EJB programming & troubleshooting: Urgent Help Need on JAAS with Websphere

  1. Urgent Help Need on JAAS with Websphere (8 messages)

    Hi,

    Has anybody successfully enforced EJB security using JAAS on WebSphere 5.1.1? I am able to authenticate and I get the Subject as well, but when I call the WSSubject.doAs() method it seems this is not working. I have defined the roles properly at method level in the EJB deployment descriptor.

    Can anybody provide me with a sample?

    Thanks and Regards,
    Mohit
  2. Added to an above comment

    We are developing a J2EE web application and want to provide security using JAAS and a combination of programmatic and declarative security.

    Development Environment:
    Websphere 5.1.1

    We have developed a custom LoginModule. User ID and password are taken from a JSP page and authenticated against passwords in an MS SQL Server database.

    After authentication, a Subject object (javax.security.auth.Subject) containing appropriate principals is put into the user session.

    Declarative security (roles, role references, principal mappings, method permissions) is defined for the EJBs in the deployment descriptors. A call to an EJB method is made by creating a PrivilegedAction wrapper, obtaining the Subject from the session and executing the statement:
    Subject.doAs(subject, new PrivilegedAction() {
        public Object run() {
            myEjb.methodA();   // protected EJB method, expected to run as the authenticated Subject
            return null;
        }
    });

    The Problem:
    In the EJB method, the principal returned by mySessionContext.getCallerPrincipal().getName() shows the caller to be ANONYMOUS or UNAUTHENTICATED (I got this after commenting out the EJB method permissions and letting the method be accessed unchecked). The identity with which the call is made is not being propagated.

    I have been banging my head against this problem for around 2 weeks and still have no breakthrough. Could you please provide some guidance or comments as to what the problem might be?

    Thanks
    Best Regards
    Mohit Gupta
  3. Mohit

    I have run into this same issue of non-propagation of the user identity when making a call to the EJB.

    I have enabled global security in WAS 5.1.1 and used LTPA for authentication and SSO (all set via the admin console). I enabled trace and can see that the Subject is being correctly set at the web tier after authentication, but then the WSCredentialImpl is not being created. I am not sure if this is the issue.

    I would appreciate it if you could give any further insight, if you have made progress on this issue.

    Regards
    Naresh
    nlalchandani@yahoo.com
  4. Hi,
     Maybe this can help you; if not, sorry.

    I read this in the WAS 5.x InfoCenter.


    To extend the function provided by the Java Authentication and Authorization Service (JAAS) APIs, you can set the RunAs subject (or invocation subject) with a different valid entry that is used for outbound requests on an execution thread. This gives flexibility for associating the Subject with all remote calls on this thread without having to do a WSSubject.doAs() to associate the subject with the remote action. For example:

    try
    {
        javax.security.auth.Subject runas_subject, caller_subject;

        runas_subject = com.ibm.websphere.security.auth.WSSubject.getRunAsSubject();
        caller_subject = com.ibm.websphere.security.auth.WSSubject.getCallerSubject();

        // set a new RunAs subject for the thread, overriding the one declaratively set
        com.ibm.websphere.security.auth.WSSubject.setRunAsSubject(caller_subject);

        // do some remote calls

        // restore back to the previous runAsSubject
        com.ibm.websphere.security.auth.WSSubject.setRunAsSubject(runas_subject);
    }
    catch (com.ibm.websphere.security.WSSecurityException e)
    {
        // log error
    }
    catch (Exception e)
    {
        // log error
    }


    Note: You need the following Java 2 Security permissions to execute these APIs:

    permission javax.security.auth.AuthPermission "wssecurity.getRunAsSubject";
    permission javax.security.auth.AuthPermission "wssecurity.getCallerSubject";
    permission javax.security.auth.AuthPermission "wssecurity.setRunAsSubject";
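    The InfoCenter snippet restores the previous RunAs subject only on the normal path: if one of the remote calls throws, the thread keeps the overridden identity for whatever it does next. This is an added example, not from the InfoCenter or any poster, that moves the restore into a finally block; the EJB reference type MyEjb and its method methodA() are assumed.

    ```java
    import javax.security.auth.Subject;
    import com.ibm.websphere.security.WSSecurityException;
    import com.ibm.websphere.security.auth.WSSubject;

    public class RunAsCaller {

        // Invoke a protected EJB method with the caller's identity as the outbound
        // RunAs identity, and always put the previous RunAs subject back afterwards.
        // MyEjb is an assumed EJB interface; methodA() is the protected method.
        public void callWithCallerIdentity(final MyEjb myEjb) throws WSSecurityException {
            Subject previousRunAs = WSSubject.getRunAsSubject();
            Subject caller = WSSubject.getCallerSubject();
            if (caller == null) {
                // no authenticated caller on this thread: refuse rather than
                // letting the call go out as the declaratively configured identity
                throw new WSSecurityException("no caller subject on this thread");
            }
            WSSubject.setRunAsSubject(caller);
            try {
                myEjb.methodA();   // outbound call now carries the caller's identity
            } finally {
                // runs even when methodA() throws, so later work on this thread
                // does not silently continue as the caller
                WSSubject.setRunAsSubject(previousRunAs);
            }
        }
    }
    ```

    The Java 2 Security permissions listed in the note above are still required by each of the three WSSubject calls.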
  5. Well, I have the same unauthenticated problem; I have been looking for the solution with bad results. Could you let me know how you extend the function provided by the Java Authentication and Authorization Service (JAAS) APIs? It seems that you are updating a file. Please let me know, I'm really lost.
  6. I'm using WebSphere 5.1 and had problems using a message-driven bean (MDB) to invoke an EJB which was under the access protection of security roles. It's known that an MDB does not receive the security context. It can't receive the security "Subject" values.

    As I'm using WebSphere 5.1, through the project Deployment Descriptors it's possible to configure access to a bean by setting a security role under which the bean will be executed.

    In the ejb-jar.xml you add code to specify the security role under which a bean will be executed. Notice that you are setting a RUN AS mode. It can be done through the descriptor interface as well, by setting the "Security Identity (Bean Level)"; you can do it at the Method Level too. This is the code for bean level:

    <message-driven id="yourMdbBean">
        <ejb-name>yourMdbBean</ejb-name>
        <ejb-class>yourClassToTheEJB</ejb-class>
        <transaction-type>Container or Application - depends on your app</transaction-type>
        <message-driven-destination>
            <destination-type>yourDestination</destination-type>
        </message-driven-destination>
        <security-identity>
            <description></description>
            <run-as>
                <description></description>
                <role-name>YourSecurityRole</role-name>
            </run-as>
        </security-identity>
    </message-driven>

    Now you must set a valid user name for your app in the Application Deployment Descriptor, application.xml.
    Using the graphical interface, in the "Security" tab you select the security role you specified, and in the "Security Role Run As Bindings" area you insert the user and its password.
    You can also insert the following code in the ibm-application-bnd.xmi.

    This is my code; the IDs are automatically generated by WebSphere:

      <runAsMap xmi:id="RunAsMap_1128106926656">
        <runAsBindings xmi:id="RunAsBinding_1128106926656">
          <authData xmi:type="commonbnd:BasicAuthData" xmi:id="BasicAuthData_1128108430453" userId="vini" password="YOUR_ENCRYPTED_PASSWD"/>
          <securityRole href="META-INF/application.xml#SecurityRole_1121977249593"/>
        </runAsBindings>
        <runAsBindings xmi:id="RunAsBinding_1128108362375"/>
        <runAsBindings xmi:id="RunAsBinding_1128108430453"/>
      </runAsMap>

    Hope it helps
  7. Could anyone please let me know what's wrong? When I try to invoke an EJB I get this error:
    Authorization failed for /UNAUTHENTICATED while invoking resource {bean name}securityName:/UNAUTHENTICATED;accessId:null not granted any of the required roles roles :[role name]

    What am I missing here? I tried using Subject.doAs() as well as WSSubject.doAs(); they don't react very differently. My intention is to access a protected resource (in this case an EJB) after authenticating a user using a login module. Is it required that the principal be of type WSPrincipal?
  8. Yes, very much. Both the principal and the credential should be WebSphere's, and they should be added to the Subject; otherwise JAAS security will not work.

    -Mohit
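    One way to obtain a Subject that already carries WebSphere's own principal and credential, as this reply says is required, is to authenticate through the server's "WSLogin" JAAS configuration instead of a custom LoginModule, and then invoke the EJB under that Subject with WSSubject.doAs(). This is an added example, not code from anyone in the thread; the EJB interface MyEjb and its method methodA() are assumed.

    ```java
    import java.rmi.RemoteException;
    import java.security.PrivilegedActionException;
    import java.security.PrivilegedExceptionAction;
    import javax.security.auth.Subject;
    import javax.security.auth.login.LoginContext;
    import javax.security.auth.login.LoginException;
    import com.ibm.websphere.security.auth.WSSubject;
    import com.ibm.websphere.security.auth.callback.WSCallbackHandlerImpl;

    public class WebSphereLoginCaller {

        // Authenticate user/password against the WebSphere user registry via the
        // "WSLogin" configuration; the resulting Subject contains the WSPrincipal
        // and WSCredential the EJB container checks against method permissions.
        public Subject login(String user, String password) throws LoginException {
            LoginContext lc = new LoginContext("WSLogin",
                    new WSCallbackHandlerImpl(user, password));
            lc.login();   // throws LoginException on bad credentials: do not proceed
            return lc.getSubject();
        }

        // Run the protected EJB call with the authenticated Subject associated to
        // this thread. A checked RemoteException from the EJB surfaces as the cause
        // of the PrivilegedActionException instead of being swallowed.
        // MyEjb is an assumed EJB interface; methodA() is the protected method.
        public void callAs(Subject subject, final MyEjb myEjb) throws PrivilegedActionException {
            WSSubject.doAs(subject, new PrivilegedExceptionAction() {
                public Object run() throws RemoteException {
                    myEjb.methodA();   // getCallerPrincipal() now names the logged-in user
                    return null;
                }
            });
        }
    }
    ```

    Keeping the Subject server-side and reusing it for each call, rather than re-prompting for the password, is what the poster above does with the HTTP session; a Subject produced by a LoginModule that adds only non-WebSphere principals will still show up as UNAUTHENTICATED in the EJB.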
  9. Mohit,

    I saw your earlier post where you asked for a completely implemented JAAS login module for authentication with an EJB authorization check. I have had hard luck with this too. Can you let me know if you have a sample of this? You can send me an email at subqst@yahoo.com