7 Replies Latest reply on Feb 7, 2003 11:25 AM by aweissman

    Inconsistency between JAAS in Web and EJB tiers

    aweissman

I have successfully set up JAAS with my LDAP server and have enforced authorization on EJBs. I went to set up form-based security with the same security provider and ran into a strange issue: after logging in through the form, my users authenticate correctly, but somehow isUserInRole() is returning false even though I'm requiring the same role as I did for the EJBs, and it's using the exact same security provider. Has anyone else run into this, or have any ideas on how to debug this issue? It would be helpful if I could make debug print out all the roles that a user IS in...

      Thanks,
      Alan

      14:19:33,382 DEBUG [JBossUserRealm#java:jaas/SunOneDirectory] authenticating: Name:alanw Password:****
      14:19:33,414 DEBUG [JBossUserRealm#java:jaas/SunOneDirectory] authenticated: alanw
      14:19:33,414 DEBUG [JBossUserRealm#java:jaas/SunOneDirectory] setting JAAS subjectAttributeName(j_subject) : Subject:
      Principal: alanw
      Principal: Roles

      14:19:33,445 DEBUG [JBossUserRealm#java:jaas/SunOneDirectory] authenticating: Name:alanw Password:****
      14:19:33,445 DEBUG [JBossUserRealm#java:jaas/SunOneDirectory] authenticated: alanw
      14:19:33,445 DEBUG [JBossUserRealm#java:jaas/SunOneDirectory] JBossUserPrincipal: alanw is NOT in Role: Developer
      14:19:33,460 WARN [jbossweb] WARNING: AUTH FAILURE: role for alanw
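The original poster asks for a way to print every role the authenticated user actually holds. The servlet below is an added example, not code from the thread or from JBoss: it reports the caller principal, the result of isUserInRole() for the roles declared in web.xml, and every member of the JAAS "Roles" group that the login module placed into the Subject. It assumes JBoss 3.x, where the web container exposes the current Subject through org.jboss.security.SecurityAssociation; the role list is a hypothetical constant that mirrors the Developer role in the posted web.xml. Because the posted constraint protects /* with the Developer role, the servlet has to be mapped outside that constraint (or the constraint temporarily relaxed) to be reachable while debugging, and it should be removed afterwards since it discloses authorization data.

```java
import java.io.IOException;
import java.io.PrintWriter;
import java.security.Principal;
import java.security.acl.Group;
import java.util.Enumeration;
import java.util.Iterator;
import java.util.Set;

import javax.security.auth.Subject;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

import org.jboss.security.SecurityAssociation;

/**
 * Debug servlet (added example): dumps the caller principal, isUserInRole()
 * for the declared roles, and the members of the JAAS "Roles" group.
 *
 * Assumption: JBoss 3.x, which stores the authenticated Subject in
 * SecurityAssociation for the duration of the request.
 * Remove this servlet once debugging is finished; it reveals authorization data.
 */
public class RoleDumpServlet extends HttpServlet {

    // Roles listed under <security-role> in web.xml; hypothetical list for this example.
    private static final String[] DECLARED_ROLES = { "Developer" };

    protected void doGet(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        resp.setContentType("text/plain");
        PrintWriter out = resp.getWriter();

        // Identity the web container attached to the request after form login.
        Principal caller = req.getUserPrincipal();
        out.println("caller principal: " + (caller == null ? "<none>" : caller.getName()));

        // What the servlet API answers for each role web.xml declares.
        for (int i = 0; i < DECLARED_ROLES.length; i++) {
            out.println("isUserInRole(" + DECLARED_ROLES[i] + ") = "
                    + req.isUserInRole(DECLARED_ROLES[i]));
        }

        // The JAAS Subject built by the login module for this thread.
        Subject subject = SecurityAssociation.getSubject();
        if (subject == null) {
            out.println("no JAAS Subject associated with this thread");
            return;
        }

        // JBoss login modules put role principals into a Group named "Roles";
        // an empty listing here means the login module assigned no roles at all.
        Set groups = subject.getPrincipals(Group.class);
        for (Iterator it = groups.iterator(); it.hasNext();) {
            Group g = (Group) it.next();
            out.println("group " + g.getName() + ":");
            for (Enumeration e = g.members(); e.hasMoreElements();) {
                Principal member = (Principal) e.nextElement();
                out.println("  " + member.getName());
            }
        }
    }
}
```

Map the servlet in web.xml to a URL that the security constraint does not cover (or temporarily allow the constraint through) and request it after logging in. Comparing the "Roles" group contents with the isUserInRole() line shows whether the login module never produced the role or whether the web tier is checking against a different security domain than the EJB tier.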

        • 1. Re: Inconsistency between JAAS in Web and EJB tiers

          Did you declare the role in the web.xml?

          • 2. Re: Inconsistency between JAAS in Web and EJB tiers
            aweissman

            Thanks Peter for getting back to me. Here's my web.xml:

            <!DOCTYPE web-app PUBLIC
            "-//Sun Microsystems, Inc.//DTD Web Application 2.3//EN"
            "http://java.sun.com/dtd/web-app_2_3.dtd">

            <web-app>

            <!-- the entire site is secure (/* = everything) -->
            <security-constraint>

            <web-resource-collection>
            <web-resource-name>secure</web-resource-name>
            <url-pattern>/*</url-pattern>
            <http-method>DELETE</http-method>
            <http-method>GET</http-method>
            <http-method>POST</http-method>
            <http-method>PUT</http-method>
            </web-resource-collection>

            <!-- only users belonging to the "Developer" group may access the site -->
            <auth-constraint>
            <role-name>Developer</role-name>
            </auth-constraint>

            </security-constraint>

            <!-- tell the app server which authentication to use and where to
            find the login page -->

            <login-config>

            <!-- use this for form based authentication -->
            <auth-method>FORM</auth-method>
            <realm-name>java:jaas/SunOneDirectory</realm-name>

            <form-login-config>
            <form-login-page>/login/loginpage.jsp</form-login-page>
            <form-error-page>/login/loginerror.jsp</form-error-page>
            </form-login-config>

            <!-- end form based authentication -->
            </login-config>

            <!-- list the possible security roles -->
            <security-role>
            <role-name>Developer</role-name>
            </security-role>

            </web-app>

            • 3. Re: Inconsistency between JAAS in Web and EJB tiers

              Looks perfectly well to me....

              • 4. Re: Inconsistency between JAAS in Web and EJB tiers
                aweissman

Think this could be a bug?
I'm not the only one running into this, and it's not just with LDAP; it's with databases too...

                • 5. Re: Inconsistency between JAAS in Web and EJB tiers

> Think this could be a bug?
> I'm not the only one running into this, and it's not
> just with LDAP; it's with databases too...

                  I just wrote a test myself, and it works fine here. I can secure part of the web resources for one role, and request.isUserInRole("developer") returns true.

                  I'm afraid you are still having something else wrong.
                  I noticed your realm name is something like java:/jaas etc.
                  You do know you must specify the security domain in a jboss-web.xml file in the war, right?

                  Peter
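Peter's point about the security domain is the one the posted web.xml does not cover: the <realm-name> in <login-config> is only a descriptive string as far as the servlet specification is concerned and does not select a JBoss security domain. The WAR needs a WEB-INF/jboss-web.xml naming the domain; the JNDI form is java:/jaas/<application-policy-name>. The descriptor below is an added example, not a file from the thread; it assumes the application-policy in login-config.xml is called SunOneDirectory, matching the name in the original poster's log output.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- WEB-INF/jboss-web.xml (added example): the JBoss-specific companion to
     web.xml. The web container applies this domain's login modules both for
     authentication and for the role lookup behind isUserInRole().
     Assumption: login-config.xml defines <application-policy name="SunOneDirectory">,
     so the domain is bound at java:/jaas/SunOneDirectory (note the slash after "java:"). -->
<jboss-web>
    <security-domain>java:/jaas/SunOneDirectory</security-domain>
</jboss-web>
```

The EJB tier makes the same binding through <security-domain> in jboss.xml; if the two descriptors name different domains, the same user can be authorized on EJB methods and still fail the web-tier role check.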

                  • 6. Re: Inconsistency between JAAS in Web and EJB tiers

I forgot to mention that I tested against UsersRolesLoginModule. Maybe it's an idea for you to try this one also (at least, it could help me help you ;-))

                    Cheers,
                    Peter

                    • 7. Re: Inconsistency between JAAS in Web and EJB tiers
                      aweissman

                      Thanks Peter.

                      I got through all of my issues yesterday and today. The documentation on how to setup your directory to utilize the LDAPLoginModule is incorrect. It took going through the server code and debugging the LDAPLoginModule itself, but I got it :)

                      Now I have authentication and authorization on both EJB methods and the web.