RE: [JBoss-dev] security exception in 2.4 final
Could anybody reproduce this error? I would very much appreciate any help because I need to update my application to 2.4 final!

With rel 23 I sometimes run (can't reproduce it after a restart of jBoss) into this error:

[Default] java.lang.IllegalStateException: No transaction.
[Default] at org.jboss.tm.TransactionImpl.registerSynchronization(TransactionImpl.java:135)

I got the hint that this may be an error fixed in the final release.

Andreas

-----Original Message-----
From: Schouten, Andreas [SMTP:[EMAIL PROTECTED]]
Sent: 28 August 2001 11:58
To: [EMAIL PROTECTED]
Subject: RE: [JBoss-dev] security exception in 2.4 final

Hi Scott,

the error is not in the DatabaseServerLoginModule. The username being passed to it is null (or null). The error only occurs if the container creates a new instance of the called stateless session bean. I stored a timestamp as a member variable in the SB and print it on every call. As long as this instance is used no security exception occurs.

You should be able to reproduce the problem if you include a sequence of jsp includes in a jsp.

<jsp:include page="test.jsp" flush="true">
  <jsp:param name="name" value="d1"/>
</jsp:include>
<jsp:include page="test.jsp" flush="true">
  <jsp:param name="name" value="d2"/>
</jsp:include>
<jsp:include page="test.jsp" flush="true">
  <jsp:param name="name" value="d3"/>
</jsp:include>
<jsp:include page="test.jsp" flush="true">
  <jsp:param name="name" value="d4"/>
</jsp:include>

where test.jsp looks up a stateless session bean which responds with data from an entity bean. The data is displayed correctly once but the next includes cause the security exception. With jBoss rel 23 the includes are processed correctly, each with its own instance of the SB.

Andreas

-----Original Message-----
From: Scott M Stark [SMTP:[EMAIL PROTECTED]]
Sent: 24 August 2001 17:15
To: [EMAIL PROTECTED]
Subject: Re: [JBoss-dev] security exception in 2.4 final

That doesn't narrow the issue down as I can perform this type of access pattern without seeing a problem.

What is the username/principal being passed to the DatabaseServerLoginModule for authentication when you see the failure? If you have a test ear that reproduces the problem I can look into the issue myself.

----- Original Message -----
From: Schouten, Andreas [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Friday, August 24, 2001 1:35 AM
Subject: RE: [JBoss-dev] security exception in 2.4 final

I reproduced the error today.

back to 2.4.0.23 o.k - 2.4.0.26 failed - 2.4.0.23 o.k - 2.4.0 failed

First I copied my jboss.jcml from the 23 release, but in the last test I merged my configuration into the jBoss.jcml from the final release.

I will describe the steps leading to the error more; perhaps you can give me a hint how I can locate the problem.

1. Login with a customised login page. - successful
2. The first page contains only data from tomcat (no remote calls)
3. The second page is generated with several remote calls. Several stateless SB's and EB's are created.
4. The generation of the third (this is the second thread which calls beans) fails with the security exception.

-----Original Message-----
From: Scott M Stark [SMTP:[EMAIL PROTECTED]]
Sent: 23 August 2001 21:04
To: [EMAIL PROTECTED]
Subject: Re: [JBoss-dev] security exception in 2.4 final

This is the binary I am using for the JBossStore site and I don't see this problem for restricted content. The example2 in the JAAS tutorial also uses the DatabaseServerLoginModule and creates a stateless session bean on each access and this does not show this problem. Is the username in the database when this starts to fail?

___
Jboss-development mailing list
[EMAIL PROTECTED]
http://lists.sourceforge.net/lists/listinfo/jboss-development
Re: [JBoss-dev] security exception in 2.4 final
I have verified the issue using the indicated type of jsp page. A fix has been committed to the 2.4 branch and will be in the next 2.4.x release.

----- Original Message -----
From: Schouten, Andreas [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Tuesday, August 28, 2001 2:57 AM
Subject: RE: [JBoss-dev] security exception in 2.4 final

Hi Scott,

the error is not in the DatabaseServerLoginModule. The username being passed to it is null (or null). The error only occurs if the container creates a new instance of the called stateless session bean. I stored a timestamp as a member variable in the SB and print it on every call. As long as this instance is used no security exception occurs.

You should be able to reproduce the problem if you include a sequence of jsp includes in a jsp.

<jsp:include page="test.jsp" flush="true">
  <jsp:param name="name" value="d1"/>
</jsp:include>
<jsp:include page="test.jsp" flush="true">
  <jsp:param name="name" value="d2"/>
</jsp:include>
<jsp:include page="test.jsp" flush="true">
  <jsp:param name="name" value="d3"/>
</jsp:include>
<jsp:include page="test.jsp" flush="true">
  <jsp:param name="name" value="d4"/>
</jsp:include>

where test.jsp looks up a stateless session bean which responds with data from an entity bean. The data is displayed correctly once but the next includes cause the security exception. With jBoss rel 23 the includes are processed correctly, each with its own instance of the SB.

Andreas
RE: [JBoss-dev] security exception in 2.4 final
I reproduced the error today.

back to 2.4.0.23 o.k - 2.4.0.26 failed - 2.4.0.23 o.k - 2.4.0 failed

First I copied my jboss.jcml from the 23 release, but in the last test I merged my configuration into the jBoss.jcml from the final release.

I will describe the steps leading to the error more; perhaps you can give me a hint how I can locate the problem.

1. Login with a customised login page. - successful
2. The first page contains only data from tomcat (no remote calls)
3. The second page is generated with several remote calls. Several stateless SB's and EB's are created.
4. The generation of the third (this is the second thread which calls beans) fails with the security exception.

-----Original Message-----
From: Scott M Stark [SMTP:[EMAIL PROTECTED]]
Sent: 23 August 2001 21:04
To: [EMAIL PROTECTED]
Subject: Re: [JBoss-dev] security exception in 2.4 final

This is the binary I am using for the JBossStore site and I don't see this problem for restricted content. The example2 in the JAAS tutorial also uses the DatabaseServerLoginModule and creates a stateless session bean on each access and this does not show this problem. Is the username in the database when this starts to fail?

----- Original Message -----
From: Schouten, Andreas [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Cc: Kracke, Guido [EMAIL PROTECTED]
Sent: Thursday, August 23, 2001 12:58 AM
Subject: [JBoss-dev] security exception in 2.4 final

Hello,

today I upgraded from 2.4.0.23 to 2.4.0 (file JBoss-2.4.0_Tomcat-3.2.3.zip). We use integrated tomcat and jaas security. The first login is successful; calling a stateless session bean is also successful. But when a second instance of this bean is created a security exception occurs. The username seems to be lost.

(The same ear works under 2.4.0.23)

[Default] Found StatelessSessionHome // after lookup the home interface
[Default] javax.security.auth.login.FailedLoginException: No matching username found in Principals
[Default] at org.jboss.security.auth.spi.DatabaseServerLoginModule.getUsersPassword(DatabaseServerLoginModule.java:96)
[Default] at org.jboss.security.auth.spi.UsernamePasswordLoginModule.login(UsernamePasswordLoginModule.java:103)
[Default] at java.lang.reflect.Method.invoke(Native Method)
[Default] at javax.security.auth.login.LoginContext.invoke(LoginContext.java:595)
[Default] at javax.security.auth.login.LoginContext.access$000(LoginContext.java:125)
[Default] at javax.security.auth.login.LoginContext$3.run(LoginContext.java:531)
[Default] at java.security.AccessController.doPrivileged(Native Method)
[Default] at javax.security.auth.login.LoginContext.invokeModule(LoginContext.java:528)
[Default] at javax.security.auth.login.LoginContext.login(LoginContext.java:449)
[Default] at org.jboss.security.plugins.JaasSecurityManager.defaultLogin(JaasSecurityManager.java:362)
[Default] at org.jboss.security.plugins.JaasSecurityManager.authenticate(JaasSecurityManager.java:328)
[Default] at org.jboss.security.plugins.JaasSecurityManager.isValid(JaasSecurityManager.java:215)
[Default] at org.jboss.ejb.plugins.SecurityInterceptor.checkSecurityAssociation(SecurityInterceptor.java:164)
[Default] at org.jboss.ejb.plugins.SecurityInterceptor.invokeHome(SecurityInterceptor.java:92)
[Default] at org.jboss.ejb.plugins.LogInterceptor.invokeHome(LogInterceptor.java:106)
[Default] at org.jboss.ejb.StatelessSessionContainer.invokeHome(StatelessSessionContainer.java:268)
[Default] at org.jboss.ejb.plugins.jrmp.server.JRMPContainerInvoker.invokeHome(JRMPContainerInvoker.java:437)
[Default] at org.jboss.ejb.plugins.jrmp.interfaces.HomeProxy.invokeHome(HomeProxy.java:237)
[Default] at org.jboss.ejb.plugins.jrmp.interfaces.HomeProxy.invoke(HomeProxy.java:182)
[Default] at $Proxy31.create(Unknown Source)
[Default] at eacm.jspData.EjbServer.getEACMSession(EjbServer.java:54) //this calls the stateless SB from jsp client

Andreas

If you have received this e-mail in error or wish to read our e-mail disclaimer statement and monitoring policy, please refer to http://www.drkw.com/disc/email/ or contact the sender.
Re: [JBoss-dev] security exception in 2.4 final
That doesn't narrow the issue down as I can perform this type of access pattern without seeing a problem.

What is the username/principal being passed to the DatabaseServerLoginModule for authentication when you see the failure? If you have a test ear that reproduces the problem I can look into the issue myself.

----- Original Message -----
From: Schouten, Andreas [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Friday, August 24, 2001 1:35 AM
Subject: RE: [JBoss-dev] security exception in 2.4 final

I reproduced the error today.

back to 2.4.0.23 o.k - 2.4.0.26 failed - 2.4.0.23 o.k - 2.4.0 failed

First I copied my jboss.jcml from the 23 release, but in the last test I merged my configuration into the jBoss.jcml from the final release.

I will describe the steps leading to the error more; perhaps you can give me a hint how I can locate the problem.

1. Login with a customised login page. - successful
2. The first page contains only data from tomcat (no remote calls)
3. The second page is generated with several remote calls. Several stateless SB's and EB's are created.
4. The generation of the third (this is the second thread which calls beans) fails with the security exception.

-----Original Message-----
From: Scott M Stark [SMTP:[EMAIL PROTECTED]]
Sent: 23 August 2001 21:04
To: [EMAIL PROTECTED]
Subject: Re: [JBoss-dev] security exception in 2.4 final

This is the binary I am using for the JBossStore site and I don't see this problem for restricted content. The example2 in the JAAS tutorial also uses the DatabaseServerLoginModule and creates a stateless session bean on each access and this does not show this problem. Is the username in the database when this starts to fail?
Re: [JBoss-dev] security exception in 2.4 final
Schouten, Andreas wrote:

> Hello,
>
> today I upgraded from 2.4.0.23 to 2.4.0 (file JBoss-2.4.0_Tomcat-3.2.3.zip). We use integrated tomcat and jaas security. The first login is successful; calling a stateless session bean is also successful. But when a second instance of this bean is created a security exception occurs. The username seems to be lost.
>
> (The same ear works under 2.4.0.23)

This sounds very similar to the problem I posted to the security forum yesterday. I get exactly the same exception, but in my case it isn't losing the username - it throws the exception before the login occurs and before the principal has been set. As soon as the user attempts to access a web URL which has a security constraint applied, the exception occurs and then the login goes ahead. Thereafter everything proceeds as normal - I can make as many requests as I want without any further problems ...

Luke.

> [Default] Found StatelessSessionHome // after lookup the home interface
> [Default] javax.security.auth.login.FailedLoginException: No matching username found in Principals
> [Default] at org.jboss.security.auth.spi.DatabaseServerLoginModule.getUsersPassword(DatabaseServerLoginModule.java:96)
RE: [JBoss-dev] security exception in 2.4 final
Hi Luke,

what you are describing is the normal behavior. First tomcat gets a request without login information on a secured page. It tries to authenticate a user with null name and pwd. After the authentication failed, tomcat rejects the request to the login screen. Maybe a future version of tomcat will fix this and reject requests without username directly to the login screen. jboss could only suppress the stack trace in this case.

Andreas

P.S.: Do you use 2.4 final too?

-----Original Message-----
From: Luke Taylor [SMTP:[EMAIL PROTECTED]]
Sent: 23 August 2001 11:10
To: [EMAIL PROTECTED]
Subject: Re: [JBoss-dev] security exception in 2.4 final

Schouten, Andreas wrote:

> Hello,
>
> today I upgraded from 2.4.0.23 to 2.4.0 (file JBoss-2.4.0_Tomcat-3.2.3.zip). We use integrated tomcat and jaas security. The first login is successful; calling a stateless session bean is also successful. But when a second instance of this bean is created a security exception occurs. The username seems to be lost.
>
> (The same ear works under 2.4.0.23)

This sounds very similar to the problem I posted to the security forum yesterday. I get exactly the same exception, but in my case it isn't losing the username - it throws the exception before the login occurs and before the principal has been set. As soon as the user attempts to access a web URL which has a security constraint applied, the exception occurs and then the login goes ahead. Thereafter everything proceeds as normal - I can make as many requests as I want without any further problems ...

Luke.

> [Default] Found StatelessSessionHome // after lookup the home interface
> [Default] javax.security.auth.login.FailedLoginException: No matching username found in Principals
> [Default] at org.jboss.security.auth.spi.DatabaseServerLoginModule.getUsersPassword(DatabaseServerLoginModule.java:96)
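The two situations discussed in this thread produce the same FailedLoginException, so a log review has to look at the frames beneath it to see which container path asked for authentication. The following is an added example, not part of the original messages or of JBoss; the function names are hypothetical and the sample log is constructed from the frames quoted in the thread.

```python
import re

# Constructed sample. Frames are copied (shortened) from the trace quoted in
# this thread; the second trace stops after one frame, as in Luke's post.
SAMPLE_LOG = """\
[Default] Found StatelessSessionHome
[Default] javax.security.auth.login.FailedLoginException: No matching username found in Principals
[Default] at org.jboss.security.auth.spi.DatabaseServerLoginModule.getUsersPassword(DatabaseServerLoginModule.java:96)
[Default] at org.jboss.security.plugins.JaasSecurityManager.isValid(JaasSecurityManager.java:215)
[Default] at org.jboss.ejb.plugins.SecurityInterceptor.checkSecurityAssociation(SecurityInterceptor.java:164)
[Default] at org.jboss.ejb.plugins.SecurityInterceptor.invokeHome(SecurityInterceptor.java:92)
[Default] at org.jboss.ejb.StatelessSessionContainer.invokeHome(StatelessSessionContainer.java:268)
[Default] at $Proxy31.create(Unknown Source)
[Default] javax.security.auth.login.FailedLoginException: No matching username found in Principals
[Default] at org.jboss.security.auth.spi.DatabaseServerLoginModule.getUsersPassword(DatabaseServerLoginModule.java:96)
"""

PREFIX = re.compile(r"^\[[^\]]+\]\s*")                    # "[Default] " category tag
FRAME = re.compile(r"^at\s+([\w.$]+)\.([\w$<>]+)\(")      # class, method
EXC = re.compile(r"^([\w.$]+(?:Exception|Error))(?::\s*(.*))?$")

def parse_traces(log):
    """Group 'at ...' lines under the exception line that precedes them."""
    traces, current = [], None
    for raw in log.splitlines():
        line = PREFIX.sub("", raw.strip())
        frame, exc = FRAME.match(line), EXC.match(line)
        if frame and current is not None:
            current["frames"].append((frame.group(1), frame.group(2)))
        elif exc:
            current = {"exception": exc.group(1),
                       "message": exc.group(2) or "", "frames": []}
            traces.append(current)
        else:
            current = None  # ordinary log line ends the current trace
    return traces

def classify(trace):
    """Name the container path that triggered the authentication attempt."""
    if not trace["exception"].endswith("FailedLoginException"):
        return "not-an-auth-failure"
    gate = [m for c, m in trace["frames"]
            if c == "org.jboss.ejb.plugins.SecurityInterceptor"]
    if not gate:
        # Assumption: without the EJB interceptor frame the caller is unknown.
        return "entry-point-not-in-trace"
    container = next((c for c, _ in trace["frames"] if c.endswith("Container")), "?")
    return f"ejb-call:{gate[-1]}:{container.rsplit('.', 1)[-1]}"

def summarize(log):
    return [classify(t) for t in parse_traces(log)]
```

A truncated trace such as the one in Luke's post cannot be attributed to either path, which is why the second result stays unclassified.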
Re: [JBoss-dev] security exception in 2.4 final
This is the binary I am using for the JBossStore site and I don't see this problem for restricted content. The example2 in the JAAS tutorial also uses the DatabaseServerLoginModule and creates a stateless session bean on each access and this does not show this problem. Is the username in the database when this starts to fail?

----- Original Message -----
From: Schouten, Andreas [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Cc: Kracke, Guido [EMAIL PROTECTED]
Sent: Thursday, August 23, 2001 12:58 AM
Subject: [JBoss-dev] security exception in 2.4 final

Hello,

today I upgraded from 2.4.0.23 to 2.4.0 (file JBoss-2.4.0_Tomcat-3.2.3.zip). We use integrated tomcat and jaas security. The first login is successful; calling a stateless session bean is also successful. But when a second instance of this bean is created a security exception occurs. The username seems to be lost.

(The same ear works under 2.4.0.23)

[Default] Found StatelessSessionHome // after lookup the home interface
[Default] javax.security.auth.login.FailedLoginException: No matching username found in Principals
[Default] at org.jboss.security.auth.spi.DatabaseServerLoginModule.getUsersPassword(DatabaseServerLoginModule.java:96)
[Default] at org.jboss.security.auth.spi.UsernamePasswordLoginModule.login(UsernamePasswordLoginModule.java:103)
[Default] at java.lang.reflect.Method.invoke(Native Method)
[Default] at javax.security.auth.login.LoginContext.invoke(LoginContext.java:595)
[Default] at javax.security.auth.login.LoginContext.access$000(LoginContext.java:125)
[Default] at javax.security.auth.login.LoginContext$3.run(LoginContext.java:531)
[Default] at java.security.AccessController.doPrivileged(Native Method)
[Default] at javax.security.auth.login.LoginContext.invokeModule(LoginContext.java:528)
[Default] at javax.security.auth.login.LoginContext.login(LoginContext.java:449)
[Default] at org.jboss.security.plugins.JaasSecurityManager.defaultLogin(JaasSecurityManager.java:362)
[Default] at org.jboss.security.plugins.JaasSecurityManager.authenticate(JaasSecurityManager.java:328)
[Default] at org.jboss.security.plugins.JaasSecurityManager.isValid(JaasSecurityManager.java:215)
[Default] at org.jboss.ejb.plugins.SecurityInterceptor.checkSecurityAssociation(SecurityInterceptor.java:164)
[Default] at org.jboss.ejb.plugins.SecurityInterceptor.invokeHome(SecurityInterceptor.java:92)
[Default] at org.jboss.ejb.plugins.LogInterceptor.invokeHome(LogInterceptor.java:106)
[Default] at org.jboss.ejb.StatelessSessionContainer.invokeHome(StatelessSessionContainer.java:268)
[Default] at org.jboss.ejb.plugins.jrmp.server.JRMPContainerInvoker.invokeHome(JRMPContainerInvoker.java:437)
[Default] at org.jboss.ejb.plugins.jrmp.interfaces.HomeProxy.invokeHome(HomeProxy.java:237)
[Default] at org.jboss.ejb.plugins.jrmp.interfaces.HomeProxy.invoke(HomeProxy.java:182)
[Default] at $Proxy31.create(Unknown Source)
[Default] at eacm.jspData.EjbServer.getEACMSession(EjbServer.java:54) //this calls the stateless SB from jsp client

Andreas