11 Replies Latest reply on Sep 26, 2002 4:48 PM by jayhowell

    problem with DatabaseServerLoginModule

    jhalmes

      I am using 3.0.0/tomcat, I followed the online help at http://www.jboss.org/online-manual/HTML/ch11s78.html to try and set up the DatabaseServerLoginModule.

      Any idea why I am getting, "unable to find LoginModule class"?

      I am getting a BASIC auth prompt at the browser, but then when I type in valid (or invalid) credentials it fails to login and in server.log I get this error:

      2002-09-09 16:52:29,995 DEBUG [org.jboss.security.plugins.JaasSecurityManager.elderw_domain] Login failure
      javax.security.auth.login.LoginException: unable to find LoginModule class: org.jboss.security.auth.spi.UsersRolesLoginModule
      at javax.security.auth.login.LoginContext.invoke(LoginContext.java(Compiled Code))
      at javax.security.auth.login.LoginContext.access$000(LoginContext.java:124)
      at javax.security.auth.login.LoginContext$3.run(LoginContext.java:530)
      at java.security.AccessController.doPrivileged(Native Method)
      at javax.security.auth.login.LoginContext.invokeModule(LoginContext.java:527)
      at javax.security.auth.login.LoginContext.login(LoginContext.java:448)
      at org.jboss.security.plugins.JaasSecurityManager.defaultLogin(JaasSecurityManager.java:381)
      at org.jboss.security.plugins.JaasSecurityManager.authenticate(JaasSecurityManager.java:347)
      at org.jboss.security.plugins.JaasSecurityManager.isValid(JaasSecurityManager.java:215)
      at org.jboss.web.catalina.security.JBossSecurityMgrRealm.authenticate(JBossSecurityMgrRealm.java:281)
      at org.apache.catalina.authenticator.BasicAuthenticator.authenticate(BasicAuthenticator.java:161)
      at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:503)
      at org.apache.catalina.core.StandardPipeline.invokeNext(StandardPipeline.java:564)
      at org.apache.catalina.valves.CertificatesValve.invoke(CertificatesValve.java:246)
      at org.apache.catalina.core.StandardPipeline.invokeNext(StandardPipeline.java:564)
      at org.apache.catalina.core.StandardPipeline.invoke(StandardPipeline.java:472)
      at org.apache.catalina.core.ContainerBase.invoke(ContainerBase.java:943)
      at org.apache.catalina.core.StandardContext.invoke(StandardContext.java:2343)
      at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:180)
      at org.apache.catalina.core.StandardPipeline.invokeNext(StandardPipeline.java:566)
      at org.apache.catalina.valves.ErrorDispatcherValve.invoke(ErrorDispatcherValve.java:170)
      at org.apache.catalina.core.StandardPipeline.invokeNext(StandardPipeline.java:564)
      at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:170)
      at org.apache.catalina.core.StandardPipeline.invokeNext(StandardPipeline.java:564)
      at org.apache.catalina.valves.AccessLogValve.invoke(AccessLogValve.java:468)
      at org.apache.catalina.core.StandardPipeline.invokeNext(StandardPipeline.java:564)
      at org.apache.catalina.core.StandardPipeline.invoke(StandardPipeline.java:472)
      at org.apache.catalina.core.ContainerBase.invoke(ContainerBase.java:943)
      at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:174)
      at org.apache.catalina.core.StandardPipeline.invokeNext(StandardPipeline.java:566)
      at org.apache.catalina.core.StandardPipeline.invoke(StandardPipeline.java:472)
      at org.apache.catalina.core.ContainerBase.invoke(ContainerBase.java:943)
      at org.apache.catalina.connector.http.HttpProcessor.process(HttpProcessor.java(Compiled Code))
      at org.apache.catalina.connector.http.HttpProcessor.run(HttpProcessor.java(Compiled Code))
      at java.lang.Thread.run(Thread.java:498)

      Here is my ../server/default/conf/auth.conf:
      elderw_domain {
      /* A JDBC based LoginModule
      LoginModule options:
      dsJndiName: The name of the DataSource of the database containing the Principals, Roles tables
      principalsQuery: The prepared statement query equivalent to:
      "select Password from Principals where PrincipalID=?"
      rolesQuery: The prepared statement query equivalent to:
      "select Role, RoleGroup from Roles where PrincipalID=?"
      */
      org.jboss.security.auth.spi.DatabaseServerLoginModule required
      dsJndiName="java:/DefaultDS"
      principalsQuery="select ..."
      rolesQuery="select ..."
      ;
      };

      Here is my ../server/default/conf/login-config.xml:
      <application-policy name = "OracleDbRealm">

      <login-module code = "org.jboss.resource.security.ConfiguredIdentityLoginModule" flag = "required">
      <module-option name = "principal">principal</module-option>
      <module-option name = "userName">username</module-option>
      <module-option name = "password">password</module-option>
      <module-option name = "managedConnectionFactoryName">jboss.jca:service=LocalTxCM,name=OracleDS</module-option>
      </login-module>

      </application-policy>

      I also have an oracle-services.xml file that is pretty big, but I cut and pasted it from an example in the forums. I am running on AIX.

      Thanks,
      Jasen

        • 1. Re: problem with DatabaseServerLoginModule
          tool

          According to the documentation, the auth.conf file isn't used anymore in the 3.0.x releases of JBoss. I think you need to put your entry for elderw_domain into the login-config.xml.
          The server is looking in the login-config.xml for an entry that matches your security domain name and since you don't include one, it is using the last entry called "other", which is why your output says UsersRolesLoginModule, not DatabaseServerLoginModule.
          Unfortunately I don't really know why it says that it cannot find the Login Module, but I am fairly sure that you still need to make the change I mentioned above for things to work correctly.
          Hope this helps,
          tool
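The fallback described in this reply can be checked before deployment. The following is an added example, not part of the thread or of JBoss: it parses a login-config.xml and reports whether a security domain has its own application-policy or would fall through to "other". The class name SecurityDomainCheck and the embedded sample are constructed for illustration, and the fallback rule is the one stated in the reply above.

```java
import java.io.ByteArrayInputStream;
import java.nio.file.Files;
import java.nio.file.Paths;
import java.util.LinkedHashMap;
import java.util.Map;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.Element;
import org.w3c.dom.NodeList;

public class SecurityDomainCheck {
    // Constructed sample modelled on the configuration quoted in the thread:
    // a datasource policy plus the "other" policy, and no entry for elderw_domain.
    static final String SAMPLE =
        "<policy>"
      + "<application-policy name='OracleDbRealm'><authentication>"
      + "<login-module code='org.jboss.resource.security.ConfiguredIdentityLoginModule' flag='required'/>"
      + "</authentication></application-policy>"
      + "<application-policy name='other'><authentication>"
      + "<login-module code='org.jboss.security.auth.spi.UsersRolesLoginModule' flag='required'/>"
      + "</authentication></application-policy>"
      + "</policy>";

    /** Maps each application-policy name to the login-module classes it declares. */
    static Map<String, String> policies(byte[] xml) throws Exception {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        // The file is read for its structure only: never fetch DTDs or external entities.
        f.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        f.setFeature("http://xml.org/sax/features/external-general-entities", false);
        f.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        NodeList ps = f.newDocumentBuilder().parse(new ByteArrayInputStream(xml))
                       .getElementsByTagName("application-policy");
        Map<String, String> out = new LinkedHashMap<>();
        for (int i = 0; i < ps.getLength(); i++) {
            Element p = (Element) ps.item(i);
            NodeList ms = p.getElementsByTagName("login-module");
            StringBuilder codes = new StringBuilder();
            for (int j = 0; j < ms.getLength(); j++) {
                if (j > 0) codes.append(", ");
                codes.append(((Element) ms.item(j)).getAttribute("code"));
            }
            out.put(p.getAttribute("name"), codes.toString());
        }
        return out;
    }

    /** Says which policy would decide logins for the given security domain. */
    static String resolve(Map<String, String> policies, String domain) {
        if (policies.containsKey(domain))
            return "OK: '" + domain + "' uses " + policies.get(domain);
        if (policies.containsKey("other"))
            return "FALLBACK: no policy named '" + domain + "'; 'other' applies: " + policies.get("other");
        return "MISSING: no policy named '" + domain + "' and no 'other' policy";
    }

    public static void main(String[] args) throws Exception {
        byte[] xml = args.length > 0 ? Files.readAllBytes(Paths.get(args[0])) : SAMPLE.getBytes("UTF-8");
        String domain = args.length > 1 ? args[1] : "elderw_domain";
        System.out.println(resolve(policies(xml), domain));
    }
}
```

Run without arguments it reports the FALLBACK case for elderw_domain, which is why the first stack trace names UsersRolesLoginModule rather than the module that was configured in auth.conf.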

          • 2. Re: problem with DatabaseServerLoginModule
            jhalmes

            Yah, I wondered about that. I noticed that the new 3.0 draft docs are now online so I read through the security section and configured login-config.xml with a correctly named domain. Could I be missing something in the CLASSPATH somehow? I am now getting this error:

            2002-09-10 11:49:14,572 DEBUG [org.jboss.security.plugins.JaasSecurityManager.elderw_domain] Login failure
            javax.security.auth.login.LoginException: unable to find LoginModule class: org.jboss.security.auth.spi.DatabaseServerLoginModule
            at javax.security.auth.login.LoginContext.invoke(LoginContext.java(Compiled Code))
            at javax.security.auth.login.LoginContext.access$000(LoginContext.java:124)
            at javax.security.auth.login.LoginContext$3.run(LoginContext.java:530)
            ...


            Here is my new login-config.xml section:

            <application-policy name = "elderw_domain">

            <login-module code = "org.jboss.security.auth.spi.DatabaseServerLoginModule" flag = "required">
            <module-option name="dsJndiName">java:/DefaultDS</module-option>
            <module-option name="principalsQuery">select...</module-option>
            <module-option name="rolesQuery">select...</module-option>
            </login-module>

            </application-policy>

            • 3. Re: problem with DatabaseServerLoginModule
              wwwhe

              _ should not be included in your LoginModule entry.
              Change elderw_domain to elderw-domain, and try.

              • 4. Re: problem with DatabaseServerLoginModule
                jhalmes

                I deleted the '_' and got the same result. But I left them out for good anyway. I did succeed in getting a Linux machine working talking to the same db.

                AIX however is still broke with the same error and an identical config. I did notice this line in the stack trace:

                "at java.security.AccessController.doPrivileged(Native Method)"

                This makes me wonder if it's not a problem in the AIX VM? So I am going to try a newer VM, but if anyone else has any ideas I'd be very appreciative.

                Thanks,
                Jasen

                • 5. Re: problem with DatabaseServerLoginModule
                  jhalmes

                  Nope, I used IBM JDK 1.3.1 and got the same exception. So why the heck does it work on Linux and not on AIX?!?!?!

                  • 6. Re: problem with DatabaseServerLoginModule
                    jhalmes

                    Ok, now I've also tried upgrading to 3.0.1_tomcat and that also gives this error:

                    2002-09-12 08:37:22,250 DEBUG [org.jboss.security.plugins.JaasSecurityManager.elderwdomain] Login failure
                    javax.security.auth.login.LoginException: unable to find LoginModule class: org.jboss.security.auth.spi.DatabaseServerLoginModule
                    at javax.security.auth.login.LoginContext.invoke(LoginContext.java(Compiled Code))
                    at javax.security.auth.login.LoginContext.access$000(LoginContext.java:124)
                    at javax.security.auth.login.LoginContext$3.run(LoginContext.java:530)
                    at java.security.AccessController.doPrivileged(Native Method)
                    at javax.security.auth.login.LoginContext.invokeModule(LoginContext.java:527)
                    at javax.security.auth.login.LoginContext.login(LoginContext.java:448)
                    at org.jboss.security.plugins.JaasSecurityManager.defaultLogin(JaasSecurityManager.java:381)

                    • 7. Re: problem with DatabaseServerLoginModule
                      tool

                      This is crazy!
                      Do you have the jbosssx.jar in the lib directory of the server? You should, since it comes standard. The only thing I can think of is to add the path to that jar to your CLASSPATH and see if that helps.
                      Hope you get it to work!
                      Brian

                      • 8. Re: problem with DatabaseServerLoginModule
                        jhalmes

                        Yah, the jar is there. I tried appending the jar to the CLASSPATH in run.sh but then jboss won't start up at all, it gets an exception about not being able to find a security MBean.

                        I am starting to think maybe that IBM's jaas implementation is boinked.

                        So just for the heck of it, I was thinking I could try the tomcat JDBCRealm, but it seems to be flat out ignored. I can configure the ../catalina/conf/server.xml file all I want and nothing seems to happen. Any ideas?

                        • 9. Re: problem with DatabaseServerLoginModule
                          jhalmes

                          Ok, here is what appears to be happening: IBM distributes their own JDK with their own AIX version of JAAS since Sun does not distribute an AIX JAAS impl. IBM has renamed the jaas classes from com.sun.* to com.ibm.*. Also, the jaas.jar that comes with the jdk is on the classpath before the jaas.jar that comes with jboss.

                          So my guess is that I am running IBM's LoginContext.class and not the jboss LoginContext.class and that must be the problem.

                          I could use some help fixing it though, this would be a useful appendix for AIX security users since they will all run into this problem.

                          If anyone has any ideas...

                          thanks,
                          Jasen

                          • 10. Re: problem with DatabaseServerLoginModule

                            Hey Jasen
                            I am having the same problem with AIX. I've been working for a couple weeks on a remedy to no avail. We are running our app on a Solaris and Windows and it works great. Put it on AIX and we get the errors that you described. Did you find a way to make it work?
                            Thanks, Jay:)

                            • 11. Re: problem with DatabaseServerLoginModule

                              I've figured out the problem and I have come up with a solution. Some of this is speculation, so don't gig me on the details, I am not a JBOSS or JAAS expert by any means. It's not a good solution, but it seems to work and is stable.

                              I believe I have read somewhere that JAAS 1.0 requires that Login Modules be in the system classpath, i.e. be accessible from the system classpath property. For some reason, when using the Sun JVM, the Snapins for JAAS (LoginModules) don't have to be in the system classpath. JBOSS does not go through the lib directory and append these to the system classpath. When debugging I went and found that the only system classpath is the one that is defined in the run.sh. Because of environmental property constraints in different operating systems (mainly Windows), they could not append everything in the system classpath. So they create a classloader that will look in certain directories for certain classes. JAAS interacts with the VM somehow. JBOSS tells JAAS about the plug-ins. It is the responsibility of the LoginContext (JAAS class) to load these Login Modules up. In AIX, the Login Modules are not in the system Classpath, so they throw an exception saying that they can't find the Login Modules. What I have done is to put the Login Modules in the System Classpath. The problem with this is that many of the jboss classes reference other classes in other jar files. I kept booting jboss and taking the classes out of the jars to put in my own jar that I specify in the system classpath at startup. I got to the point where I added a class, and the classloader expected all others to be in the system classpath and the entire jboss app server went belly up. I can't explain why this happens. So I couldn't add just the classes I need, I had to add any classes to the classpath. It became evident that I had to add most of the jar files in the lib directory.

                              Solution. Not a graceful nice solution, but it works. In your run.sh file add all of the jars to the classpath that are in your lib directory. Depending on what version you are running, these might be in your default/deploy/lib. I'm using RC3 so mine are in the Jboss/lib directory. Include all of the jars in the system classpath. The classpath ends up being really long, but aix doesn't seem to care. I then booted the machine and I got an error that the classloader couldn't find RMI_Adapter class. I had to do something strange, because the jmx-rmi-adapter.sar file that contains this class is in the deploy directory. I had to add the jmx-rmi-adapter.sar to the classpath also. So basically, if you are running 3.0.0RC3 add the following line to your run.sh file right before the code to display the environment.


                              JBOSS_CLASSPATH="$JBOSS_CLASSPATH:/usr/local/jboss-3.0.0RC3_tomcat-4.0.3/lib/activation.jar:/usr/local/jboss-3.0.0RC3_tomcat-4.0.3/lib/autonumber-plugin.jar:/usr/local/jboss-3.0.0RC3_tomcat-4.0.3/lib/axis.jar:/usr/local/jboss-3.0.0RC3_tomcat-4.0.3/lib/bcel.jar:/usr/local/jboss-3.0.0RC3_tomcat-4.0.3/lib/castor.jar:/usr/local/jboss-3.0.0RC3_tomcat-4.0.3/lib/classes12.zip:/usr/local/jboss-3.0.0RC3_tomcat-4.0.3/lib/commons-logging.jar:/usr/local/jboss-3.0.0RC3_tomcat-4.0.3/lib/concurrent.jar:/usr/local/jboss-3.0.0RC3_tomcat-4.0.3/lib/counter-plugin.jar:/usr/local/jboss-3.0.0RC3_tomcat-4.0.3/lib/crimson.jar:/usr/local/jboss-3.0.0RC3_tomcat-4.0.3/lib/getopt.jar:/usr/local/jboss-3.0.0RC3_tomcat-4.0.3/lib/gnu-regexp.jar:/usr/local/jboss-3.0.0RC3_tomcat-4.0.3/lib/hsqldb-plugin.jar:/usr/local/jboss-3.0.0RC3_tomcat-4.0.3/lib/hsqldb.jar:/usr/local/jboss-3.0.0RC3_tomcat-4.0.3/lib/jaas.jar:/usr/local/jboss-3.0.0RC3_tomcat-4.0.3/lib/jaas_lm.jar:/usr/local/jboss-3.0.0RC3_tomcat-4.0.3/lib/jacorb.jar:/usr/local/jboss-3.0.0RC3_tomcat-4.0.3/lib/javagroups-2.0.jar:/usr/local/jboss-3.0.0RC3_tomcat-4.0.3/lib/javax.servlet.jar:/usr/local/jboss-3.0.0RC3_tomcat-4.0.3/lib/javaxcomm.jar:/usr/local/jboss-3.0.0RC3_tomcat-4.0.3/lib/jaxp.jar:/usr/local/jboss-3.0.0RC3_tomcat-4.0.3/lib/jboss-boot.jar:/usr/local/jboss-3.0.0RC3_tomcat-4.0.3/lib/jboss-common.jar:/usr/local/jboss-3.0.0RC3_tomcat-4.0.3/lib/jboss-iiop.jar:/usr/local/jboss-3.0.0RC3_tomcat-4.0.3/lib/jboss-j2ee.jar:/usr/local/jboss-3.0.0RC3_tomcat-4.0.3/lib/jboss-jca.jar:/usr/local/jboss-3.0.0RC3_tomcat-4.0.3/lib/jboss-jmx.jar:/usr/local/jboss-3.0.0RC3_tomcat-4.0.3/lib/jboss-jsr77.jar:/usr/local/jboss-3.0.0RC3_tomcat-4.0.3/lib/jboss-management.jar:/usr/local/jboss-3.0.0RC3_tomcat-4.0.3/lib/jboss-system.jar:/usr/local/jboss-3.0.0RC3_tomcat-4.0.3/lib/jboss.jar:/usr/local/jboss-3.0.0RC3_tomcat-4.0.3/lib/jbossha.jar:/usr/local/jboss-3.0.0RC3_tomcat-4.0.3/lib/jbossmq.jar:/usr/local/jboss-3.0.0RC3_tomcat-4.0.3/lib/jbossmqha.jar:/usr/local/jboss-3.0.0RC3_tomcat-4.0.3/lib/jbossmx.jar:/usr/local/jboss-3.0.0RC3_tomcat-4.0.3/lib/jbosssx.jar:/usr/local/jboss-3.0.0RC3_tomcat-4.0.3/lib/jcert.jar:/usr/local/jboss-3.0.0RC3_tomcat-4.0.3/lib/jmxri.jar:/usr/local/jboss-3.0.0RC3_tomcat-4.0.3/lib/jmxtools.jar:/usr/local/jboss-3.0.0RC3_tomcat-4.0.3/lib/jndi.jar:/usr/local/jboss-3.0.0RC3_tomcat-4.0.3/lib/jnet.jar:/usr/local/jboss-3.0.0RC3_tomcat-4.0.3/lib/jnpserver.jar:/usr/local/jboss-3.0.0RC3_tomcat-4.0.3/lib/jpl-pattern.jar:/usr/local/jboss-3.0.0RC3_tomcat-4.0.3/lib/jpl-util.jar:/usr/local/jboss-3.0.0RC3_tomcat-4.0.3/lib/jsse.jar:/usr/local/jboss-3.0.0RC3_tomcat-4.0.3/lib/jts.jar:/usr/local/jboss-3.0.0RC3_tomcat-4.0.3/lib/log4j.jar:/usr/local/jboss-3.0.0RC3_tomcat-4.0.3/lib/mail-plugin.jar:/usr/local/jboss-3.0.0RC3_tomcat-4.0.3/lib/mail.jar:/usr/local/jboss-3.0.0RC3_tomcat-4.0.3/lib/org.apache.jasper.jar:/usr/local/jboss-3.0.0RC3_tomcat-4.0.3/lib/properties-plugin.jar:/usr/local/jboss-3.0.0RC3_tomcat-4.0.3/lib/scheduler-plugin-example.jar:/usr/local/jboss-3.0.0RC3_tomcat-4.0.3/lib/scheduler-plugin.jar:/usr/local/jboss-3.0.0RC3_tomcat-4.0.3/lib/tt-bytecode.jar:/usr/local/jboss-3.0.0RC3_tomcat-4.0.3/lib/tyrex.jar:/usr/local/jboss-3.0.0RC3_tomcat-4.0.3/lib/wsdl4j.jar:/usr/local/jboss-3.0.0RC3_tomcat-4.0.3/lib/xalan.jar:/usr/local/jboss-3.0.0RC3_tomcat-4.0.3/server/default/deploy/jmx-rmi-adaptor.sar"

                              # Display our environment
                              echo "================================================================================"
                              echo ""
                              echo " JBoss Bootstrap Environment"
                              echo ""
                              echo " JBOSS_HOME: $JBOSS_HOME"


                              This looks awful, but it is the only way that I've seen to combat this problem. Now I do get errors. Because the .sar file is in the classpath and in the deploy directory, it tries to load twice and you do get exceptions, but the exceptions really don't hurt anything, they just say that we are trying to load some services more than once. I could probably take the .sar file out of the deployment directory and it wouldn't load twice, but I didn't want to add or subtract anything from the deployment directory. I don't mind adding entries to the classpath, but I didn't want to change the config that much by moving any files around. If I did, then I couldn't be sure that it was as stable as my regular build.

                              The really weird piece to this is that you don't really see the true error (Classdefnotfound error) unless you turn the trace log on for jboss.org.security. This is how I found what the problem really was.

                              I hope this helps the 3 or 4 users that I've seen with this problem.
                              Jay:)
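A way to test the two explanations offered in replies 9 and 11, as an added example that is not code from the thread or from JBoss: it reports where LoginContext was loaded from and whether a login module class is visible to the system class loader and to the thread context class loader. The class name LoginModuleVisibility is hypothetical, and calling report() from a servlet or JSP deployed in the server, so that the context class loader is the server's, is an assumption about how it would be used.

```java
import java.security.CodeSource;
import javax.security.auth.login.LoginContext;

public class LoginModuleVisibility {
    /** Jar or directory a class was loaded from; no CodeSource means the JDK runtime itself. */
    static String origin(Class<?> c) {
        CodeSource cs = c.getProtectionDomain().getCodeSource();
        return (cs == null || cs.getLocation() == null)
                ? "JDK runtime (bootstrap)" : cs.getLocation().toString();
    }

    /** Tries to load className through one specific loader, without initializing the class. */
    static String probe(String label, String className, ClassLoader loader) {
        if (loader == null) return label + ": no loader set";
        try {
            Class<?> c = Class.forName(className, false, loader);
            return label + ": visible, loaded from " + origin(c);
        } catch (ClassNotFoundException e) {
            return label + ": NOT visible (" + e + ")";
        } catch (LinkageError e) {
            // Includes NoClassDefFoundError: the class file was found, but a
            // superclass or interface it needs is not reachable from this loader.
            return label + ": found, but a dependency is missing (" + e + ")";
        }
    }

    /** One line per fact needed to compare a working host with a failing one. */
    static String report(String moduleClass) {
        String nl = System.getProperty("line.separator");
        StringBuilder sb = new StringBuilder();
        sb.append("java.vendor / java.version: ")
          .append(System.getProperty("java.vendor")).append(" / ")
          .append(System.getProperty("java.version")).append(nl);
        sb.append("LoginContext loaded from: ").append(origin(LoginContext.class)).append(nl);
        sb.append("java.class.path: ").append(System.getProperty("java.class.path")).append(nl);
        sb.append(probe("system class loader", moduleClass,
                        ClassLoader.getSystemClassLoader())).append(nl);
        sb.append(probe("thread context class loader", moduleClass,
                        Thread.currentThread().getContextClassLoader())).append(nl);
        return sb.toString();
    }

    public static void main(String[] args) {
        // Default is the module named in the thread's stack traces.
        String module = args.length > 0 ? args[0]
                : "org.jboss.security.auth.spi.DatabaseServerLoginModule";
        System.out.print(report(module));
    }
}
```

Run stand-alone, both loaders are the same and the report only shows what the system classpath contains. Called from code deployed in the server, a module that is visible to the context class loader but not to the system class loader is the situation reply 11 describes.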