
Key: BLZ-175
Type: Bug
Status: Closed
Resolution: Fixed
Assignee: hsee
Reporter: Jim Boone
Votes: 0
Watchers: 0
Project: BlazeDS
Created: 05/15/08 02:02 PM
Updated: 05/16/08 11:47 AM
Component/s: Configuration
Security Level: Public (All JIRA Users)
Severity: Usability Issue
Reproducibility: Every Time
Discoverability: Medium
Found in Version: BlazeDS 3.0.0
Milestone: BlazeDS 3.0.1
Affected OS(s): Windows - XP
Steps to Reproduce:
While attempting to secure destinations in JBoss 4.2.2 as described in the BlazeDS Developers Guide, I was not able to get authorization to work. I kept getting a Client.Authorization fault whenever I tried to access a protected destination even though the JBoss security and BlazeDS configuration files included the same user role. The Developers Guide says to "Use the TomcatLoginCommand class for Tomcat or JBoss". While this is true, the "server" key must be set correctly or it will not work. For example, the following WILL NOT WORK with JBoss 4.2.2, as is implied in the documentation and as some folks on the forum believe.
<login-command class="flex.messaging.security.TomcatLoginCommand" server="Tomcat" />
Instead, you must use the following to secure destinations on JBoss:
<login-command class="flex.messaging.security.TomcatLoginCommand" server="all" />
- or -
<login-command class="flex.messaging.security.TomcatLoginCommand" server="JBoss" />
Steps to reproduce:
1. Specify a login command as <login-command class="flex.messaging.security.TomcatLoginCommand" server="Tomcat" />
2. Secure a destination using a security constraint that includes a role
3. Use a simple JBoss security realm that implements a UsersRolesLoginModule, then add the user and roles to the appropriate properties file
4. Attempt to call a method on the secured destination and you will get a Client.Authorization fault
Actual Results:
When the endpoint attempts to authorize the user, the loginCommand in the MessageBroker is null. A null pointer exception is thrown when the code attempts to call the authorization method. This null pointer exception is wrapped in a Client.Authorization exception that is returned to the client. The cause of the problem is the null pointer, not an authorization problem like I was led to believe. You can see exactly what happens by using a debugger to trace through the code.
Expected Results:
* Blaze should warn the user through an exception or log entry that no login commands were found while configuring the MessageBroker servlet and that they should ensure the server key is correct for their web server.
* Documentation should include instructions to use the first part of the web server name or "all". Use "JBoss" or "all" for JBoss servers (this is what my JBoss version yields: JBossWeb/2.0.1.GA) since the actual BlazeDS code looks for a "startsWith" to match the server key with the actual web server name.
Workaround (if any):
Always use a server key of "all" if in doubt.
i.e. <login-command class="whatever class name" server="all" />
I will submit a patch for this if you want me to.
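The report above describes two things a practitioner should be able to check without a debugger: how a login-command's server key is matched against the container's server-info string (a prefix match, with "all" as a wildcard), and why a non-matching key produces a confusing Client.Authorization fault (the broker is left with no login command, and the failure surfaces later as a null pointer). The following is an added example, not BlazeDS code and not the reporter's patch: it models the matching described in the report over constructed services-config.xml fragments, shows the silent outcome (no match, result None) next to the strict variant the report asks for (fail at configuration time with a message naming the server keys that were configured). The function and exception names, and the Tomcat-keyed fragment, are this example's own; the JBoss server-info string is the one quoted in the report.

```python
"""Added example: matching a <login-command server="..."> key against the
servlet container's server-info string, as described in BLZ-175.

Assumptions (not taken from BlazeDS source): the prefix-match rule and the
"all" wildcard are as stated in the bug report; the XML fragments below are
constructed in the style of the <security> section of services-config.xml;
all function and class names are this example's own.
"""
import xml.etree.ElementTree as ET
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Server-info string quoted in the report for JBoss 4.2.2.
JBOSS_SERVER_INFO = "JBossWeb/2.0.1.GA"

# Constructed <security> fragments, one per server key discussed in the report.
CONFIG_TOMCAT_KEY = """<security>
  <login-command class="flex.messaging.security.TomcatLoginCommand" server="Tomcat"/>
</security>"""
CONFIG_JBOSS_KEY = CONFIG_TOMCAT_KEY.replace('server="Tomcat"', 'server="JBoss"')
CONFIG_ALL_KEY = CONFIG_TOMCAT_KEY.replace('server="Tomcat"', 'server="all"')


class LoginCommandConfigError(Exception):
    """Raised when no configured <login-command> matches the running container."""


@dataclass(frozen=True)
class LoginCommand:
    class_name: str
    server: str


def parse_login_commands(xml_text: str) -> List[LoginCommand]:
    """Collect every <login-command> element under the given fragment."""
    root = ET.fromstring(xml_text)
    return [LoginCommand(el.get("class", ""), el.get("server", ""))
            for el in root.iter("login-command")]


def server_key_matches(server_key: str, server_info: str) -> bool:
    """'all' matches any container; otherwise the container's server-info
    string must start with the key (the rule the report attributes to BlazeDS).
    With server_info 'JBossWeb/2.0.1.GA', 'JBoss' matches and 'Tomcat' does not."""
    return server_key == "all" or server_info.startswith(server_key)


def find_login_command(commands: List[LoginCommand],
                       server_info: str) -> Optional[LoginCommand]:
    """Silent variant: returns None when nothing matches. This is the situation
    the report describes, where the broker's loginCommand stays null and the
    first authorization attempt fails with a null pointer instead of a config error."""
    for cmd in commands:
        if server_key_matches(cmd.server, server_info):
            return cmd
    return None


def require_login_command(commands: List[LoginCommand],
                          server_info: str) -> LoginCommand:
    """Strict variant (what the report's Expected Results ask for): fail at
    configuration time with a message that names the configured keys."""
    cmd = find_login_command(commands, server_info)
    if cmd is None:
        keys = [c.server for c in commands]
        raise LoginCommandConfigError(
            f"no <login-command> matches server info {server_info!r}; "
            f"configured server keys: {keys}. Use the first part of the "
            f"server name (e.g. 'JBoss') or 'all'.")
    return cmd


def check_config(xml_text: str, server_info: str) -> Tuple[bool, str]:
    """Convenience wrapper: (True, matched class name) or (False, error message)."""
    try:
        return True, require_login_command(parse_login_commands(xml_text), server_info).class_name
    except LoginCommandConfigError as exc:
        return False, str(exc)


if __name__ == "__main__":
    for label, cfg in (("Tomcat", CONFIG_TOMCAT_KEY), ("JBoss", CONFIG_JBOSS_KEY), ("all", CONFIG_ALL_KEY)):
        print(f'server="{label}" on {JBOSS_SERVER_INFO}:', check_config(cfg, JBOSS_SERVER_INFO))
```

Run against the JBoss server-info string, only the "JBoss" and "all" keys resolve to a login command; the "Tomcat" key yields no match, which the silent variant reports as None and the strict variant turns into a configuration error listing the keys that were tried.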
Language Found: English
Bugbase Id: none
Triaged: Yes
Regression: No
QA Owner: hsee
Resolved by: Mete Atamel
Participants: hsee, Jim Boone, Mete Atamel and Trevor Baker
Browser: Firefox 2.x
JDK: Sun JDK 5
Application Server: JBoss Applications Server 4.2.x