JBoss and JAAS - a nightmare & time waster !
tentacle Oct 21, 2002 4:35 AM
Hi
We have been struggling with JBoss and JAAS for 2 weeks now, with no success. It is incredibly frustrating and stressful.
We are trying to convert an existing web application from Weblogic 6.x to JBoss 3.0.3.
We are having problems configuring the security. We are ultimately wanting to use DatabaseServerLoginModule.
Problem No. 1
When we set up JBoss to use JAAS and DatabaseServerLoginModule (Sybase), and then try to deploy, the deployment fails on every bean with principal=null message. Then when we try to login from a jsp using j_security_check the same message occurs - principal=null. Here are the xml files.
login-config.xml
<?xml version='1.0'?>
<!DOCTYPE policy PUBLIC
"-//JBoss//DTD JBOSS Security Config 3.0//EN"
"http://www.jboss.org/j2ee/dtd/security_config.dtd">
<application-policy name = "client-login">
<login-module code = "org.jboss.security.ClientLoginModule"
flag = "required">
</login-module>
</application-policy>
<application-policy name = "jbossmq">
<login-module code = "org.jboss.mq.sm.file.DynamicLoginModule"
flag = "required">
<module-option name = "unauthenticatedIdentity">guest</module-option>
<module-option name = "sm.objectname">jboss.mq:service=StateManager</module-option>
</login-module>
</application-policy>
<application-policy name = "HsqlDbRealm">
<login-module code = "org.jboss.resource.security.ConfiguredIdentityLoginModule"
flag = "required">
<module-option name = "principal">sa</module-option>
<module-option name = "userName">sa</module-option>
<module-option name = "password"></module-option>
<module-option name = "managedConnectionFactoryName">jboss.jca:service=LocalTxCM,name=hsqldbDS</module-option>
</login-module>
</application-policy>
<application-policy name = "FirebirdDBRealm">
<login-module code = "org.jboss.resource.security.ConfiguredIdentityLoginModule"
flag = "required">
<module-option name = "principal">sysdba</module-option>
<module-option name = "userName">sysdba</module-option>
<module-option name = "password">masterkey</module-option>
<module-option name = "managedConnectionFactoryName">jboss.jca:service=XaTxCM,name=FirebirdDS</module-option>
</login-module>
</application-policy>
<application-policy name = "JmsXARealm">
<login-module code = "org.jboss.resource.security.ConfiguredIdentityLoginModule"
flag = "required">
<module-option name = "principal">guest</module-option>
<module-option name = "userName">guest</module-option>
<module-option name = "password">guest</module-option>
<module-option name = "managedConnectionFactoryName">jboss.jca:service=XaTxCM,name=jmsra</module-option>
</login-module>
</application-policy>
<application-policy name = "jmx-console">
<login-module code="org.jboss.security.auth.spi.UsersRolesLoginModule"
flag = "required" />
</application-policy>
<application-policy name = "SybaseRealm">
<login-module code = "org.jboss.security.auth.spi.DatabaseServerLoginModule" flag = "required">
<module-option name="dsJndiName">java:/jdbc/ProofDS</module-option>
<module-option name="principalsQuery">select Password from Principals where PrincipalID=?</module-option>
<module-option name="rolesQuery">select RoleName, RoleGroup from Roles where PrincipalID=?</module-option>
</login-module>
</application-policy>
<application-policy name = "other">
<login-module code = "org.jboss.security.auth.spi.UsersRolesLoginModule"
flag = "required" />
</application-policy>
sybase-service.xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- ===================================================================== -->
<!-- -->
<!-- JBoss Server Configuration -->
<!-- -->
<!-- ===================================================================== -->
<!-- ======================================================================-->
<!-- New ConnectionManager setup for Sybase ASE/ASA jConnect driver -->
<!-- Thanks to Marc Zampetti <zampetti@aol.net> -->
<!-- Build jmx-api (build/build.sh all) and view for config documentation -->
<!-- ===================================================================== -->
<application-policy name = "SybaseRealm">
<login-module code = "org.jboss.security.auth.spi.DatabaseServerLoginModule" flag = "required">
<module-option name="dsJndiName">java:/jdbc/ProofDS</module-option>
<module-option name="principalsQuery">select Password from Principals where PrincipalID=?</module-option>
<module-option name="rolesQuery">select RoleName, RoleGroup from Roles where PrincipalID=?</module-option>
</login-module>
</application-policy>
SybaseRealm
<depends optional-attribute-name="ManagedConnectionFactoryName">
<!--embedded mbean-->
jdbc/ProofDS
<config-property name="ConnectionURL" type="java.lang.String">jdbc:sybase:Tds:DBMS52:5000/Proof?JCONNECT_VERSION=6</config-property>
<config-property name="DriverClass" type="java.lang.String">com.sybase.jdbc2.jdbc.SybDriver</config-property>
<config-property name="UserName" type="java.lang.String">proof</config-property>
<config-property name="Password" type="java.lang.String">password1</config-property>
<!--Below here are advanced properties -->
<!--hack-->
<depends optional-attribute-name="OldRarDeployment">jboss.jca:service=RARDeployment,name=JBoss LocalTransaction JDBC Wrapper
<depends optional-attribute-name="ManagedConnectionPool">
<!--embedded mbean-->
0
10
5000
15
ByContainer
<depends optional-attribute-name="CachedConnectionManager">jboss.jca:service=CachedConnectionManager
<depends optional-attribute-name="JaasSecurityManagerService">jboss.security:service=JaasSecurityManager
java:/TransactionManager
<!--make the rar deploy! hack till better deployment-->
jboss.jca:service=RARDeployer
What are we doing wrong?
Problem No. 2
After not getting DatabaseServerLoginModule, we tried the 'simple' UsersRolesLoginModule. With this, our deployment works, and we can successfully login via j_security_check and go to our first jsp - after that when we try to access subsequent jsp's, we get security exceptions - principal = null and password = null. How do the credentials get "passed on" or cached? What are we doing wrong?
Any help would be greatly appreciated - we have gone through all documentation and most of the posts on the forums without success.
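The contract that the SybaseRealm queries in the post have to satisfy, as an added example that is not part of the original post and is not JBoss code: a Python/sqlite3 simulation in which principalsQuery returns the stored password for the user name and rolesQuery returns (role, group) rows, with the `Roles` group supplying the roles used for permission checks. The `<policy>` wrapper element, the sample rows and the function names are assumptions made for the example.

```python
import hmac
import sqlite3
import xml.etree.ElementTree as ET

# The SybaseRealm policy from the post, wrapped in a <policy> root (assumed).
LOGIN_CONFIG = """
<policy>
  <application-policy name="SybaseRealm">
    <login-module code="org.jboss.security.auth.spi.DatabaseServerLoginModule" flag="required">
      <module-option name="dsJndiName">java:/jdbc/ProofDS</module-option>
      <module-option name="principalsQuery">select Password from Principals where PrincipalID=?</module-option>
      <module-option name="rolesQuery">select RoleName, RoleGroup from Roles where PrincipalID=?</module-option>
    </login-module>
  </application-policy>
</policy>
"""

def module_options(config_xml, domain):
    """Return {option name: value} for the first login module of a security domain."""
    for policy in ET.fromstring(config_xml).iter("application-policy"):
        if policy.get("name") == domain:
            module = policy.find("login-module")
            return {o.get("name"): (o.text or "").strip() for o in module.iter("module-option")}
    raise KeyError(domain)

def sample_db():
    """Constructed sample data; table and column names follow the post's queries."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        create table Principals (PrincipalID text primary key, Password text);
        create table Roles (PrincipalID text, RoleName text, RoleGroup text);
        insert into Principals values ('alice', 'secret');
        insert into Roles values ('alice', 'Admin', 'Roles');
        insert into Roles values ('alice', 'alice-caller', 'CallerPrincipal');
    """)
    return db

def login(db, opts, username, password):
    """Return the caller's 'Roles' group as a set, or None if authentication fails."""
    row = db.execute(opts["principalsQuery"], (username,)).fetchone()
    if row is None or not hmac.compare_digest(row[0].encode(), password.encode()):
        return None  # unknown user or wrong password
    rows = db.execute(opts["rolesQuery"], (username,)).fetchall()
    # Only rows whose group column is exactly 'Roles' count as permission roles.
    return {name for name, group in rows if group == "Roles"}
```

Running the configured queries by hand against the real Principals and Roles tables for a known user is a quick way to confirm they return rows in this shape.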