users@glassfish.java.net

Re: [GF 3.1] EJB securisation with username_password

From: Kumar Jayanti <v.b.kumar.jayanti_at_oracle.com>
Date: Fri, 29 Apr 2011 22:24:05 +0530

On 29-Apr-2011, at 6:03 PM, forums_at_java.net wrote:

> Hello,
>
> I am trying to use an EJB as a service for an authentication realm. To give a
> little more explanations, i will have intermediate servers, which i have to
> authenticate, that will access that EJB service and use its functions to
> authenticate users. So basically, i wanted to use SSL certificates to
> authenticate the IS (intermediate servers) against the EJB hosted by the CS
> (central server.). But the EJB call only partially works when there is no IS
> involved, and EJBContext.getCallerPrincipal() only returned anonymous,
> whereas when using an IS, the call would fail returning the problem described
> in that bug report: http://java.net/jira/browse/GLASSFISH-16492 [1]

I believe you are running into this :
http://download.oracle.com/docs/cd/E19226-01/820-7688/gjktd/index.html

>
> So i switched back to use username_password authentication mechanism instead,
> with programmatic login - in order to authenticate the IS. But that wouldn't
> work either: it would give me a Runtime exception stating 'Cannot propagate
> username/password when using run as identity.' But i've never used the
> @RunAs().
The error message is a bit misleading, but what it means is that an Intermediate Server cannot send a CAT (Client Authentication Token) to the Central Server. It can only send an IDT (Identity Token) to the Central Server.

IOW, the sun-ejb-jar.xml (glassfish-ejb-jar.xml) for the Central Server should have a sas-context element and not an as-context.

<!--
sas-context (related to CSIv2 security attribute service) element describes
the sas-context fields.
-->
<!ELEMENT sas-context ( caller-propagation )>

<!--
caller-propagation element indicates if the target will accept propagated caller identities
The values are NONE or SUPPORTED.
-->

<!--
as-context (CSIv2 authentication service) is the element describing the authentication
mechanism that will be used to authenticate the client. If specified it will be the
username-password mechanism.
-->
<!ELEMENT as-context ( auth-method, realm, required )>


Now if your design is such that the EJB on the Central server can also be directly contacted (in addition to being contacted by the intermediate) by an End-User Client (one who has a username/password), then you could be in trouble; you should set as-context required to false and make sure SSL is used underneath.



> I thought the problem resided in the way i was looking up the remote EJB and
> found out the Java EE 5 EJB FAQ and followed the guide, and used ejb refs to
> look up remote EJBs... and still, no luck. I'm getting the same root cause as
> the certificate issue:
>
>
>
> *exception*
>
>
> javax.servlet.ServletException: PWC1392: Error instantiating servlet class
> com.hypsoma.test.CallServlet
>
>
> *root cause*
>
> com.sun.enterprise.container.common.spi.util.InjectionException: Error
> creating managed object for class com.hypsoma.test.CallServlet
>
>
> *root cause*
>
> com.sun.enterprise.container.common.spi.util.InjectionException: Exception
> attempting to inject Remote ejb-ref name=CustomerAuthEjbRef,Remote 3.x
> interface
> =com.hypsoma.hades.auth.CustomerAuthEjbRemote,ejb-link=null,lookup=,mappedName=,jndi-name=corbaname:iiop:localhost:23700#java:global/hades/auth-0.0.1-SNAPSHOT/CustomerAuthEjb!com.hypsoma.hades.auth.CustomerAuthEjbRemote,refType=Session
> into class com.hypsoma.test.CallServlet
>
>
> *root cause*
>
> javax.naming.NamingException: Lookup failed for
> 'java:comp/env/CustomerAuthEjbRef' in
> SerialContext[myEnv={java.naming.factory.initial=com.sun.enterprise.naming.impl.SerialInitContextFactory,
> java.naming.factory.state=com.sun.corba.ee.impl.presentation.rmi.JNDIStateFactoryImpl,
> java.naming.factory.url.pkgs=com.sun.enterprise.naming} [Root exception is
> javax.naming.NamingException: ejb ref resolution error for remote business
> interfacecom.hypsoma.hades.auth.CustomerAuthEjbRemote [Root exception is
> org.omg.CORBA.OBJECT_NOT_EXIST: FINE: IOP02500002: Failed to create or locate
> Object Adaptor vmcid: SUN minor code: 2 completed: No]]
>
>
> *root cause*
>
> javax.naming.NamingException: ejb ref resolution error for remote business
> interfacecom.hypsoma.hades.auth.CustomerAuthEjbRemote [Root exception is
> org.omg.CORBA.OBJECT_NOT_EXIST: FINE: IOP02500002: Failed to create or locate
> Object Adaptor vmcid: SUN minor code: 2 completed: No]
>
>
> *root cause*
>
> org.omg.CORBA.OBJECT_NOT_EXIST: FINE: IOP02500002: Failed to create or locate
> Object Adaptor vmcid: SUN minor code: 2 completed: No
>
>
> *root cause*
>
>
>
> is my corbaname wrong ?
>
>
>
>
> <ejb-ref>
> <ejb-ref-name>CustomerAuthEjbRef</ejb-ref-name>
> <!-- corbaname:iiop:<host>:<port>#<global_jndi_name> -->
> <jndi-name>corbaname:iiop:stakhanov.hypsoma.com:3700#java:global/hades/auth-0.0.1-SNAPSHOT/CustomerAuthEjb!com.hypsoma.hades.auth.CustomerAuthEjbRemote</jndi-name>
> </ejb-ref>
>
>
>
> [1] http://java.net/jira/browse/GLASSFISH-16492
>
> --
>
> [Message sent by forum member 'brzhk']
>
> View Post: http://forums.java.net/node/796678
>
>
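As an added illustration (not part of the thread above, and not a file from the poster's project), here is what the ior-security-config in the Central Server's glassfish-ejb-jar.xml could look like to follow the advice in the reply: a sas-context with caller-propagation set to supported so the Intermediate Server can send an Identity Token, an as-context kept for direct end-user clients but with required set to false so that a propagated IDT without a username/password is still accepted, and a transport-config that requires integrity and confidentiality so a username/password never crosses IIOP in the clear. The ejb-name CustomerAuthEjb is taken from the stack trace above; the realm name "default", the transport-config values and the DOCTYPE for GlassFish 3.1 are assumptions for the example.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE glassfish-ejb-jar PUBLIC
  "-//GlassFish.org//DTD GlassFish Application Server 3.1 EJB 3.1//EN"
  "http://glassfish.org/dtds/glassfish-ejb-jar_3_1-1.dtd">
<glassfish-ejb-jar>
  <enterprise-beans>
    <ejb>
      <!-- bean name taken from the thread; the rest of the values are assumed -->
      <ejb-name>CustomerAuthEjb</ejb-name>
      <ior-security-config>
        <!-- SSL underneath: do not let a username/password travel unprotected -->
        <transport-config>
          <integrity>required</integrity>
          <confidentiality>required</confidentiality>
          <establish-trust-in-target>supported</establish-trust-in-target>
          <!-- assumed: the IS is not authenticated by client certificate here -->
          <establish-trust-in-client>none</establish-trust-in-client>
        </transport-config>
        <!-- as-context stays so an end-user client can still send a CAT,
             but required=false so a call carrying only an IDT is not rejected -->
        <as-context>
          <auth-method>username_password</auth-method>
          <realm>default</realm>
          <required>false</required>
        </as-context>
        <!-- sas-context: accept the Identity Token propagated by the IS -->
        <sas-context>
          <caller-propagation>supported</caller-propagation>
        </sas-context>
      </ior-security-config>
    </ejb>
  </enterprise-beans>
</glassfish-ejb-jar>
```

With only sas-context and no as-context, a direct end-user client that wants to present its own username/password has no CSIv2 authentication layer to send it through; with as-context required set to true, an intermediate that can only forward an IDT gets the "Cannot propagate username/password" failure. Keeping both, with required false and the transport protected, is the combination the reply recommends for a bean reached both ways.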