Hi,

You were right, I had an error in my user mapping. (Thanks Aaron)

But now ....
    The user login is ok, but when I execute HttpServletRequest.isUserInRole("IBMS") in my code, it returns false.
I debugged my code ...
    HttpServletRequest -- userPrincipal is present with the correct name and subjects but roles is null.
Any directions?

 Thanks,

     Yeray Cabrera


Aaron Mulder wrote:
I think that UnsupportedCallbackException is kind of expected.  If I
remember right, we call the login module once just to establish what
callbacks it wants, and we call it a second time to do the actual
login.  So the fact that it gets called once and an exception is
thrown should be OK, just don't do anything hasty.  When it gets
called the second time the login should work.

Now, looking back at your web app plan, I see this:

    <security>
        <default-principal>
            <principal name="anonymous"
            class="com.ias.ibms.auth.IBMSRole"
            />
        </default-principal>
    </security>

That doesn't actually map any user to any J2EE roles.  In other words,
no logins are treated as members of the IBMS J2EE role, so even if the
login to the web app is valid, the user probably gets an access denied
error.  To fix that, you need to list the login module principals
that should be members of the J2EE role named IBMS, like this:

    <security>
        <default-principal>
            <principal name="anonymous"
            class="com.ias.ibms.auth.IBMSRole"
            />
        </default-principal>
        <role-mapping>
          <role role-name="IBMS">
            <principal name="some-principal-name"
            class="com.ias.ibms.auth.IBMSRole"
            />
          </role>
        </role-mapping>
    </security>

So the combination of the principal class (com...IBMSRole) and
principal name (some-principal-name) should uniquely identify a
principal returned by the login module.  (e.g. some modules return
both user principals and group principals and a particular login may
get some of both, and there could be users and groups with the same
name like 'administrator').  You can list more than one role in the
role-mapping section and more than one principal in each role section
if you want to do more extensive mapping (e.g. 2 users and 3 groups
should all count as members of the "IBMS" role).

For more details, you can look at:

http://chariotsolutions.com/geronimo/web-plan.html#web-plan-security

Particularly example 11.5.

Thanks,
    Aaron


On 3/8/06, Yeray Cabrera <[EMAIL PROTECTED]> wrote:
  
 Hi,

 I'm still having trouble deploying the security realm. The realm itself is
now deployed, but when trying to authenticate a user at the webapp I'm
getting an UnsupportedCallbackException.

 Actually I'm tracing it and it calls the LoginModule's login() method
twice. The first time it throws the exception but the second one it does
pass back the username and password through the callbacks.

 The module and the webapp are working fine inside a stand-alone Tomcat. Any
directions?

 Thanks,

     Yeray Cabrera



 Yeray Cabrera wrote:
 Thanks Vamsavardhana!

 It's running fine.

 But I had tried to deploy the security realm configuration plan by command
line and it did not run. Now I deploy the security realm configuration plan
by web console.

 Thanks

        Yeray Cabrera

 Vamsavardhana Reddy wrote:
Hi Yeray,

 The dependency you have included in geronimo-web.xml needs to go into this
security realm configuration plan.  You do not need that dependency tag in
geronimo-web.xml

 Uninstall the configuration "SecurityRealm-ibms" from application
management portlets.  Create a security realm plan xml separately.  You can
simply add the dependency tag to the security realm plan you have sent
earlier and deploy this newly created plan.

 Vamsi


On 3/7/06, Yeray Cabrera <[EMAIL PROTECTED]> wrote:
    
This is the deployment plan:

<configuration configId="SecurityRealm-ibms"
    xmlns="http://geronimo.apache.org/xml/ns/deployment-1.0">
    <gbean name="ibms"
        class="org.apache.geronimo.security.realm.GenericSecurityRealm">
        <attribute name="realmName">ibms</attribute>
        <reference name="ServerInfo">
            <gbean-name>geronimo.server:J2EEApplication=null,J2EEModule=geronimo/j2ee-system/1.0/car,J2EEServer=geronimo,j2eeType=GBean,name=ServerInfo</gbean-name>
        </reference>
        <reference name="LoginService">
            <gbean-name>geronimo.server:J2EEApplication=null,J2EEModule=geronimo/j2ee-security/1.0/car,J2EEServer=geronimo,j2eeType=JaasLoginService,name=JaasLoginService</gbean-name>
        </reference>
        <xml-reference name="LoginModuleConfiguration">
            <log:login-config
                xmlns:log="http://geronimo.apache.org/xml/ns/loginconfig-1.0">
                <log:login-module control-flag="REQUIRED"
                    server-side="true" wrap-principals="false">
                    <log:login-domain-name>ibms</log:login-domain-name>
                    <log:login-module-class>com.ias.ibms.auth.nullauth.NullAuthLogin</log:login-module-class>
                </log:login-module>
            </log:login-config>
        </xml-reference>
    </gbean>
</configuration>


Vamsavardhana Reddy wrote:

Yeray,

Can you copy paste the plan for the security realm.  To see the plan, access the Security Realms portlet in Admin Console, Click on "edit" for the realm and click on "Show plan" button in the next page.

-Vamsi

On 3/7/06, Yeray Cabrera <[EMAIL PROTECTED]> wrote:
      
Hi Vamsavardhana,

I used the wizard in Geronimo console and I see it's "running" in Security Realms menu

I deployed with the following web.xml :

<web-app>
.....
    <login-config>
        <auth-method>FORM</auth-method>
        <realm-name>Example Form-Based Authentication Area</realm-name>
        <form-login-config>
            <form-login-page>/login.vm</form-login-page>
            <form-error-page>/error.vm</form-error-page>
        </form-login-config>
    </login-config>

    <security-role>
        <role-name>IBMS</role-name>
    </security-role>

    <security-constraint>
        <display-name>IBMS Security-Constraint</display-name>
        <web-resource-collection>
            <web-resource-name>Protected Area</web-resource-name>
            <url-pattern>administration/*</url-pattern>
            <url-pattern>backoffice/*</url-pattern>
            <url-pattern>hotel/*</url-pattern>
            <url-pattern>maintenance/*</url-pattern>
            <url-pattern>management/*</url-pattern>
            <url-pattern>index/*</url-pattern>
            <url-pattern>*.do</url-pattern>
            <http-method>DELETE</http-method>
            <http-method>GET</http-method>
            <http-method>POST</http-method>
            <http-method>PUT</http-method>
        </web-resource-collection>
        <auth-constraint>
            <role-name>IBMS</role-name>
        </auth-constraint>
    </security-constraint>

</web-app>

Thanks,

    Yeray Cabrera



Vamsavardhana Reddy wrote:

How is the Security Realm deployed?  I don't see it is part of the web application.

-Vamsi


On 3/7/06, Yeray Cabrera <[EMAIL PROTECTED]> wrote:
        
Hi,

I'm trying to deploy a War in Geronimo with my own Security Realm.

First, I add an entry in Common libraries (the jar containing my classes)

Next, I add a security realm.

And finally, I deploy my web app with the following deployment plan:


          
----------------------------------------------------------------------------------------------------------
<?xml version="1.0" encoding="UTF-8"?>
<web-app
    xmlns="http://geronimo.apache.org/xml/ns/web"
    xmlns:naming="http://geronimo.apache.org/xml/ns/naming"
    configId="ibms"
    parentId="geronimo/j2ee-server/1.0/car">

    <dependency>
        <uri>ibms/ibmsauth/0.9.1/jar</uri>
    </dependency>

    <context-root>/ibms</context-root>
    <context-priority-classloader>true</context-priority-classloader>
    <security-realm-name>ibms</security-realm-name>
    <security>
        <default-principal>
            <principal name="anonymous"
            class="com.ias.ibms.auth.IBMSRole"
            />
        </default-principal>
    </security>
</web-app>
----------------------------------------------------------------------------------------------------------

The deploy is correct, but when I try to access my application, the following exception occurs:

          
----------------------------------------------------------------------------------------------------------
10:40:09,241 WARN  [TomcatGeronimoRealm] Login exception authenticating username "pancho"
javax.security.auth.login.LoginException: org.apache.geronimo.common.GeronimoSecurityException: Unable to instantiate login module
        at org.apache.geronimo.security.jaas.server.JaasLoginModuleConfiguration.getLoginModule(JaasLoginModuleConfiguration.java:71)
        at org.apache.geronimo.security.jaas.server.JaasSecuritySession.<init>(JaasSecuritySession.java:64)
        at org.apache.geronimo.security.jaas.server.JaasLoginService.initializeClient(JaasLoginService.java:353)
        at org.apache.geronimo.security.jaas.server.JaasLoginService.connectToRealm(JaasLoginService.java:169)
        at org.apache.geronimo.security.jaas.server.JaasLoginService$$FastClassByCGLIB$$95b84fc9.invoke(<generated>)
        at net.sf.cglib.reflect.FastMethod.invoke(FastMethod.java:53)
        at org.apache.geronimo.gbean.runtime.FastMethodInvoker.invoke(FastMethodInvoker.java:38)
        at org.apache.geronimo.gbean.runtime.GBeanOperation.invoke(GBeanOperation.java:118)
        at org.apache.geronimo.gbean.runtime.GBeanInstance.invoke(GBeanInstance.java:800)
        at org.apache.geronimo.gbean.runtime.RawInvoker.invoke(RawInvoker.java:57)
        at org.apache.geronimo.kernel.basic.RawOperationInvoker.invoke(RawOperationInvoker.java:36)
        at org.apache.geronimo.kernel.basic.ProxyMethodInterceptor.intercept(ProxyMethodInterceptor.java:96)
        at org.apache.geronimo.security.jaas.server.JaasLoginServiceMBean$$EnhancerByCGLIB$$901db4a3.connectToRealm(<generated>)
        at org.apache.geronimo.security.jaas.client.JaasLoginCoordinator.login(JaasLoginCoordinator.java:95)
...
Caused by: java.lang.ClassNotFoundException: com.ias.ibms.auth.nullauth.NullAuthLogin
        at java.net.URLClassLoader$1.run(URLClassLoader.java:200)
        at java.security.AccessController.doPrivileged(Native Method)
        at java.net.URLClassLoader.findClass(URLClassLoader.java:188)
        at java.lang.ClassLoader.loadClass(ClassLoader.java:306)
        at org.apache.geronimo.kernel.config.MultiParentClassLoader.loadClass(MultiParentClassLoader.java:209)
        at java.lang.ClassLoader.loadClass(ClassLoader.java:251)
        at org.apache.geronimo.security.jaas.server.JaasLoginModuleConfiguration.getLoginModule(JaasLoginModuleConfiguration.java:69)
        ... 44 more
----------------------------------------------------------------------------------------------------------

Does somebody have an idea why the class is not found? I see it in common libraries

Thanks,

    Yeray Cabrera

--
 Yeray Cabrera Santana
 Integra Soluciones Avanzadas, S.L.
 Tlf: +34928465203
 C/ Juan Domínguez Pérez 28, Urb El Sebadal
 Las Palmas de Gran Canaria (35008)
 SPAIN
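
Added example, not part of the original messages and not Geronimo's own code: a small model of the matching rule Aaron describes above, where a role applies only when a principal's class and name together match an entry under that role in the role-mapping section. `IBMSRole` here is a stand-in for the thread's `com.ias.ibms.auth.IBMSRole`, `IBMSUser` is a hypothetical second principal class, and the principal names are constructed sample values.

```java
import java.security.Principal;
import java.util.*;
import javax.security.auth.Subject;

public class RoleMappingDemo {
    // Stand-ins for the principal classes a login module might return (assumed shapes).
    static class NamedPrincipal implements Principal {
        private final String name;
        NamedPrincipal(String name) { this.name = name; }
        public String getName() { return name; }
    }
    static final class IBMSRole extends NamedPrincipal { IBMSRole(String n) { super(n); } }
    static final class IBMSUser extends NamedPrincipal { IBMSUser(String n) { super(n); } }

    // One <principal class="..." name="..."/> entry: class AND name together form the key.
    static String key(Class<?> type, String name) { return type.getName() + "/" + name; }

    // Roles granted to a subject: a role applies when any principal matches an entry exactly.
    static Set<String> rolesFor(Subject subject, Map<String, Set<String>> roleMapping) {
        Set<String> roles = new TreeSet<>();
        for (Principal p : subject.getPrincipals()) {
            String k = key(p.getClass(), p.getName());
            roleMapping.forEach((role, entries) -> { if (entries.contains(k)) roles.add(role); });
        }
        return roles;
    }

    static Subject subjectOf(Principal... principals) {
        Subject s = new Subject();
        s.getPrincipals().addAll(Arrays.asList(principals));
        return s;
    }

    public static void main(String[] args) {
        // <role role-name="IBMS"> with a single principal entry (constructed sample values).
        Map<String, Set<String>> mapped =
            Map.of("IBMS", Set.of(key(IBMSRole.class, "administrator")));
        // A plan with only <default-principal> and no <role-mapping>.
        Map<String, Set<String>> unmapped = Map.of();

        Subject withRole = subjectOf(new IBMSUser("pancho"), new IBMSRole("administrator"));
        Subject sameNameOtherClass = subjectOf(new IBMSUser("administrator"));

        System.out.println("mapped, role principal present: " + rolesFor(withRole, mapped));
        System.out.println("mapped, same name other class:  " + rolesFor(sameNameOtherClass, mapped));
        System.out.println("no role-mapping in the plan:     " + rolesFor(withRole, unmapped));
    }
}
```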


    

  
