8 Replies Latest reply on May 8, 2002 11:08 AM by ansonyumo

    Problem with Roles in Jetty

    ansonyumo

      Hi,

      I am having a problem with Roles and the JBoss 2.4.3 / Jetty 3.1.3 distribution.

      We use a custom login module that extends DatabaseServerLoginModule and overrides validatePassword. This works correctly, we see a log message that indicates the user has successfully authenticated via form-based authentication.

      However, when JaasSecurityManager.doesUserHaveRole is invoked, it returns false even though the user is a member of the requested role. I have verified this by overriding getRoleSets in our custom LoginModule and sending the roles for the user to the log.

      The log follows this message. Here are the highlights:

      1) The message "User 'vern1' authenticated" indicates that the user successfully logged in.
      2) The message "getRoleSets = 1" is output from the overridden getRoleSets, and indicates the length of the returned array.
      3) The message "group = Roles" indicates that the name of the returned Group is "Roles".
      4) The message "role = Students org.jboss.security.SimplePrincipal" indicates that the Roles group contains one Principal named Students.

      All of this is just verifying that DatabaseServerLoginModule.getRoleSets is behaving correctly.

      However, the following log message indicates that the user does not have the Role "Students", which is contrary to the above debug output.

      I have delved into the JBoss code a bit to try to determine what is going on here. In org.jboss.security.plugins.JaasSecurityManager.doesUserHaveRole, I output a log message to indicate the result of the call to getActiveSubject(). Surprisingly, this is always returning null, even though the user is logged in. doesUserHaveRole then returns false, which would explain the described failure to recognize a user's role.

      To make all of this worse, our application works fine using Tomcat / JBoss. I suspect that something is wrong with our jboss-web.xml, web.xml or auth.conf. I had to add a realm-name to login-config of web.xml in order to get Jetty to authenticate a user; is there some other configuration that Jetty requires but Tomcat ignores?

      Or, any other ideas?

      Thanks.

      Brian Smith


      Here is the relevant log output:

      [Default SocketListener-4] 2002-03-28 11:40:54,930 User 'vern1' authenticated.
      [Default SocketListener-4] 2002-03-28 11:40:55,145 *** getRoleSets = 1
      [Default SocketListener-4] 2002-03-28 11:40:55,146 *** group = Roles
      [Default SocketListener-4] 2002-03-28 11:40:55,147 *** role = Students org.jboss.security.SimplePrincipal
      [Jetty SocketListener-4] 2002-03-28 11:40:55,206 Security- User: vern1 is authenticated
      [Jetty SocketListener-0] 2002-03-28 11:40:55,227 Security- User: vern1
      [Jetty SocketListener-0] 2002-03-28 11:40:55,228 Security- User: vern1 is NOT in Role: Students
      [Jetty SocketListener-0] 2002-03-28 11:40:55,229 Security- User: vern1 is NOT in Role: Teachers
      [Jetty SocketListener-0] 2002-03-28 11:40:55,229 Security- User: vern1 is NOT in Role: Admins
      [Jetty SocketListener-0] 2002-03-28 11:40:55,230 WARNING: AUTH FAILURE: role for vern1

      [Default SocketListener-4] 2002-03-28 11:40:54,930 User 'vern1' authenticated.
      [ilsDB SocketListener-4] 2002-03-28 11:40:54,933 No transaction right now.
      [ilsDB SocketListener-4] 2002-03-28 11:40:54,934 Pool ilsDB [1/1/100] gave out pooled object: org.jboss.pool.jdbc.xa.wrapper.XAConnectionImpl@59fb21
      [ilsDB SocketListener-4] 2002-03-28 11:40:55,144 Pool ilsDB [0/1/100] returned object org.jboss.pool.jdbc.xa.wrapper.XAConnectionImpl@59fb21 to the pool.
      [Default SocketListener-4] 2002-03-28 11:40:55,145 *** getRoleSets = 1
      [Default SocketListener-4] 2002-03-28 11:40:55,146 *** group = Roles
      [Default SocketListener-4] 2002-03-28 11:40:55,147 *** role = Students org.jboss.security.SimplePrincipal
      [Jetty SocketListener-4] 2002-03-28 11:40:55,206 Security- User: vern1 is authenticated
      [Jetty SocketListener-0] 2002-03-28 11:40:55,227 Security- User: vern1
      [Jetty SocketListener-0] 2002-03-28 11:40:55,228 Security- User: vern1 is NOT in Role: Students
      [Jetty SocketListener-0] 2002-03-28 11:40:55,229 Security- User: vern1 is NOT in Role: Teachers
      [Jetty SocketListener-0] 2002-03-28 11:40:55,229 Security- User: vern1 is NOT in Role: Admins
      [Jetty SocketListener-0] 2002-03-28 11:40:55,230 WARNING: AUTH FAILURE: role for vern1

        • 1. Re: Problem with Roles in Jetty
          ansonyumo

          Whoops, sorry about the double pasting of the log.

          In further analysis, it looks like Jetty is checking roles on a different thread from the authentication. SocketListener-4 does the auth, and SocketListener-0 is checking the role. As getActiveSubject() depends on thread-local storage, that would explain why it can't find the current user.

          Which begs the question: "Why is it doing this?"
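          Added illustration of the diagnosis above (not code from this thread, JBoss or Jetty): a hypothetical stand-in for a thread-local subject store shows why a role check that runs on a thread other than the one that authenticated finds no subject and returns false, and contrasts it with a check whose roles travel with the session object rather than the thread. Class and method names are assumptions; only the shape of doesUserHaveRole() follows the thread's description.

```java
import java.util.*;
import java.util.concurrent.*;

// Hypothetical stand-in for JaasSecurityManager: the caller's roles are kept in a
// ThreadLocal, which is what getActiveSubject() depends on.
final class ThreadBoundRoleChecker {
    private static final ThreadLocal<Set<String>> ACTIVE_ROLES = new ThreadLocal<>();

    static void authenticate(Set<String> roles) {
        ACTIVE_ROLES.set(roles);
    }

    // Same shape as doesUserHaveRole(): no active subject on this thread -> false.
    // The failure mode is a denial (fail closed), not an unintended grant.
    static boolean doesUserHaveRole(String role) {
        Set<String> roles = ACTIVE_ROLES.get();
        return roles != null && roles.contains(role);
    }
}

// Session-bound alternative (assumption): the roles are carried by the authenticated
// session object instead of the thread, so which thread performs the check is irrelevant.
final class SessionBoundRoleChecker {
    static boolean doesUserHaveRole(Set<String> sessionRoles, String role) {
        return sessionRoles != null && sessionRoles.contains(role);
    }
}

public class RoleCheckThreadDemo {
    public static void main(String[] args) throws Exception {
        Set<String> roles = new HashSet<>(Arrays.asList("Students"));

        // Authentication happens on this thread (the log's SocketListener-4).
        ThreadBoundRoleChecker.authenticate(roles);
        System.out.println("same thread:   " + ThreadBoundRoleChecker.doesUserHaveRole("Students"));

        // The role check runs on another thread (the log's SocketListener-0):
        // its ThreadLocal slot was never set, so the check cannot see the user.
        ExecutorService other = Executors.newSingleThreadExecutor();
        Future<Boolean> threadBound = other.submit(() -> ThreadBoundRoleChecker.doesUserHaveRole("Students"));
        System.out.println("other thread:  " + threadBound.get());

        // The session-bound check answers correctly from any thread.
        Future<Boolean> sessionBound = other.submit(() -> SessionBoundRoleChecker.doesUserHaveRole(roles, "Students"));
        System.out.println("session-bound: " + sessionBound.get());
        other.shutdown();
    }
}
```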

          • 2. Re: Problem with Roles in Jetty FORM-based authentication
            ansonyumo

            OK, here's some more info on the problem.

            I have created a small 'hello, world' test application that reproduces the problem I was having with our system.

            This test app works when using BASIC authentication, but fails when using FORM authentication.

            When using BASIC authentication, the user is able to successfully login and his Role membership is recognized. When I change web.xml to use FORM authentication, the user can authenticate but the system does not recognize his Role.


            Here is the log for BASIC auth:

            [INFO,JaasSecurityManagerService] Created securityMgr=org.jboss.security.plugins.JaasSecurityManager@56b93a
            [INFO,JaasSecurityManagerService] setCachePolicy, c=org.jboss.util.TimedCachePolicy@798d58
            [INFO,JaasSecurityManagerService] Added hello, org.jboss.security.plugins.SecurityDomainContext@2ea710 to map
            [INFO,JettyService] Security- User: bsmith
            [INFO,JettyService] Security- created JBossUserRealm::User: bsmith
            [INFO,JettyService] Security- User: bsmith is authenticated
            [INFO,JettyService] Security- User: bsmith is in Role: Foo


            Here is the log for FORM auth:

            [INFO,JaasSecurityManagerService] Created securityMgr=org.jboss.security.plugins.JaasSecurityManager@1c6163
            [INFO,JaasSecurityManagerService] setCachePolicy, c=org.jboss.util.TimedCachePolicy@34cfb
            [INFO,JaasSecurityManagerService] Added hello, org.jboss.security.plugins.SecurityDomainContext@330fb9 to map
            [INFO,JettyService] Security- User: bsmith
            [INFO,JettyService] Security- created JBossUserRealm::User: bsmith
            [INFO,JettyService] Security- User: bsmith is authenticated
            [INFO,JettyService] Security- User: bsmith
            [WARN,JettyService] Security- User: bsmith is NOT in Role: Foo
            [WARN,JettyService] Security- User: bsmith is NOT in Role: Bar
            [WARN,JettyService] Security- User: bsmith is NOT in Role: Baz
            [WARN,JettyService] WARNING: AUTH FAILURE: role for bsmith

            So, without being overly presumptuous, it looks like form-based authentication is broken in JBoss 2.4.4 / Jetty 3.1.3?? In reviewing the change log for Jetty, there appears to have been some work checked in for resolving form-based authentication problems. Especially interesting is the comment for 3.1.3:
            + Improved FORM auth handling of role failure.

            Anybody out there that knows how to fix this problem?

            -brian

            PS: Config and DDs

            Here is my auth.conf:

            hello {
              org.jboss.security.auth.spi.DatabaseServerLoginModule required
                dsJndiName="java:/ilsDB"
                principalsQuery="select password from hello_user where username=?"
                rolesQuery="select grpname, 'Roles' from hello_user where username=?"
              ;
            };


            Here is my web.xml:

            <?xml version="1.0"?>
            <web-app>

              <display-name>Hello World</display-name>

              <!-- define servlets to register with the server -->
              <servlet>
                <servlet-name>HelloServlet</servlet-name>
                <servlet-class>com.ignite.hello.HelloServlet</servlet-class>
              </servlet>

              <!-- define URL mapping to servlets -->
              <servlet-mapping>
                <servlet-name>HelloServlet</servlet-name>
                <url-pattern>/servlet/hello</url-pattern>
              </servlet-mapping>

              <!-- configure the session parameters -->
              <session-config>
                <session-timeout>30</session-timeout>
              </session-config>

              <!-- default files for a directory -->
              <welcome-file-list>
                <welcome-file>index.jsp</welcome-file>
                <welcome-file>index.html</welcome-file>
              </welcome-file-list>

              <!-- security constraint -->
              <security-constraint>
                <web-resource-collection>
                  <web-resource-name>All</web-resource-name>
                  <description>Declarative security tests</description>
                  <url-pattern>/servlet/*</url-pattern>
                  <http-method>HEAD</http-method>
                  <http-method>GET</http-method>
                  <http-method>POST</http-method>
                  <http-method>PUT</http-method>
                  <http-method>DELETE</http-method>
                </web-resource-collection>
                <auth-constraint>
                  <role-name>Foo</role-name>
                  <role-name>Bar</role-name>
                  <role-name>Baz</role-name>
                </auth-constraint>
                <user-data-constraint>
                  <description>no description</description>
                  <transport-guarantee>NONE</transport-guarantee>
                </user-data-constraint>
              </security-constraint>

              <!-- configure the method of logging in -->
              <login-config>
                <auth-method>FORM</auth-method>
                <realm-name>Gondor</realm-name>
                <form-login-config>
                  <form-login-page>/login.jsp</form-login-page>
                  <form-error-page>/error.jsp</form-error-page>
                </form-login-config>
              </login-config>

              <!-- security-role -->
              <security-role>
                <role-name>Foo</role-name>
              </security-role>

              <security-role>
                <role-name>Bar</role-name>
              </security-role>

              <security-role>
                <role-name>Baz</role-name>
              </security-role>

            </web-app>


            jboss-web.xml:

            <?xml version="1.0"?>
            <jboss-web>
              <security-domain>java:/jaas/hello</security-domain>
            </jboss-web>

            • 3. Re: Problem with Roles in Jetty FORM-based authentication
              jules_gosnell


              Firstly, there is a new JBoss/Jetty release on SourceForge:
              http://prdownloads.sourceforge.net/jboss/JBoss-2.4.4_Jetty-3.1.7-1.zip


              Secondly, you could try this on JBoss 3.0:

              http://sourceforge.net/cvs/?group_id=22866


              If it works in 3.0 I will backport it for you.

              If it doesn't, we will fix it and backport it.


              How does that sound?


              Jules

              • 4. Re: Problem with Roles in Jetty FORM-based authentication
                oxcart

                Hi,

                Has this problem been solved yet? I'm having trouble with it as well. I've tried the JBoss/Jetty release you mentioned but to no avail. It does seem to work with JBoss 3.0.

                • 5. Re: Problem with Roles in Jetty FORM-based authentication
                  ansonyumo

                  Thanks, Jules. This project was pushed aside, I hope to begin working on it again soon.

                  I see from oxcart's post that it does work in 3.0. Once I hear of a backport to 2.x, I'll reopen the porting effort.

                  Thanks.

                  -brian

                  • 6. Re: Problem with Roles in Jetty FORM-based authentication
                    ansonyumo

                    Is there any update on getting a JBoss 2.4.x / Jetty build that properly handles form validation? We're going to be looking at this over the next few weeks.

                    Thanks!

                    -brian

                    • 7. Re: Problem with Roles in Jetty FORM-based authentication
                      drcharris

                      I've run into this problem too - exactly the same.

                      We use JBoss 2.4.4 with Jetty 3.1.7 and it has the threading problem you mentioned. This problem also made its way onto the jetty-discuss Yahoo group but didn't seem to be resolved.

                      A workaround for the short-term is to use basic auth instead of form, but this is ugly. JBoss 2.4.5 (out any day now) comes with Jetty 4.0 which should be better (I haven't tested) but is a servlet 2.3 engine and may give you other problems w.r.t. the servlet spec.

                      So I don't think there's a solution yet.

                      • 8. Re: Problem with Roles in Jetty FORM-based authentication
                        ansonyumo

                        That's not much of a workaround when form-based authentication is a product requirement.

                        :)