FORM login SecurityDomain jboss-web.xml principal=null
hurzeler Aug 27, 2002 4:17 AM
Hello there,
I need your help with the configuration of Web/EJB authorization and authentication.
This is kind of my last resort. I have read most of the articles in the jboss forum and docs as well as the javaworld articles on JBossSX and I still can't work out why my setup does not work.
So please, please help me...
I am running JBoss 3.0.1 with Jetty on Java 1.3.1_04 with Postgres (postgresql-7.1.3-2) and a DatabaseLoginModule.
Q1) Is the following login-config.xml correct? Do the managedConnectionFactoryName of ConfiguredIdentityLoginModule and DatabaseServerLoginModule have to be identical?
Q2) a) What is the <module-option name="principal">TimeTagPrincipal</module-option> used for? b) Does the actual name matter? c) Does the principal of ConfiguredIdentityLoginModule and DatabaseServerLoginModule have to be identical as well?
I have two login modules configured in login-config.xml
-------------------------------------------------------
<application-policy name = "PostgresDbRealm">
  <login-module code = "org.jboss.resource.security.ConfiguredIdentityLoginModule"
                flag = "required">
    <module-option name="principal">TimeTagPrincipal</module-option>
    <module-option name="userName">postgres</module-option>
    <module-option name="password">postgres</module-option>
    <module-option name="managedConnectionFactoryName">jboss.jca:service=LocalTxCM,name=PostgresDS</module-option>
  </login-module>
</application-policy>
<application-policy name = "TimeTagDomain">
  <login-module code = "org.jboss.security.auth.spi.DatabaseServerLoginModule"
                flag = "required">
    <module-option name="dsJndiName">java:/PostgresDS</module-option>
    <module-option name="principal">TimeTagPrincipal</module-option>
    <module-option name="principalsQuery">select password from principals where principalid = ?</module-option>
    <module-option name="rolesQuery">select role, rolegroup from roles where principalid = ?</module-option>
    <module-option name="managedConnectionFactoryName">jboss.jca:service=LocalTxCM,name=PostgresDS</module-option>
    <module-option name="unauthenticatedIdentity">nobody</module-option>
  </login-module>
</application-policy>
---------------------------------------------------------
If I use PostgresDbRealm in web.xml and don't set the security domain in jboss-web.xml (it is not even in the war) and the security domain is not set in jboss.xml, then the Jetty authentication works: the user is authenticated and the role is also correctly retrieved. See the debug output a little further down.
web.xml
---------------------------------------------------------
<security-constraint>
  <web-resource-collection>
    <web-resource-name>Secure Content</web-resource-name>
    <description>Security Constraint</description>
    <url-pattern>/admin/*</url-pattern>
  </web-resource-collection>
  <auth-constraint>
    <role-name>Administrator</role-name>
  </auth-constraint>
</security-constraint>
<login-config>
  <auth-method>FORM</auth-method>
  <realm-name>PostgresDbRealm</realm-name>
  <form-login-config>
    <form-login-page>/login/login.jsp</form-login-page>
    <form-error-page>/login/error.jsp</form-error-page>
  </form-login-config>
</login-config>
<security-role>
  <role-name>Administrator</role-name>
</security-role>
<ejb-ref>
  <description>A test reference to the HelloWorld EJB</description>
  <ejb-ref-name>HelloWorld</ejb-ref-name>
  <ejb-ref-type>Session</ejb-ref-type>
  <home>com.timeTag.interfaces.HelloWorldHome</home>
  <remote>com.timeTag.interfaces.HelloWorld</remote>
  <ejb-link>HelloWorld</ejb-link>
</ejb-ref>
</web-app>
---------------------------------------------------------
Q3) In the web.xml when do I need to reference the SessionBean with <ejb-ref>?
Debug output of a successful authentication:
---------------------------------------------------------
16:41:15,494 INFO [Server] JBoss (MX MicroKernel) [3.0.1 Date:200208062340] Started in 0m:32s:306ms
16:43:47,653 DEBUG [JBossUserRealm#PostgresDbRealm] JBossUserPrincipal: hurzeler
16:43:47,663 DEBUG [JBossUserRealm#PostgresDbRealm] created JBossUserRealm::JBossUserPrincipal: hurzeler
16:43:47,663 DEBUG [JBossUserRealm#PostgresDbRealm] authenticating: Name:hurzeler Password:****
16:43:47,663 DEBUG [JBossUserRealm#PostgresDbRealm] authenticated: hurzeler
16:43:47,663 DEBUG [JBossUserRealm#PostgresDbRealm] setting JAAS subjectAttributeName(j_subject) : null
16:43:47,683 DEBUG [JBossUserRealm#PostgresDbRealm] authenticating: Name:hurzeler Password:****
16:43:47,683 DEBUG [JBossUserRealm#PostgresDbRealm] authenticated: hurzeler
16:43:47,683 DEBUG [JBossUserRealm#PostgresDbRealm] JBossUserPrincipal: hurzeler is in Role: Administrator
------------------------------------------------------
OK, JBossUserRealm has recognized my user as hurzeler in the role of Administrator, and Jetty lets me access the restricted area.
Q4) Now here comes the part I do not understand:
If I set the security domain in jboss-web.xml and jboss.xml to PostgresDbRealm my user is not recognized to be in the role Administrator. Why?
The error I get is:
---------------------------------------------------------
16:53:56,058 INFO [Server] JBoss (MX MicroKernel) [3.0.1 Date:200208062340] Started in 0m:28s:701ms
16:54:13,313 DEBUG [JBossUserRealm#PostgresDbRealm] JBossUserPrincipal: hurzeler
16:54:13,323 DEBUG [JBossUserRealm#PostgresDbRealm] created JBossUserRealm::JBossUserPrincipal: hurzeler
16:54:13,323 DEBUG [JBossUserRealm#PostgresDbRealm] authenticating: Name:hurzeler Password:****
16:54:13,333 DEBUG [JBossUserRealm#PostgresDbRealm] authenticated: hurzeler
16:54:13,343 DEBUG [JBossUserRealm#PostgresDbRealm] setting JAAS subjectAttributeName(j_subject) : Subject:
Principal: TimeTagPrincipal
Private Credential: javax.resource.spi.security.PasswordCredential@40000000
16:54:13,353 DEBUG [JBossUserRealm#PostgresDbRealm] authenticating: Name:hurzeler Password:****
16:54:13,353 DEBUG [JBossUserRealm#PostgresDbRealm] authenticated: hurzeler
16:54:13,353 DEBUG [JBossUserRealm#PostgresDbRealm] JBossUserPrincipal: hurzeler is NOT in Role: Administrator
16:54:13,363 WARN [jbossweb] WARNING: AUTH FAILURE: role for hurzeler
---------------------------------------------------------
Obviously Jetty now complains with:
HTTP ERROR: 403 User not in required role
RequestURI=/timeTag/admin/index.jsp
Now here is the interesting bit:
If I set the security domain in jboss-web.xml and jboss.xml to TimeTagDomain, I get properly authenticated and the user's role is set to Administrator. What strikes me is that the authentication seems to work and the setting of the subject and the retrieval of the role work as well, but the principal does not get propagated to JBoss.
Q5) Further I think according to the docs the security domain in web.xml, jboss-web.xml and jboss.xml should be PostgresDbRealm. Is this correct or should the security domains be as described above?
Debug output with the above settings when I go to my secure stateless session bean after I have logged in:
---------------------------------------------------------
16:02:23,461 INFO [Server] JBoss (MX MicroKernel) [3.0.1 Date:200208062340] Started in 0m:36s:793ms
16:02:44,071 DEBUG [JBossUserRealm#PostgresDbRealm] JBossUserPrincipal: hurzeler
16:02:44,081 DEBUG [JBossUserRealm#PostgresDbRealm] created JBossUserRealm::JBossUserPrincipal: hurzeler
16:02:44,091 DEBUG [JBossUserRealm#PostgresDbRealm] authenticating: Name:hurzeler Password:****
16:02:44,181 DEBUG [JBossUserRealm#PostgresDbRealm] authenticated: hurzeler
16:02:44,181 DEBUG [JBossUserRealm#PostgresDbRealm] setting JAAS subjectAttributeName(j_subject) : Subject:
Principal: hurzeler
Principal: Roles
Principal: CallerPrincipal
16:02:44,201 DEBUG [JBossUserRealm#PostgresDbRealm] authenticating: Name:hurzeler Password:****
16:02:44,201 DEBUG [JBossUserRealm#PostgresDbRealm] authenticated: hurzeler
16:02:44,211 DEBUG [JBossUserRealm#PostgresDbRealm] JBossUserPrincipal: hurzeler is in Role: Administrator
16:02:51,131 ERROR [SecurityInterceptor] Insufficient method permissions, principal=null, method=create, interface=HOME, requiredRoles=[AuthorizedUser, Administrator], principalRoles=null
----------------------------------------------------------
Q6) It seems to me that the security settings in ejb-jar.xml have no bearing on the behaviour if the principal=null. Is this correct?
Q7) Why is the principal=null?
I also attach the ejb-jar.xml security constraints for my stateless session bean (HelloWorld).
ejb-jar.xml (Note: <assembly-descriptor > sits inside <ejb-jar>)
----------------------------------------------------------
<assembly-descriptor >
  <security-role>
    <role-name>AuthorizedUser</role-name>
  </security-role>
  <security-role>
    <role-name>Administrator</role-name>
  </security-role>
  <security-role>
    <role-name>User</role-name>
  </security-role>
  <method-permission >
    <role-name>AuthorizedUser</role-name>
    <role-name>Administrator</role-name>
    <ejb-name>HelloWorld</ejb-name>
    <method-name>*</method-name>
  </method-permission>
</assembly-descriptor>
---------------------------------------------------------
I must obviously be a bit thick, but all this is a bit of a mystery to me.
Q9) Can someone explain to me what the exact function of ConfiguredIdentityLoginModule is and how it interplays with DatabaseServerLoginModule?
Please help. I am desperate... :-(
Thanks, Bernie
ICM Engineering Pty Ltd
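Added example, not part of Bernie's post and not taken from the JBoss documentation, showing the split the two modules are built for. ConfiguredIdentityLoginModule does one job: it hands the fixed userName/password to the JCA connection manager named in managedConnectionFactoryName so the pool can open database connections. Its login() does not check the caller's password at all, so the "authenticated: hurzeler" lines logged under JBossUserRealm#PostgresDbRealm in the second listing do not mean the form password was verified; the Subject that domain produced is exactly what that listing shows (Principal: TimeTagPrincipal plus a PasswordCredential, no Roles group), and it contains nothing for the Administrator check to find, hence the 403. DatabaseServerLoginModule is the module that authenticates a caller against the principals and roles tables and builds the Roles and CallerPrincipal groups that the web container and the EJB SecurityInterceptor read, which is what the third listing shows once jboss-web.xml names TimeTagDomain (the realm is still logged as PostgresDbRealm, but the Subject now carries hurzeler, Roles and CallerPrincipal). So the JCA domain is attached to the datasource and the application domain is named in jboss-web.xml and jboss.xml. The <authentication> wrapper is the JBoss 3.0 login-config.xml format; principal and managedConnectionFactoryName are options of ConfiguredIdentityLoginModule, not of DatabaseServerLoginModule, so they are dropped from TimeTagDomain. Assumptions: the attribute name SecurityDomainJndiName on the LocalTxConnectionManager MBean and the file name postgres-service.xml follow the JBoss 3.0 datasource templates, and the table and column names are the ones from the post.

```xml
<!-- ===== login-config.xml (added example; JBoss 3.0 format with <authentication>) ===== -->
<policy>

  <!-- JCA domain: only supplies the fixed DB login to the connection manager.
       ConfiguredIdentityLoginModule accepts any caller without checking a
       password, so this domain must never be named in jboss-web.xml or jboss.xml. -->
  <application-policy name="PostgresDbRealm">
    <authentication>
      <login-module code="org.jboss.resource.security.ConfiguredIdentityLoginModule"
                    flag="required">
        <!-- 'principal' is only the name placed in the JCA Subject; any name works -->
        <module-option name="principal">postgres</module-option>
        <module-option name="userName">postgres</module-option>
        <module-option name="password">postgres</module-option>
        <!-- must match the connection manager MBean name below -->
        <module-option name="managedConnectionFactoryName">jboss.jca:service=LocalTxCM,name=PostgresDS</module-option>
      </login-module>
    </authentication>
  </application-policy>

  <!-- Application domain: authenticates web/EJB callers and loads their roles.
       No 'principal' or 'managedConnectionFactoryName' here; those belong to
       ConfiguredIdentityLoginModule. 'unauthenticatedIdentity' is left out so a
       caller that presents no credentials fails instead of becoming 'nobody'. -->
  <application-policy name="TimeTagDomain">
    <authentication>
      <login-module code="org.jboss.security.auth.spi.DatabaseServerLoginModule"
                    flag="required">
        <module-option name="dsJndiName">java:/PostgresDS</module-option>
        <!-- table and column names taken from the post -->
        <module-option name="principalsQuery">select password from principals where principalid = ?</module-option>
        <module-option name="rolesQuery">select role, rolegroup from roles where principalid = ?</module-option>
      </login-module>
    </authentication>
  </application-policy>

</policy>

<!-- ===== postgres-service.xml: attach the JCA domain to the datasource =====
     Assumption: attribute and file names as in the JBoss 3.0 *-service.xml templates;
     the other <depends> entries of the template are unchanged and not repeated here. -->
<mbean code="org.jboss.resource.connectionmanager.LocalTxConnectionManager"
       name="jboss.jca:service=LocalTxCM,name=PostgresDS">
  <depends optional-attribute-name="JaasSecurityManagerService">jboss.security:service=JaasSecurityManager</depends>
  <attribute name="SecurityDomainJndiName">PostgresDbRealm</attribute>
</mbean>

<!-- ===== jboss-web.xml (WEB-INF of the war): the web tier authenticates here ===== -->
<jboss-web>
  <security-domain>java:/jaas/TimeTagDomain</security-domain>
</jboss-web>

<!-- ===== jboss.xml (META-INF of the EJB jar): the same domain, so the caller that
     Jetty authenticated is the principal the SecurityInterceptor evaluates ===== -->
<jboss>
  <security-domain>java:/jaas/TimeTagDomain</security-domain>
</jboss>
```

With this split a login that fails in TimeTagDomain is a real failure rather than the silent success the JCA module gives, and the method-permission block in ejb-jar.xml is checked against the roles DatabaseServerLoginModule loaded for the caller. The userName and password in PostgresDbRealm are still plaintext in login-config.xml, so the file should be readable only by the account JBoss runs as.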