7 Replies Latest reply on Jan 5, 2002 9:37 PM by luke_t

    UsernamePasswordLoginModule

    snorman

      I am running JBoss-2.4.1_Jetty-3.1.RC9-1.


      Right now my static pages, jsp's and servlets check a session attribute to see if a user has logged into my website (by looking up the username and password in a legacy system).

      I would like to move to using JAAS and a declarative security model. Based on what I have read it seems that it would be best to write a custom login module based on the UsernamePasswordLoginModule that would interface with my legacy system.

      In order to understand this better I am trying to modify example1 at
      http://www.javaworld.com/javaworld/jw-08-2001/jw-0831-jaas.html

      to use a UsernamePasswordLoginModule to authenticate a user. For the example I want to keep it simple - the password is always "password".

      The following is my module:


      import org.jboss.security.auth.spi.UsernamePasswordLoginModule;
      import java.security.acl.Group;
      import org.jboss.security.SimplePrincipal;
      import org.jboss.security.SimpleGroup;
      import java.util.Map;
      import javax.security.auth.callback.CallbackHandler;
      import javax.security.auth.Subject;

      // Declared public: the JAAS LoginContext instantiates login modules by
      // reflection, and a package-private class cannot be accessed that way.
      public class MemberLoginModule extends UsernamePasswordLoginModule {

          public void initialize(Subject subject, CallbackHandler callbackHandler, Map sharedState, Map options) {
              super.initialize(subject, callbackHandler, sharedState, options);
          }

          // Expected password for the user; for this example it is always "password".
          public String getUsersPassword() {
              return "password";
          }

          // Role sets for the authenticated user: one group named "Roles" whose
          // members are the role principals.
          public Group[] getRoleSets() {
              SimplePrincipal principal = new SimplePrincipal("java");
              SimpleGroup groups[] = new SimpleGroup[1];
              groups[0] = new SimpleGroup("Roles");
              groups[0].addMember(principal);
              return groups;
          }
      }

      I am stuck because I am not sure how to assign the role of "Echo" to the username "java".

      I then assume that I need to modify the auth.conf to read:

      example1 {
      CallerPrincipal mapping MemberLoginModule; unauthenticatedIdentity=nobody
      ;
      };

      Is that it?

      Thanks in advance for any direction that can be provided... I am new to JAAS...and a bit confused... :)

      Steve Norman

        • 1. Re: UsernamePasswordLoginModule


          > I am stuck because I am not sure how to assign the role of "Echo" to the username "java".

          Hi,

          You want to change your getRoleSets() implementation to something like:

          public Group[] getRoleSets()
          {
          SimpleGroup groups[] = new SimpleGroup[1];
          groups[0] = new SimpleGroup("Roles");
          groups[0].addMember(new SimplePrincipal("Echo"));
          return groups;
          }

          You then have a single group called "Roles" which contains one principal - the role "Echo". This is the standard pattern used by JBoss to store the role names.
          Remember that this is not actually specified by JAAS - this is just how JBoss uses JAAS.

          You then have every user with the password "password" and the role "Echo". Is this what you were after?

          Luke.
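A complete module following the pattern Luke describes, added here as an example (it is not code from this thread or from JBoss). It assumes the JBoss 2.4-era UsernamePasswordLoginModule API (protected getUsersPassword() and getRoleSets(), getUsername() for the name supplied in the callback) and stands in for the legacy system with a constructed in-memory table; it also declares the class public with a public no-argument constructor, which the JAAS LoginContext needs because it instantiates modules by reflection.

```java
import java.security.acl.Group;
import java.util.HashMap;
import java.util.Map;

import javax.security.auth.login.FailedLoginException;
import javax.security.auth.login.LoginException;

import org.jboss.security.SimpleGroup;
import org.jboss.security.SimplePrincipal;
import org.jboss.security.auth.spi.UsernamePasswordLoginModule;

// Must be public: LoginContext loads the class by name and calls newInstance();
// a package-private class fails with IllegalAccessException, which JAAS reports
// as "unable to access LoginModule".
public class MemberLoginModule extends UsernamePasswordLoginModule {

    // Constructed stand-in for the legacy user store (not a real system):
    // username -> { password, role, role, ... }
    private static final Map USERS = new HashMap();
    static {
        USERS.put("java", new String[] { "password", "Echo" });
        USERS.put("steve", new String[] { "s3cret", "Echo", "Admin" });
    }

    // Public no-argument constructor, also required for reflective instantiation.
    public MemberLoginModule() {
    }

    // Called by the superclass after the username/password callbacks have run;
    // the returned value is compared with the password the user supplied.
    // The failure message is generic so it does not reveal whether the account exists.
    protected String getUsersPassword() throws LoginException {
        String[] record = (String[]) USERS.get(getUsername());
        if (record == null) {
            throw new FailedLoginException("Invalid username or password");
        }
        return record[0];
    }

    // JBoss convention: a single Group named "Roles" whose members are the role
    // names; an unknown name (e.g. the unauthenticatedIdentity) gets no roles.
    protected Group[] getRoleSets() throws LoginException {
        SimpleGroup roles = new SimpleGroup("Roles");
        String[] record = (String[]) USERS.get(getUsername());
        for (int i = 1; record != null && i < record.length; i++) {
            roles.addMember(new SimplePrincipal(record[i]));
        }
        return new Group[] { roles };
    }
}
```

With this module, logging in as "java" with "password" yields the role "Echo", while "steve" gets both "Echo" and "Admin"; the auth.conf entry must name the class exactly as compiled (including its package, if any).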

          • 2. Re: UsernamePasswordLoginModule
            snorman

            Thanks for your reply Luke!

             The info you provided has helped me understand how JBoss implements JAAS... I have made the changes but I still am having a problem. I am getting the following message:

            [Jetty] Authenticating access, username: java
            [Jetty] User: java is NOT authenticated
            [Jetty] AUTH FAILURE: user java

             I do not think that JBoss is using my custom login module defined in auth.conf. If I use a fictitious class name in this file I get the same error.

            I put my login module in a jar file that I then put into my jboss classpath... should that work?

            Thanks for any help anyone can provide...

            Steve

            • 3. Re: UsernamePasswordLoginModule

              Hi,

              Have you specified a security domain for your application? You need to do this, otherwise your
              application will just end up using the "other" entry in auth.conf.

              You should do this in both your jboss.xml (if you have EJBs) and jboss-web.xml files. Each should contain the following:

              <security-domain>java:/jaas/other</security-domain>

              with "other" changed to the name of your configuration (e.g. "example1").

              If you get errors, can you post the exceptions which are output by the server. Check the server log, not just the console output.

              Luke.

              • 4. Re: UsernamePasswordLoginModule
                snorman

                 Luke,
                 Thanks for the info, it helped...

                 My security domain is "example1". Because I was not looking at the server log I was not seeing the full error message. First, I was getting an error because I did not have a no-argument constructor for my custom login module. I created an empty no-argument constructor which removed that error but now I am getting the following:

                [Service Control] Started 54 services
                [Default] JBoss 2.4.1 Started in 0m:10s
                [Jetty] +++ JBossUserRealm.getUser, username=java
                [Jetty] Authenticating access, username: java
                [example1] Login failure
                javax.security.auth.login.LoginException: unable to access LoginModule: null
                at javax.security.auth.login.LoginContext.invoke(LoginContext.java:635)
                at javax.security.auth.login.LoginContext.access$000(LoginContext.java:125)
                at javax.security.auth.login.LoginContext$3.run(LoginContext.java:531)
                at java.security.AccessController.doPrivileged(Native Method)
                at javax.security.auth.login.LoginContext.invokeModule(LoginContext.java:528)
                at javax.security.auth.login.LoginContext.login(LoginContext.java:449)
                at org.jboss.security.plugins.JaasSecurityManager.defaultLogin(JaasSecurityManager.java:361)
                at org.jboss.security.plugins.JaasSecurityManager.authenticate(JaasSecurityManager.java:328)
                at org.jboss.security.plugins.JaasSecurityManager.isValid(JaasSecurityManager.java:215)
                at org.jboss.jetty.JBossUserRealm$User.authenticate(JBossUserRealm.java:58)
                at org.mortbay.http.handler.SecurityHandler.basicAuthenticated(SecurityHandler.java:378)
                at org.mortbay.http.handler.SecurityHandler.authenticatedInRole(SecurityHandler.java:296)
                at org.mortbay.http.handler.SecurityHandler.handle(SecurityHandler.java:263)
                at org.mortbay.http.HandlerContext.handle(HandlerContext.java:1027)
                at org.mortbay.http.HandlerContext.handle(HandlerContext.java:982)
                at org.mortbay.http.HttpServer.service(HttpServer.java:674)
                at org.mortbay.http.HttpConnection.service(HttpConnection.java:732)
                at org.mortbay.http.HttpConnection.handleNext(HttpConnection.java:889)
                at org.mortbay.http.HttpConnection.handle(HttpConnection.java:746)
                at org.mortbay.http.SocketListener.handleConnection(SocketListener.java:146)
                at org.mortbay.util.ThreadedServer.handle(ThreadedServer.java:287)
                at org.mortbay.util.ThreadPool$PoolThreadRunnable.run(ThreadPool.java:613)
                at java.lang.Thread.run(Thread.java:484)
                [Jetty] User: java is NOT authenticated

                Thanks for the help!

                • 5. Re: UsernamePasswordLoginModule

                  What does your auth.conf file look like now?

                  Have you tried the same app with JBoss/Tomcat, and a newer JBoss/Jetty bundle to see if it works with either of them?

                  Luke.

                  • 6. Re: UsernamePasswordLoginModule
                    snorman

                     I've upgraded and tried with both

                     JBoss 2.4.4-Jetty-3.1.3-1 and
                     JBoss 2.4.4-Tomcat-4.0.1

                     and I am still getting the same error.

                    The following is my auth.conf

                    // The JBoss server side JAAS login config file for the examples

                    example1 {
                    MemberLoginModule required
                    unauthenticatedIdentity=nobody
                    debug="true"
                    ;
                    };

                     Also, here are some more messages from the server log in case it helps:

                    09:05:10,971,Default] lookup securityDomain manager name: java:/jaas/example1
                    [09:05:11,051,JaasSecurityManagerService] Created securityMgr=org.jboss.security.plugins.JaasSecurityManager@4391c3
                    [09:05:11,061,JaasSecurityManagerService] setCachePolicy, c=org.jboss.util.TimedCachePolicy@758500
                    [09:05:11,061,example1] CachePolicy set to: org.jboss.util.TimedCachePolicy@758500
                    [09:05:11,061,JaasSecurityManagerService] Added example1, org.jboss.security.plugins.SecurityDomainContext@6ed322 to map

                    [09:05:11,192,Default] lookup securityDomain manager name: java:/jaas/example1

                    [09:05:11,282,StatelessSessionContainer] Binding securityDomain: java:/jaas/example1 to JDNI ENC as: security/security-domain


                    [09:05:11,342,StatefulSessionContainer] Binding securityDomain: java:/jaas/example1 to JDNI ENC as: security/security-domain

                    [09:05:12,283,EmbeddedCatalinaServiceSX] Linking security/securityMgr to JNDI name: java:/jaas/example1

                    [09:05:12,944,EmbeddedCatalinaServiceSX] Binding security/securityMgr to NullSecurityManager

                    [09:05:13,064,Default] JBoss-2.4.4 Started in 0m:6s.609
                    [09:05:22,578,example1] Login failure
                    javax.security.auth.login.LoginException: unable to access LoginModule: null
                    at javax.security.auth.login.LoginContext.invoke(LoginContext.java:635)
                    at javax.security.auth.login.LoginContext.access$000(LoginContext.java:125)
                    at javax.security.auth.login.LoginContext$3.run(LoginContext.java:531)
                    at java.security.AccessController.doPrivileged(Native Method)
                    at javax.security.auth.login.LoginContext.invokeModule(LoginContext.java:528)
                    at javax.security.auth.login.LoginContext.login(LoginContext.java:449)
                    at org.jboss.security.plugins.JaasSecurityManager.defaultLogin(JaasSecurityManager.java:394)
                    at org.jboss.security.plugins.JaasSecurityManager.authenticate(JaasSecurityManager.java:361)
                    at org.jboss.security.plugins.JaasSecurityManager.isValid(JaasSecurityManager.java:217)
                    at org.jboss.web.catalina.security.JBossSecurityMgrRealm.authenticate(JBossSecurityMgrRealm.java:253)
                    at org.apache.catalina.authenticator.BasicAuthenticator.authenticate(BasicAuthenticator.java:161)
                    at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:493)
                    at org.apache.catalina.core.StandardPipeline.invokeNext(StandardPipeline.java:564)
                    at org.apache.catalina.valves.CertificatesValve.invoke(CertificatesValve.java:246)
                    at org.apache.catalina.core.StandardPipeline.invokeNext(StandardPipeline.java:564)
                    at org.apache.catalina.core.StandardPipeline.invoke(StandardPipeline.java:472)
                    at org.apache.catalina.core.ContainerBase.invoke(ContainerBase.java:943)
                    at org.apache.catalina.core.StandardContext.invoke(StandardContext.java:2344)
                    at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:164)
                    at org.apache.catalina.core.StandardPipeline.invokeNext(StandardPipeline.java:566)
                    at org.apache.catalina.valves.ErrorDispatcherValve.invoke(ErrorDispatcherValve.java:170)
                    at org.apache.catalina.core.StandardPipeline.invokeNext(StandardPipeline.java:564)
                    at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:170)
                    at org.apache.catalina.core.StandardPipeline.invokeNext(StandardPipeline.java:564)
                    at org.apache.catalina.core.StandardPipeline.invoke(StandardPipeline.java:472)
                    at org.apache.catalina.core.ContainerBase.invoke(ContainerBase.java:943)
                    at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:163)
                    at org.apache.catalina.core.StandardPipeline.invokeNext(StandardPipeline.java:566)
                    at org.apache.catalina.core.StandardPipeline.invoke(StandardPipeline.java:472)
                    at org.apache.catalina.core.ContainerBase.invoke(ContainerBase.java:943)
                    at org.apache.catalina.connector.http.HttpProcessor.process(HttpProcessor.java:1011)
                    at org.apache.catalina.connector.http.HttpProcessor.run(HttpProcessor.java:1106)
                    at java.lang.Thread.run(Thread.java:484)


                    THANKS!

                    • 7. Re: UsernamePasswordLoginModule

                      Hmmm. I dunno. Where are you putting your login module class? Even if that's not found, I wouldn't expect an error like the one you're seeing.

                       I've mainly used the Tomcat 3.2 bundles so perhaps you could try it with that. Otherwise could you send me a copy of the example you have that reproduces the problem?

                      Luke.