
Using Database login Module in JBoss

This post describes in detail how to use the DatabaseServerLoginModule in JBoss to secure a J2EE application.

Scenario


There is an EJB and we want to restrict access to its method to an authenticated user who holds a particular role. The EJB is accessed from a standalone Java client using a remote JNDI lookup.


Implementation


The EJB is HelloSSB and the roles allowed are admin and user.
The first step is to write the EJB.
The source code is given below; it is a stateless session bean.


package com.prem.ejb;

import javax.annotation.PreDestroy;
import javax.annotation.Resource;
import javax.annotation.security.RolesAllowed;
import javax.ejb.SessionContext;
import javax.ejb.Stateless;
import javax.persistence.EntityManager;
import javax.persistence.PersistenceContext;

import org.jboss.annotation.security.SecurityDomain;

// Stateless session bean secured by the "helloworld" security domain
// configured in login-config.xml.
@Stateless
@SecurityDomain("helloworld")
public class HelloSSB implements HellioIntf {

    @PersistenceContext(unitName = "EntApp")
    EntityManager em;

    // Injected context; gives access to the caller's principal and roles.
    @Resource
    SessionContext ctx;

    // Only callers holding the admin or user role may invoke this method;
    // the container rejects everyone else before the body runs.
    @RolesAllowed({"admin", "user"})
    public void hello() {
        System.out.println(ctx.getCallerPrincipal().getName());
        if (ctx.isCallerInRole("admin")) {
            System.out.println("hello admin");
            // Entity write, only for admins (Book is a JPA entity not shown in this post)
            Book book = new Book();
            //book.setId("1");
            book.setName("J2EE blue Prints");
            em.persist(book);
        } else if (ctx.isCallerInRole("user")) {
            System.out.println("hello User");
        } else {
            System.out.println("UNAUTHORISED ");
        }
    }

    @PreDestroy
    public void close() {
        System.out.println(" in predestroy ");
    }
}



Here the annotation @SecurityDomain("helloworld") indicates that this EJB is secured by the helloworld security domain, and @RolesAllowed({"admin","user"}) indicates that the method hello is accessible only to callers in the admin or user role.
With this the EJB is ready. You can ignore the entity bean used in the EJB.
Next, edit jboss.xml and provide a JNDI name for the EJB.

Example


<?xml version="1.0" encoding="UTF-8"?>
<jboss>
    <enterprise-beans>
        <session>
            <ejb-name>HelloSSB</ejb-name>
            <jndi-name>com.prem.Hello</jndi-name>
        </session>
    </enterprise-beans>
</jboss>



Now we need to configure the security domain in JBoss.
Edit login-config.xml in the conf directory and add an entry like this.


<application-policy name="helloworld">
    <authentication>
        <login-module flag="required" code="org.jboss.security.auth.spi.DatabaseServerLoginModule">
            <module-option name="dsJndiName">java:/mysql</module-option>
            <module-option name="principalsQuery">select passwd from users where userid=?</module-option>
            <module-option name="rolesQuery">select role,'Roles' from user_roles where userid=?</module-option>
        </login-module>
    </authentication>
</application-policy>




This sets up a security domain in JBoss that uses the DatabaseServerLoginModule to authenticate, and to look up the roles of, any caller of a resource protected by this domain. The principalsQuery returns the stored password for the supplied user id, and the rolesQuery returns the roles that the @RolesAllowed check is evaluated against.
The above steps complete the server side setup.
Now we have to write the client, and we want to propagate the client's login credentials to the server. For this JBoss provides the ClientLoginModule. This login module does no authentication on the client side; it only passes the login information to the server, where the helloworld domain verifies it.
The code for the client is given below.

package com.prem.client;

import java.security.Principal;
import javax.naming.Context;
import javax.naming.InitialContext;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.login.LoginContext;
import org.jboss.security.auth.callback.SecurityAssociationHandler;
import com.prem.ejb.HellioIntf;

public class EJBClient {
    // Credentials sent to the server; they must match a row in the users table
    // read by principalsQuery on the server side.
    static String user = "prem";
    static String password = "prem";

    public static void main(String[] args) throws Exception {
        // The handler hands the principal and credential to ClientLoginModule.
        SecurityAssociationHandler handler = new SecurityAssociationHandler();
        Principal userPrincipal = new Principal() {
            public String getName() {
                return user;
            }
        };
        handler.setSecurityInfo(userPrincipal, password);

        // "hello" is the entry name in the JAAS config file; ClientLoginModule only
        // stores the credentials locally so that the EJB invocation carries them.
        LoginContext loginContext = new LoginContext("hello", (CallbackHandler) handler);
        loginContext.login();

        // Remote lookup by the JNDI name given in jboss.xml; the provider URL
        // comes from jndi.properties on the client classpath.
        String jndiName = "com.prem.Hello";
        Context ic = new InitialContext();
        System.out.println("about to look up jndi name " + jndiName);
        Object obj = ic.lookup(jndiName);
        System.out.println("lookup returned " + obj.getClass());
        HellioIntf foo = (HellioIntf) obj;
        foo.hello();
    }
}

For this client to work it has to use the ClientLoginModule, which is configured through a JAAS configuration file (passed to the JVM via the java.security.auth.login.config system property).
The content of the JAAS config file is given below.

hello {org.jboss.security.ClientLoginModule required;};



Now add all the jars in the JBoss client folder to the classpath, and also add the jbosssx jar.
This completes the entire process.
Create the users and user_roles tables queried in the login-config.xml above before testing the program.
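The tables behind the principalsQuery and rolesQuery in the login-config.xml above are not defined anywhere in this post, so the following schema and seed rows are an added example, not part of the original post. The table and column names (users.userid, users.passwd, user_roles.userid, user_roles.role) are taken from the two queries; the rows for the user prem are constructed to match the credentials hard-coded in EJBClient, and the guest row is constructed to show the user role. The 'Roles' literal in rolesQuery is the role-group name that JBoss checks @RolesAllowed and ctx.isCallerInRole() against. Note that the principalsQuery as written compares the stored passwd column directly with the submitted password, so the table holds plaintext passwords; DatabaseServerLoginModule can instead compare against a digest when the hashAlgorithm and hashEncoding module options are set, which is the configuration to prefer for anything beyond a local test.

```sql
-- Added example schema for the DatabaseServerLoginModule queries above (not from the original post).
-- Column names come from principalsQuery / rolesQuery in login-config.xml; everything else is constructed.
CREATE TABLE users (
    userid  VARCHAR(64)  NOT NULL PRIMARY KEY,
    passwd  VARCHAR(255) NOT NULL   -- plaintext as the page's query expects; store a digest if hashAlgorithm is configured
);

CREATE TABLE user_roles (
    userid  VARCHAR(64) NOT NULL,
    role    VARCHAR(64) NOT NULL,
    PRIMARY KEY (userid, role),
    FOREIGN KEY (userid) REFERENCES users (userid)
);

-- Constructed sample data: 'prem'/'prem' matches the credentials hard-coded in EJBClient.
INSERT INTO users (userid, passwd) VALUES ('prem', 'prem');
INSERT INTO users (userid, passwd) VALUES ('guest', 'guest');

-- prem gets the admin role, guest only the user role; a userid with no row
-- in users cannot log in at all, and one with no row here has no roles.
INSERT INTO user_roles (userid, role) VALUES ('prem', 'admin');
INSERT INTO user_roles (userid, role) VALUES ('guest', 'user');

-- What JBoss runs at login, with ? bound to the caller principal name:
-- principalsQuery must return a single column, the stored password.
SELECT passwd FROM users WHERE userid = 'prem';
-- rolesQuery must return (role name, role group); the 'Roles' group is the one
-- checked by @RolesAllowed and ctx.isCallerInRole() in HelloSSB.
SELECT role, 'Roles' FROM user_roles WHERE userid = 'prem';
```

The DDL is generic enough for the MySQL datasource bound at java:/mysql; with these rows, prem is routed to the admin branch of hello() and guest to the user branch, while any other userid is rejected by the container before the method body runs.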


