3 Replies Latest reply on Apr 9, 2003 4:12 AM by petertje

EXTREMELY URGENT: JBoss JAAS/Container Security issue

mickknutson Apr 3, 2003 2:53 AM

I have been fighting with the JBoss DatabaseServerLoginModule for almost 2 months now without success.
I have tried an infinite number of combinations to try to get to a _SIMPLE_ solution as outlined by the JBoss manual, the JAAS article in JavaWorld, and hundreds of documents and examples from all over the internet.

Well, I just don't have anymore time to waste as my deadline is now 48 hours away!
I desperately need help:

1. Find someone to offer some help to resolve this by Friday.
2. Direct me somewhere to find the help I need
3. Tell who would be willing to have me hire them for the help I need.

Here is my current situation:
I am using JBoss 3.0.6 with Catalina on NT 4.0, MySql, XDoclet 1.2, Struts 1.1rc1, JDK 1.4.
I create a beans.jar, common.jar, app.war and package everything into app.ear. The only things that are not in my EAR are the mysql-service.xml, auth.conf, login-config.xml, and server.policy which reside in the $JBOSS_HOME\server\default\conf and the $JBOSS_HOME\server\default\deploy directories.
I also attached all the above file in a zip file here in this message.

I have the DatabaseServerLoginModule configured and it seems to be operating, but not correctly.
When I try to access a page under /private/* I get forwarded to /logon.jsp correctly.

My MySql Database has 2 tables:
TABLE_USER: columns: username, password
TABLE_USER_ROLES: columns: username, user_roles, user_group

TABLE_USER: data: "mick", "mickPassword"
TABLE_USER_ROLES: data1: "mick", "user", "user"
TABLE_USER_ROLES: data2: "mick", "admin", "admin"

I then type in j_username: "mick", j_password: "mickPassword" and click ENTER.
I seem to be logged in successfully as the console shows that I have 3 Principals: "mick", "user", "admin" and when I attempt to navigate to pages in the private area that do not require EJB access, I continue to see that my Principal is kept successfully through each page. So I do _not_ currently have the Principal=null issue.
I do however have a UserPreferenceFilter that I check if the user is in role "user", "admin", or "guest" and all 3 come up as "NO".

Also, when I attempt to access a page that goes to my EJB layer, I get a Security violation error that states user must belong to [] role. But I have added a "run-as = InternalUser" for all my EJB's so far. But that does not seem to work. When I remove the "run-as=InternalUser", I get a Security Violation that states the user must belong to the role I specified.

So it seems that my main 2 issues are getting the Roles to stick to the user when they login, and the EJB's to be able to use the user Roles, or the "run-as=InternalUser"

-------------------------
Thank You
Mick Knutson
-------------------------

1. Re: EXTREMELY URGENT: JBoss JAAS/Container Security issue

mickknutson Apr 3, 2003 2:54 AM (in response to mickknutson)

Here is my zip file...
Actions
2. Re: EXTREMELY URGENT: JBoss JAAS/Container Security issue

cobraflow Apr 3, 2003 2:10 PM (in response to mickknutson)

...what I would do...

1) comment out the 'other' domain
2) comment out the 'MySqlDbRealm'
3) rename 'yoursos-realm' to 'other'

This will give you one problem to solve!

Your rolesQuery should return the role that the principal has and the word 'Roles' as the role_group.

In your case user_roles should be the role name that your user has and user_group should be the text 'Roles' (for all rows!)

It looks as though your user is being authenticated correctly (the principalQuery is working) but the principal has no roles...

Regards

Lewis
Actions
3. Re: EXTREMELY URGENT: JBoss JAAS/Container Security issue

petertje Apr 9, 2003 4:12 AM (in response to mickknutson)

The data in the TABLE_USER_ROLES should read:

data1: "mick", "user", "Roles"
data2: "mick", "admin", "Roles"

Alternatively, as pointed out in the jboss QuickStartGuide, page 72, use an sql query like:
select userRoles, 'Roles' from UserRoles where username = ?

Peter.
Actions

Go to original post