JAAS Principals problem
Posted: Tue Dec 13, 2005 7:17 pm
Hello,
I'm working on a forum application in Java. We have a server saving all users, topics, messages etc. We use java.rmi for the clients to post messages etc.
Before being able to post anything, users have to login. We use the JAAS technology for the authentication and authorization. A client logs in on the server and gets a Subject object in return. This object contains some Principals. If I understand correctly, the client will be able to execute stuff on the server according to which Principals the Subject contains.
At the client side there's an interface (which extends java.rmi.Remote) with this method:
At the server side an identical interface exists plus a class implementing the interface (and extending java.rmi.server.UnicastRemoteObject):
The server side has only knowledge of the interface IUserCallbackHandler (which extends javax.security.auth.callback.CallbackHandler) while the client side also has a class implementing this interface.
There's a config file (on server side) with these lines:
CaptchaAuthenticationModule is a class on the server side. It implements LoginModule and thus has the following method:
in which these lines of code are executed:
$subject is a javax.security.auth.Subject. AnonymousUserPrincipal implements java.security.Principal.
I think you have enough information now to understand my problem.
If we run our application and try to login, we get this:
This is because the client side has no knowledge of a AnonymousUserPrincipal. If we add the classes implementing java.security.Principal there is no problem. But I think that's not the right solution. The client must not have the Principal classes. Isn't it?
Any ideas?
Thanks!
I'm working on a forum application in Java. We have a server saving all users, topics, messages etc. We use java.rmi for the clients to post messages etc.
Before being able to post anything, users have to login. We use the JAAS technology for the authentication and authorization. A client logs in on the server and gets a Subject object in return. This object contains some Principals. If I understand correctly, the client will be able to execute stuff on the server according to which Principals the Subject contains.
At the client side there's an interface (which extends java.rmi.Remote) with this method:
Code: Select all
public Subject anonymousLogIn(IUserCallbackHandler callbackHandler) throws RemoteException;Code: Select all
public Subject anonymousLogIn(IUserCallbackHandler callbackHandler) throws RemoteException {
LoginContext loginContext = null;
try {
loginContext = new LoginContext("AnonymousLogin", callbackHandler);
loginContext.login();
} catch (LoginException le) {
le.printStackTrace();
return null;
}
return loginContext.getSubject();
}There's a config file (on server side) with these lines:
Code: Select all
AnonymousLogin {
authmodule.CaptchaAuthenticationModule required;
};Code: Select all
public boolean commit() throws LoginExceptionCode: Select all
Principal anonymousUserPrincipal = new AnonymousUserPrincipal("");
$subject.getPrincipals().add(anonymousUserPrincipal);I think you have enough information now to understand my problem.
If we run our application and try to login, we get this:
Code: Select all
java.rmi.UnmarshalException: error unmarshalling return; nested exception is:
java.lang.ClassNotFoundException: principals.AnonymousUserPrincipal (no security manager: RMI class loader disabled)
at sun.rmi.server.UnicastRef.invoke(Unknown Source)
at java.rmi.server.RemoteObjectInvocationHandler.invokeRemoteMethod(Unknown Source)
at java.rmi.server.RemoteObjectInvocationHandler.invoke(Unknown Source)
at $Proxy0.anonymousLogIn(Unknown Source)
at presentation.sysout.StartBaseAction.runAnonymousLogin(StartBaseAction.java:129)
at presentation.sysout.StartBaseAction.run(StartBaseAction.java:43)
at presentation.sysout.TextMain.start(TextMain.java:24)
at domain.core.Client.main(Client.java:17)
Caused by: java.lang.ClassNotFoundException: principals.AnonymousUserPrincipal (no security manager: RMI class loader disabled)
at sun.rmi.server.LoaderHandler.loadClass(Unknown Source)
at sun.rmi.server.LoaderHandler.loadClass(Unknown Source)
at java.rmi.server.RMIClassLoader$2.loadClass(Unknown Source)
at java.rmi.ser.......Any ideas?
Thanks!