Hi,
I have been struggling with JAAS based Authentication since a couple of days in
order to make it work with the following architecture
Standalone Tomcat : To be used to protected web resources using the JAASRealm
configured with the DatasourceLoginModule and ClientLoginModule
JBoss Application Server : The EJBs are secure and need to be executed only by
authorized users.
I have gone through almost all the relevant posting but am still having the
famous "principal=null" issue on the EJB layer. So I wrote a standalone client
which seems to be working seamlessly. I also tried the same setup using a
LoginAction which executes the login() method of the LoginContext object
explicitly, and this seems to be working fine too. I could use this approach,
but then I would have to verify each incoming request (on the web-container)
for authentication status.
As a basis for the tests I used the jaashow 3.2 examples after splitting it up
for the web and application layers.
The error that is thrown after executing the login on the web-layer (while
calling the echo() method on the public session is :
Tomcat Console output :
****************************************************
java.rmi.AccessException: SecurityException; nested exception is:
java.lang.SecurityException: Insufficient method permissions,
principal=null, ejbName=PublicSession, method=echo
, interface=REMOTE, requiredRoles=[Echo], principalRoles=[] ..
****************************************************
However, the request.getUserPrincipal returns : GenericPrincipal[java(Echo,)]
and I am permitted to use the "restricted"
resources available only to users with the "Echo" role-name.
My configuration is as follows :
Tomcat Standalone server.xml
****************************************************
Realm className="org.apache.catalina.realm.JAASRealm"
appName="jaasClientRealm"
****************************************************
Tomcat Standalone startup.bat
****************************************************
-Djava.security.auth.login.config=%CATALINA_HOME%/conf/jaasLogin.config
****************************************************
The jaasLogin.conf (JaasClientRealm) section configured for the following :
DatasourceLoginModule (working with a hsqldb datasource)
ClientLoginModule(???????????)
DummyLoginModule (A simple module that served as a marker whether the
configuration was functioning .. simply throws out System.out.println() on
execution)
****************************************************
jaasClientRealm{
org.jboss.security.auth.spi.DatabaseServerLoginModule required
dsJndiName="java:comp/env/jdbc/HsqldbDS"
principalsQuery="select PASSWORD from PRINCIPALS where PRINCIPALID=?"
rolesQuery="select ROLE, ROLEGROUP from ROLES where PRINCIPALID=?"
unauthenticatedIdentity=nobody
;
org.jboss.security.ClientLoginModule required multi-threaded="false"
restore-login-identity="false" password-stacking="useFirstPass"
;
de.msg.security.jaas.modules.DummyLoginModule required
;
};
****************************************************
As I mentioned earlier, the execution of the EJB methods functions flawlessly
from a standalone client or if I use a LoginAction to explicitly call the login
method.
I first thought it might have something to do with the multi-threaded parameter
of the ClientLoginModule but setting it to "true" didn't help either.
Enabling the logging for org.jboss.security on the server side throws the
following :
****************************************************
LoginModule Class: org.jboss.security.auth.spi.UsersRolesLoginModule
ControlFlag: Anmeldemodul-Steuerflag: required
Options:
19:28:54,333 TRACE [UsersRolesLoginModule] initialize, [EMAIL PROTECTED]
19:28:54,343 TRACE [UsersRolesLoginModule] findResource: null
19:28:54,353 TRACE [UsersRolesLoginModule] Properties
file=jar:file:/D:/projekte/APKV/AppS/jboss-4.0.3SP1/server/jaas_ho
wto/tmp/deploy/tmp58598tutorial1.ear-contents/ssbean1.jar!/users.properties,
defaults=null
19:28:54,363 DEBUG [UsersRolesLoginModule] Loaded properties, users=[ngyamlani,
duke, java]
19:28:54,363 TRACE [UsersRolesLoginModule] findResource: null
19:28:54,373 TRACE [UsersRolesLoginModule] Properties
file=jar:file:/D:/projekte/APKV/AppS/jboss-4.0.3SP1/server/jaas_ho
wto/tmp/deploy/tmp58598tutorial1.ear-contents/ssbean1.jar!/roles.properties,
defaults=null
19:28:54,373 DEBUG [UsersRolesLoginModule] Loaded properties,
users=[n_gyamlani, n_gyamlani.CallerPrincipal, duke, java,
java.CallerPrincipal, duke.CallerPrincipal]
19:28:54,373 TRACE [UsersRolesLoginModule] login
19:28:54,373 TRACE [UsersRolesLoginModule] Authenticating as
unauthenticatedIdentity=null
19:28:54,373 DEBUG [UsersRolesLoginModule] Bad password for username=null
19:28:54,373 TRACE [UsersRolesLoginModule] abort
19:28:54,393 TRACE [example1] Login failure
javax.security.auth.login.FailedLoginException: Password Incorrect/Password
Required
at
org.jboss.security.auth.spi.UsernamePasswordLoginModule.login(UsernamePasswordLoginModule.java:189)
at
org.jboss.security.auth.spi.UsersRolesLoginModule.login(UsersRolesLoginModule.java:137)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at
sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
at
sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
at java.lang.reflect.Method.invoke(Method.java:324)
at javax.security.auth.login.LoginContext.invoke(LoginContext.java:675)
at
javax.security.auth.login.LoginContext.access$000(LoginContext.java:129)
at javax.security.auth.login.LoginContext$4.run(LoginContext.java:610)
at java.security.AccessController.doPrivileged(Native Method)
at
javax.security.auth.login.LoginContext.invokeModule(LoginContext.java:607)
at javax.security.auth.login.LoginContext.login(LoginContext.java:534)
at
org.jboss.security.plugins.JaasSecurityManager.defaultLogin(JaasSecurityManager.java:572)
at
org.jboss.security.plugins.JaasSecurityManager.authenticate(JaasSecurityManager.java:506)
at
org.jboss.security.plugins.JaasSecurityManager.isValid(JaasSecurityManager.java:315)
at
org.jboss.ejb.plugins.SecurityInterceptor.checkSecurityAssociation(SecurityInterceptor.java:196)
at
org.jboss.ejb.plugins.SecurityInterceptor.invokeHome(SecurityInterceptor.java:120)
at
org.jboss.ejb.plugins.LogInterceptor.invokeHome(LogInterceptor.java:121)
at
org.jboss.ejb.plugins.ProxyFactoryFinderInterceptor.invokeHome(ProxyFactoryFinderInterceptor.java:93)
at
org.jboss.ejb.SessionContainer.internalInvokeHome(SessionContainer.java:613)
at org.jboss.ejb.Container.invoke(Container.java:894)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at
sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
at
sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
at java.lang.reflect.Method.invoke(Method.java:324)
at
org.jboss.mx.interceptor.ReflectedDispatcher.invoke(ReflectedDispatcher.java:141)
at org.jboss.mx.server.Invocation.dispatch(Invocation.java:80)
at org.jboss.mx.server.Invocation.invoke(Invocation.java:72)
at
org.jboss.mx.server.AbstractMBeanInvoker.invoke(AbstractMBeanInvoker.java:245)
at org.jboss.mx.server.MBeanServerImpl.invoke(MBeanServerImpl.java:644)
at
org.jboss.invocation.jrmp.server.JRMPInvoker$MBeanServerAction.invoke(JRMPInvoker.java:805)
at
org.jboss.invocation.jrmp.server.JRMPInvoker.invoke(JRMPInvoker.java:406)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at
sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
at
sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
at java.lang.reflect.Method.invoke(Method.java:324)
at sun.rmi.server.UnicastServerRef.dispatch(UnicastServerRef.java:261)
at sun.rmi.transport.Transport$1.run(Transport.java:148)
at java.security.AccessController.doPrivileged(Native Method)
at sun.rmi.transport.Transport.serviceCall(Transport.java:144)
at
sun.rmi.transport.tcp.TCPTransport.handleMessages(TCPTransport.java:460)
at
sun.rmi.transport.tcp.TCPTransport$ConnectionHandler.run(TCPTransport.java:701)
at java.lang.Thread.run(Thread.java:534)
************************************************************
And the output when I use the standalone client to access the ejb with username
= java and password = echoman
************************************************************
19:35:43,711 TRACE [example1] roles=Roles(members:Echo)
19:35:43,711 TRACE [example1] hasRole(Echo)=true
19:35:43,711 TRACE [example1] hasRole=true
19:35:43,711 INFO [STDOUT] PublicSessionBean.echo,
isCallerInRole('EchoUser')=true
19:35:43,731 TRACE [SecurityAssociation] getPrincipal, principal=java
19:35:43,751 TRACE [SecurityAssociation] dupSubjectContext, [EMAIL PROTECTED]
621{principal=java,subject=31702966}
19:35:43,751 TRACE [SecurityAssociation] pushRunAsIdentity, runAs=null
19:35:43,751 DEBUG [StatefulSessionContainer] Created new session ID: ejpzk64n-4
19:35:43,751 DEBUG [StatefulSessionContainer] Using create method for session:
public void org.jboss.docs.jaas.howto.Pri
vateSessionBean.ejbCreate() throws javax.ejb.CreateException
19:35:43,751 INFO [STDOUT] PrivateSessionBean.ejbCreate() called
19:35:43,751 DEBUG [ProxyFactory] seting invoker proxy binding for stateful
session: stateful-rmi-invoker
19:35:43,751 TRACE [SecurityAssociation] popRunAsIdentity, runAs=null
19:35:43,751 TRACE [SecurityAssociation] popSubjectContext, [EMAIL PROTECTED]
621{principal=java,subject=31702966}
19:35:43,751 INFO [STDOUT] PublicSessionBean.echo, created PrivateSession
19:35:43,761 TRACE [SecurityAssociation] getPrincipal, principal=java
19:35:43,761 TRACE [SecurityAssociation] pushSubjectContext, subject=null,
sc=org.jboss.security.SecurityAssociation$Sub
[EMAIL PROTECTED],subject=null}
19:35:43,772 TRACE [SecurityAssociation] dupSubjectContext, [EMAIL PROTECTED]
fce{principal=java,subject=null}
19:35:43,772 TRACE [SecurityAssociation] pushRunAsIdentity, runAs=null
19:35:43,772 INFO [STDOUT] PrivateSessionBean.echo, arg=Hello Motto
19:35:43,772 TRACE [example1] getPrincipal, cache info: [EMAIL PROTECTED]
b[Subject(14227847)[EMAIL PROTECTED](java)[EMAIL PROTECTED](R
oles(members:Echo))[EMAIL
PROTECTED](CallerPrincipal(members:caller_java)),[EMAIL PROTECTED]
1630,expirationTime=1140030320077]
19:35:43,772 INFO [STDOUT] PrivateSessionBean.echo, callerPrincipal=caller_java
19:35:43,772 INFO [STDOUT] PrivateSessionBean.echo,
isCallerInRole('InternalUser')=true
19:35:43,772 TRACE [SecurityAssociation] popRunAsIdentity, runAs=null
19:35:43,772 TRACE [SecurityAssociation] popSubjectContext, [EMAIL PROTECTED]
fce{principal=java,subject=null}
19:35:43,772 TRACE [SecurityAssociation] popSubjectContext, [EMAIL PROTECTED]
fce{principal=java,subject=null}
19:35:43,772 TRACE [SecurityAssociation] popRunAsIdentity,
runAs=[roles=[InternalUser],principal=anonymous]
19:35:43,772 TRACE [SecurityAssociation] popSubjectContext, [EMAIL PROTECTED]
621{principal=java,subject=31702966}
19:37:03,716 DEBUG [LRUEnterpriseContextCachePolicy] Running RemoverTask
19:37:03,716 DEBUG [LRUEnterpriseContextCachePolicy] RemoverTask,
PassivatedCount=0
19:37:03,716 DEBUG [AbstractInstanceCache] removePassivated, now=1140028623716,
maxLifeAfterPassivation=1200000
19:37:03,716 DEBUG [LRUEnterpriseContextCachePolicy] RemoverTask, done
*****************************************************
Would really really appreciate any help or guidance concerning the above.
Thanks in advance
Nikhil
View the original post :
http://www.jboss.com/index.html?module=bb&op=viewtopic&p=3923999#3923999
Reply to the post :
http://www.jboss.com/index.html?module=bb&op=posting&mode=reply&p=3923999
-------------------------------------------------------
This SF.net email is sponsored by: Splunk Inc. Do you grep through log files
for problems? Stop! Download the new AJAX search engine that makes
searching your log files as easy as surfing the web. DOWNLOAD SPLUNK!
http://sel.as-us.falkag.net/sel?cmd=lnk&kid=103432&bid=230486&dat=121642
_______________________________________________
JBoss-user mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/jboss-user
