
by default? What is your user registry?

Assuming that you even need one, why try to use an application config
rather than add your module to RMI_INBOUND ?

I suggest that you begin by reading this paper:

http://www.ibm.com/developerworks/websphere/techjournal/0508_benantar/0508_benantar.html

kar...@msn.com

unread,

Feb 23, 2008, 11:50:24 AM2/23/08

to

<div class="jive-quote">But you have not explained why you need a custom login module. What are you trying to do that WAS won't do by default? What is your user registry?</div>
 
Because I need to implement a bunch of business logic in my login module. I use Oracle to store user information. 
 
<div class="jive-quote">why try to use an application config rather than add your module to RMI_INBOUND ?</div>
 
My login module only be useful to my enterprise application, and I don't want it to effect other applications.

kar...@msn.com

unread,

Feb 24, 2008, 9:05:39 AM2/24/08

to

There is something like "Security domain" in JBoss can achieve my purpose.<hr />
<jboss> 
   <security-domain>java:/jaas/JawJaasDbRealm</security-domain> 
   ... 
</jboss> 
<hr />
 
I don't know how to make it in Websphere.