9 Replies Latest reply on Oct 23, 2002 9:53 PM by superchipchipchip

    principalRoles=null

    wouter

      I use JBoss-2.4.4 - Tomcat-4.0.1 and configured security using DatabaseServerLoginModule as described below.
      Everything works all right, except that the user's role is not retrieved from the database.

      When I try to access a protected web page (using form login), username and password are correctly checked against
      database values. When I enter a wrong user or password I get the error page; when I enter the correct user and password, the user is authenticated but access is always denied because the role is not known. Access is granted when the security role is set to * in web.xml.

      Same problem when accessing an EJB from a test client, see error below. Apparently user is authenticated but his role is not set.

      What am I missing, or what is my mistake? I found other threads on this, but their problem seemed to be in the 'Roles' for role_group. I suppose I have this right?

      Sorry for the huge msg, I just want to give all elements.

      Thanks,
      Wouter



      Database contents :
      -------------------
      mysql> use bcc17util;
      Database changed
      mysql> select * from users;
      +----------------------+-------------+----------+
      | user | password | language |
      +----------------------+-------------+----------+
      | user_admin | change_this | E |
      | user_statementholder | change_this | E |
      +----------------------+-------------+----------+
      2 rows in set (0.00 sec)

      mysql> select * from user_roles;
      +----------------------+-----------------+------------+
      | user | role | role_group |
      +----------------------+-----------------+------------+
      | user_admin | admin | Roles |
      | user_statementholder | statementholder | Roles |
      +----------------------+-----------------+------------+
      2 rows in set (0.00 sec)


      Mapping of the utilityDS in jboss.jcml :
      ----------------------------------------

      org.jboss.pool.jdbc.xa.wrapper.XADataSourceImpl
      utilityDS
      jdbc:mysql://localhost:3306/bcc17util
      jboss
      [password here]



      DatabaseServerLoginModule in auth.conf :
      ----------------------------------------
      bcc17 {
      org.jboss.security.auth.spi.DatabaseServerLoginModule required
      dsJndiName="java:/utilityDS"
      principalsQuery="select password from users where user=?"
      rolesQuery="select role, role_group from user_roles where user=?";
      };


      Security domain entry in jboss.xml and jboss-web.xml :
      ------------------------------------------------------
      <security-domain>java:/jaas/bcc17</security-domain>


      Code used in a test class to do the login :
      -------------------------------------------
      (reference to client/auth.conf set in System properties)

      ...

      String user = "user_admin";
      String password = "change_this";
      try {
      LoginContext lc = new LoginContext("bcc17", new AppCallbackHandler(user, password.toCharArray()));
      lc.login();
      }

      ...


      Exception :
      -----------
      [ERROR,SecurityInterceptor] Insufficient method permissions,
      principal=user_admin, method=create, requiredRoles=
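      An added Python example (not JBoss's code and not from the original post) that replays the two queries from auth.conf above against an in-memory SQLite copy of the tables shown, to illustrate how the role_group column decides which rows end up as authorization roles; the extra 'auditor' row with role_group 'MyRoles' is constructed for contrast.

```python
import sqlite3

# Constructed in-memory replica of the poster's two tables (not the real MySQL database).
SCHEMA = """
CREATE TABLE users (user TEXT PRIMARY KEY, password TEXT, language TEXT);
CREATE TABLE user_roles (user TEXT, role TEXT, role_group TEXT);
INSERT INTO users VALUES ('user_admin', 'change_this', 'E');
INSERT INTO users VALUES ('user_statementholder', 'change_this', 'E');
INSERT INTO user_roles VALUES ('user_admin', 'admin', 'Roles');
INSERT INTO user_roles VALUES ('user_statementholder', 'statementholder', 'Roles');
-- Constructed extra row: role_group is not 'Roles', so it must not become an authorization role.
INSERT INTO user_roles VALUES ('user_admin', 'auditor', 'MyRoles');
"""

# The two queries exactly as configured in the poster's auth.conf.
PRINCIPALS_QUERY = "select password from users where user=?"
ROLES_QUERY = "select role, role_group from user_roles where user=?"

def open_db():
    db = sqlite3.connect(":memory:")
    db.executescript(SCHEMA)
    return db

def authenticate(db, user, password):
    """Mimics principalsQuery: fetch the stored password and compare with the supplied one."""
    row = db.execute(PRINCIPALS_QUERY, (user,)).fetchone()
    return row is not None and row[0] == password

def role_groups(db, user):
    """Mimics rolesQuery: each row's role_group names the group the role is placed in."""
    groups = {}
    for role, group in db.execute(ROLES_QUERY, (user,)):
        groups.setdefault(group, set()).add(role)
    return groups

def principal_roles(db, user):
    """Only the group named 'Roles' is consulted for EJB method and web URL permissions."""
    return sorted(role_groups(db, user).get("Roles", set()))

if __name__ == "__main__":
    db = open_db()
    for u, p in [("user_admin", "change_this"), ("user_admin", "wrong")]:
        ok = authenticate(db, u, p)
        print(u, "authenticated" if ok else "rejected", principal_roles(db, u) if ok else "-")
```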

        • 1. Re: principalRoles=null
          cobraflow

          In your ejb-jar you must specify valid role-names. The method-name may contain a '*'.
          Eg
          <assembly-descriptor>
          <security-role>
          <role-name>Administrator</role-name>
          </security-role>
          <security-role>
          <role-name>User</role-name>
          </security-role>
          <method-permission>
          <role-name>Administrator</role-name>
          <role-name>User</role-name>
          <method>
          <ejb-name>MyBean</ejb-name>
          <method-name>*</method-name>
          </method>
          </method-permission>
          .....
          </assembly-descriptor>

          The role-name entries should match your role column in the database.

          Lewis

          • 2. Re: principalRoles=null
            wouter

            Lewis,

            Of course you're right but that doesn't solve the problem. I get the same exception only now the requiredRoles[] has the correct required role.

            It must be something in the mapping of roles to principals, because even using UsersRolesLoginModule with the appropriate properties files doesn't get me out.

            I'm downloading the source now and will (try to) see for myself how the principalRoles are retrieved and kept. Perhaps that will give me a clue.

            Thanks anyway,
            Wouter

            • 3. Re: principalRoles=null
              wouter

              Lewis,

              For your information, I found the cause. I configured the server to establish an SSL-connection with the clients and when I comment that out, everything works fine. So I must have made a mistake in my SSL settings, which narrows the problem considerably.

              Wouter

              • 4. Re: principalRoles=null
                cobraflow

                Thanks for that.

                Could you post your 'finished/working' configuration for SSL... I am looking at moving some applications that way!

                Lewis

                • 5. Re: principalRoles=null
                  wouter

                  Will do, but for now I just disabled SSL in order to go on with development and testing. I will take the time to look into it as soon as my programmers are well on track.

                  You don't need to keep watching this topic. If I have something, I'll send a mail.

                  Wouter

                  • 6. Re: principalRoles=null
                    ofer

                    Hello wouter, I have been keeping up with your thread in the forum and I am keenly interested in what success you have because it matches my needs precisely. I am also running the same jboss/tomcat under apache. I purchased the S. Scott document on JBoss. I could not get the mailaccountservlet to run in secured mode. I found the JavaWorld ejbservlet example (also S. Scott) and was successful in running it as secured but unable to add or change users. Also, another curiosity is that the user/roles.properties files specify another user, but even adding that user to the "roles" does not allow a secure connection. If you know of a working example that can be modified so I may learn JBoss a/a I would be very appreciative. Thanks for your attention, 0-fer.

                    • 7. Re: principalRoles=null
                      wouter

                      I'm not familiar with the examples you mention and can't comment on your experience. I also need to point out that my application is rather specific and will become quite complicated. It's therefore not well suited as an example to learn JBoss.

                      What I'd suggest is you try a similar approach as I did. Read the JBoss and Tomcat docs. Then try to do what you want to do and if you get stuck, search the forums (probably someone already had the same problem). If that doesn't help, post your specific question with (that's a lesson I also had to learn) enough details to allow others to really help.

                      I don't think it's useful to send you my application, which won't be operational before the summer anyway, but I'll be glad to help you solve a specific problem if I can.

                      Greetings,
                      Wouter

                      • 8. Re: principalRoles=null
                        dcelery

                        Hello friends.
                        I have the same problem when enabling SSL.
                        The users lost the roles.
                        Do you know why?

                        • 9. Re: principalRoles=null -- solved
                          superchipchipchip

                          Hello Guys

                          I've been stuck with this problem like you guys and I figured out what is wrong. It's the security domain defined in the jboss-service.xml, the following lines:

                          <!-- The SSL domain setup -->




                          chap8.keystore
                          rmi+ssl


                          The domain name used here should not be the same as the domain defined in your login-config.xml. I think we all fall in the trap to use the same domain name.

                          I figured this out because my local invoker also lost the principal roles and I began to suspect it was not a problem of the SSL...
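                          An added Python check (not JBoss's code and not from any poster) for the trap described above: it reads the JAAS application-policy names from login-config.xml and the JaasSecurityDomain names from jboss-service.xml and reports any name used for both. The two XML fragments are constructed in the JBoss 3.x style, with the MBean code, constructor argument and attribute names assumed from that layout; the keystore values are the ones shown in the post.

```python
import xml.etree.ElementTree as ET

# Constructed login-config.xml fragment (assumed JBoss 3.x layout): the JAAS domain the apps refer to.
LOGIN_CONFIG = """<policy>
  <application-policy name="bcc17">
    <authentication>
      <login-module code="org.jboss.security.auth.spi.DatabaseServerLoginModule" flag="required">
        <module-option name="dsJndiName">java:/utilityDS</module-option>
      </login-module>
    </authentication>
  </application-policy>
</policy>"""

# Constructed jboss-service.xml fragment: the SSL keystore domain reusing the name 'bcc17' (the trap).
JBOSS_SERVICE = """<server>
  <mbean code="org.jboss.security.plugins.JaasSecurityDomain"
         name="jboss.security:service=JaasSecurityDomain,domain=bcc17">
    <constructor><arg type="java.lang.String" value="bcc17"/></constructor>
    <attribute name="KeyStoreURL">chap8.keystore</attribute>
    <attribute name="KeyStorePass">rmi+ssl</attribute>
  </mbean>
</server>"""

def jaas_policy_names(login_config_xml):
    """Names of every <application-policy> in login-config.xml."""
    root = ET.fromstring(login_config_xml)
    return {p.get("name") for p in root.iter("application-policy")}

def ssl_domain_names(jboss_service_xml):
    """Domain names handed to each JaasSecurityDomain MBean via its constructor argument."""
    root = ET.fromstring(jboss_service_xml)
    names = set()
    for mb in root.iter("mbean"):
        if mb.get("code") != "org.jboss.security.plugins.JaasSecurityDomain":
            continue
        for arg in mb.iter("arg"):
            names.add(arg.get("value"))
    return names

def domain_collisions(login_config_xml, jboss_service_xml):
    """Names that are both a JAAS login domain and an SSL keystore domain."""
    return sorted(jaas_policy_names(login_config_xml) & ssl_domain_names(jboss_service_xml))

if __name__ == "__main__":
    print("colliding domain names:", domain_collisions(LOGIN_CONFIG, JBOSS_SERVICE))
```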