JAAS/ClassLoader questions

2001-03-12 Thread Roby Gamboa

Hi, folks:

I'm trying to work out a variation of what appears to be a problem
previously encountered via JNDI/JMS and Tomcat. My specific
configuration has a little bit of a different slant, though. I'm
attempting to follow this route:

JSP-JAAS-EJB-database

Previously, I was able to use a JSP to retrieve data through an entity
EJB and it worked fine. When I started working with authentication via
JAAS, I bundled a .jar file with my security classes, including the
LoginModule-derived class that would be used to authenticate a user, and
included it in my webapp/WEB-INF/lib directory.

When I attempt to authenticate via the JSP, however, I get the following
exception:

Error: 500

Location: /scheduler/Login.jsp

Internal Servlet Error:

javax.servlet.ServletException: unable to find LoginModule class: org.sofbex.security.login.SchedulerModule
    at org.apache.jasper.runtime.PageContextImpl.handlePageException(PageContextImpl.java:457)
    at Login_1._jspService(Login_1.java:110)
    at org.apache.jasper.runtime.HttpJspBase.service(HttpJspBase.java:119)
    at javax.servlet.http.HttpServlet.service(HttpServlet.java)
    at org.apache.tomcat.facade.ServletHandler.doService(ServletHandler.java:500)
    at org.apache.tomcat.core.Handler.service(Handler.java:226)
    at org.apache.tomcat.facade.ServletHandler.service(ServletHandler.java:448)
    at org.apache.tomcat.core.ContextManager.internalService(ContextManager.java:777)
    at org.apache.tomcat.core.ContextManager.service(ContextManager.java:699)
    at org.apache.tomcat.modules.server.Http10Interceptor.processConnection(Http10Interceptor.java:142)
    at org.apache.tomcat.util.net.TcpWorkerThread.runIt(PoolTcpEndpoint.java:426)
    at org.apache.tomcat.util.threads.ThreadPool$ControlRunnable.run(ThreadPool.java:497)
    at java.lang.Thread.run(Thread.java:484)
Root cause:
javax.security.auth.login.LoginException: unable to find LoginModule class: org.sofbex.security.login.SchedulerModule
    at javax.security.auth.login.LoginContext.invoke(LoginContext.java:649)
    at javax.security.auth.login.LoginContext.access$000(LoginContext.java:124)
    at javax.security.auth.login.LoginContext$3.run(LoginContext.java:530)
    at java.security.AccessController.doPrivileged(Native Method)
    at javax.security.auth.login.LoginContext.invokeModule(LoginContext.java:527)
    at javax.security.auth.login.LoginContext.login(LoginContext.java:448)
    at Login_1._jspService(Login_1.java:81)
    at org.apache.jasper.runtime.HttpJspBase.service(HttpJspBase.java:119)
    at javax.servlet.http.HttpServlet.service(HttpServlet.java)
    at org.apache.tomcat.facade.ServletHandler.doService(ServletHandler.java:500)
    at org.apache.tomcat.core.Handler.service(Handler.java:226)
    at org.apache.tomcat.facade.ServletHandler.service(ServletHandler.java:448)
    at org.apache.tomcat.core.ContextManager.internalService(ContextManager.java:777)
    at org.apache.tomcat.core.ContextManager.service(ContextManager.java:699)
    at org.apache.tomcat.modules.server.Http10Interceptor.processConnection(Http10Interceptor.java:142)
    at org.apache.tomcat.util.net.TcpWorkerThread.runIt(PoolTcpEndpoint.java:426)
    at org.apache.tomcat.util.threads.ThreadPool$ControlRunnable.run(ThreadPool.java:497)
    at java.lang.Thread.run(Thread.java:484)

As I said, the org.sofbex.security.login.SchedulerModule class is
included in security.jar, which is in the webapp/WEB-INF/lib directory.
The jaas.jar and jaas_lm.jar files (supplied by the IBM JAAS for Linux
implementation) are also included in the lib directory.

I had written a main() method into the SchedulerModule class to test its
operation, and it worked fine, so I don't think it's a security issue. I
checked the supplied tomcat.policy file and added full security
permissions for the webapp directory and below, to no avail.

Was there a resolution found for this problem?

Thanks for your help.

Roby Gamboa



-
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, email: [EMAIL PROTECTED]




Re: JAAS/ClassLoader questions

2001-03-12 Thread Roby Gamboa

It doesn't look like this approach will work. JAAS=Java Authentication and
Authorization Service, a Sun Java extension
(http://java.sun.com/products/jaas).

For authentication, you construct a module for handling authentication services
for your application, and it has to implement
javax.security.auth.spi.LoginModule from jaas.jar. In my case, this was the
class that wasn't found in the original exception trace that I posted.

In addition, you have to add entries for 'providers' to the java.security file,
like so:

login.configuration.provider=com.ibm.security.auth.login.ConfigFile

login.config.url.1=file:/opt/Projects/Scheduler/webapp/WEB-INF/lib/scheduler.conf

auth.policy.provider=com.ibm.security.auth.PolicyFile

auth.policy.url.1=file:/opt/Projects/Scheduler/webapp/WEB-INF/lib/scheduler.policy

In this case, IBM has supplied the JAAS implementation for Linux (Sun only has
Windows and Solaris implementations available). The problem is that neither of
the classes mentioned implements java.security.Provider, so they can't be added
via Security.addProvider().

You then construct the configuration and policy files referenced. In the
configuration file indicated above, I've got the following entry:

Scheduler {
    org.sofbex.security.login.SchedulerModule Required repository=schedule;
};

The format is:

[Application] {
    [Login Module] [Constraint] [Options];
    ...
};

In my case, I'm only using one type of login module for authentication
purposes, SchedulerModule.

Although these classes provide the mechanism for getting at the security
configuration and policy, the class that manages access to the JAAS portion of
the security framework is javax.security.auth.login.LoginContext. You create a
new instance of this class, using your application's name as entered in the
.conf file indicated above ('Scheduler', in my case). When I attempt to
instantiate the LoginContext object, I get the exception that I referenced in
my original message.

Are there alternate mechanisms for loading providers?

- Roby

David Wall wrote:

> > I'm trying to work out a variation of what appears to be a problem
> > previously encountered via JNDI/JMS and Tomcat. My specific
> > configuration has a little bit of a different slant, though. I'm
> > attempting to follow this route:
> >
> > JSP-JAAS-EJB-database
>
> I figured out a work-around for JNDI/JMS.  Actually, in my case it was just
> for JNDI, though I was only using JNDI to use JMS!  I have not used JAAS
> before.  Is it an extension?  How is the extension loaded?  You'll want to
> make sure that the extension is loaded by your code, and not by anything that
> would be found in the standard CLASSPATH (as used by Tomcat), and it cannot
> be done by including configuration information in a properties file or the
> like.
>
> For example, to use JCE, I had used the method of installing the provider by
> putting an entry in the jre/lib/security/java.security file, and this had
> the unfortunate side effect of causing those classes to be loaded by the
> system class loaders rather than the JSP classloader that's going to look in
> WEB-INF/lib for you.  By loading the provider in my code instead
> (Security.addProvider()) I was able to solve it.  Hope this helps...
>
> David
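
The class-loader dependency discussed in this thread, reproduced as an added example (not code from either poster or from the IBM or Sun JAAS distributions). It assumes a current JDK, where LoginContext resolves the LoginModule class through the thread context class loader captured when the LoginContext is constructed. JaasLoaderDemo, DemoModule and the "blind" loader are hypothetical stand-ins for the poster's SchedulerModule and for a loader that cannot see WEB-INF/lib.

```java
import java.net.URL;
import java.net.URLClassLoader;
import java.util.Collections;
import java.util.Map;
import javax.security.auth.Subject;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.login.*;
import javax.security.auth.spi.LoginModule;

public class JaasLoaderDemo {
    // Hypothetical stand-in for the thread's SchedulerModule; it accepts every login.
    public static class DemoModule implements LoginModule {
        public void initialize(Subject s, CallbackHandler h, Map<String, ?> shared, Map<String, ?> opts) {}
        public boolean login() { return true; }
        public boolean commit() { return true; }
        public boolean abort() { return true; }
        public boolean logout() { return true; }
    }
    // In-memory equivalent of a "Scheduler { <module> required repository=schedule; };" entry.
    static Configuration config() {
        final AppConfigurationEntry[] entries = { new AppConfigurationEntry(DemoModule.class.getName(),
            AppConfigurationEntry.LoginModuleControlFlag.REQUIRED,
            Collections.singletonMap("repository", "schedule")) };
        return new Configuration() {
            @Override public AppConfigurationEntry[] getAppConfigurationEntry(String name) {
                return "Scheduler".equals(name) ? entries : null;
            }
        };
    }
    // Logs in with `loader` as the thread context class loader, then restores the old one.
    static String loginWith(ClassLoader loader) {
        Thread t = Thread.currentThread();
        ClassLoader saved = t.getContextClassLoader();
        t.setContextClassLoader(loader);
        try {
            new LoginContext("Scheduler", null, null, config()).login();
            return "login ok";
        } catch (LoginException e) {
            return "LoginException: " + e.getMessage();
        } finally {
            t.setContextClassLoader(saved);
        }
    }
    public static void main(String[] args) {
        // Sees only JDK classes, like a loader that cannot see WEB-INF/lib.
        ClassLoader blind = new URLClassLoader(new URL[0], null);
        System.out.println("blind loader:  " + loginWith(blind));
        System.out.println("module loader: " + loginWith(DemoModule.class.getClassLoader()));
    }
}
```

The first call fails with a LoginException because the module class is not visible to the context loader; the second succeeds because the loader that defined DemoModule is the context loader when the LoginContext is created.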
