2 Replies Latest reply on Apr 14, 2003 7:00 PM by stevecoh1

JASS/JBoss not performing as expected

stevecoh1 Apr 14, 2003 5:52 PM

I have the following scenario: I have a login module based on the database which is based on must-change-password on first login semantics. The user when first created is given a default password which is only good for the first login.

There are two webapps on the same server. Each uses this same scheme.

To best explain this, I am going to put intervening comments inside a log file fragment. My comments are preceded with two dashes.

--package newly deployed.
2003-04-14 16:26:03,932 DEBUG [org.jboss.deployment.MainDeployer] End deployment start on package: jboss-service.xml
2003-04-14 16:26:03,933 INFO [org.jboss.deployment.MainDeployer] Deployed package: file:/usr/local/jboss-3.0.6-src/build/output/jboss-3.0.6/server/default/conf/jboss-service.xml
2003-04-14 16:26:03,940 INFO [org.jboss.system.server.Server] JBoss (MX MicroKernel) [3.0.6 (CVSTag=JBoss_3_0_6 Date=200303071139)] Started in 1m:20s:415ms

--first login attempt by user stevec2
2003-04-14 16:26:35,208 DEBUG [org.jboss.jetty.security.JBossUserRealm#my-realm] JBossUserPrincipal: stevec2
2003-04-14 16:26:35,222 DEBUG [org.jboss.jetty.security.JBossUserRealm#my-realm] created JBossUserRealm::JBossUserPrincipal: stevec2
2003-04-14 16:26:35,238 DEBUG [org.jboss.jetty.security.JBossUserRealm#my-realm] authenticating: Name:stevec2 Password:****

--my login module's getUsersPassword() called
2003-04-14 16:26:35,518 DEBUG [com.ignitemedia.security.jboss.ISMLoginModule] getUsersPassword()

--database consulted
2003-04-14 16:26:35,619 DEBUG [org.jboss.resource.connectionmanager.IdleRemover] internalRegisterPool: registering pool with interval 900000 old interval: 9223372036854775807
2003-04-14 16:26:35,621 DEBUG [org.jboss.resource.connectionmanager.IdleRemover] internalRegisterPool: about to notify thread: old next: 1050356045621, new next: 1050356045621
2003-04-14 16:26:35,623 DEBUG [org.jboss.resource.connectionmanager.IdleRemover] run: IdleRemover notifying pools, interval: 450000
2003-04-14 16:26:35,641 DEBUG [org.jboss.resource.adapter.jdbc.local.LocalManagedConnectionFactory] Using properties: {user=webdev, password=w3bd3v}
2003-04-14 16:26:35,643 DEBUG [org.jboss.resource.adapter.jdbc.local.LocalManagedConnectionFactory] Checking driver for URL: jdbc:informix-sqli://10.4.18.163:8901/sport:INFORMIXSERVER=sqlsport0_tli
2003-04-14 16:26:35,651 DEBUG [org.jboss.resource.adapter.jdbc.local.LocalManagedConnectionFactory] Driver not yet registered for url: jdbc:informix-sqli://10.4.18.163:8901/sport:INFORMIXSERVER=sqlsport0_tli
2003-04-14 16:26:35,669 DEBUG [org.jboss.resource.adapter.jdbc.local.LocalManagedConnectionFactory] Driver not yet registered for url: jdbc:informix-sqli://10.4.18.163:8901/sport:INFORMIXSERVER=sqlsport0_tli
2003-04-14 16:26:35,693 DEBUG [org.jboss.resource.adapter.jdbc.local.LocalManagedConnectionFactory] Driver already registered for url: jdbc:informix-sqli://10.4.18.163:8901/sport:INFORMIXSERVER=sqlsport0_tli

--my login module's getUsersPassword() returns
2003-04-14 16:26:37,200 DEBUG [com.ignitemedia.security.jboss.ISMLoginModule] getUsersPassword() returning.

--my login module's getRoleSets() called
2003-04-14 16:26:37,255 DEBUG [com.ignitemedia.security.jboss.ISMLoginModule] getRoleSets()

--ANY TIME a role is added to the role set, a log message like this will be emitted by the login module. This is the only role added this time through, since this user must change his password before continuing.
2003-04-14 16:26:37,265 DEBUG [com.ignitemedia.security.jboss.ISMLoginModule] Adding role axp.gen.chgpswd for user stevec2 to role set.
2003-04-14 16:26:37,347 DEBUG [com.ignitemedia.security.jboss.ISMLoginModule] ISMLoginModule.getRoleSets() - User must change password.

--getRoleSets() returns
2003-04-14 16:26:37,354 DEBUG [com.ignitemedia.security.jboss.ISMLoginModule] getRoleSets() returning.
2003-04-14 16:26:37,425 DEBUG [org.jboss.jetty.security.JBossUserRealm#my-realm] authenticated: stevec2
2003-04-14 16:26:37,428 DEBUG [org.jboss.jetty.security.JBossUserRealm#my-realm] setting JAAS subjectAttributeName(j_subject) : Subject(Principals{stevec2,Roles}PublicCredentials{}PrivateCredentials{count=0})
2003-04-14 16:26:37,440 DEBUG [org.jboss.jetty.security.JBossUserRealm#my-realm] authenticating: Name:stevec2 Password:****
2003-04-14 16:26:37,442 DEBUG [org.jboss.jetty.security.JBossUserRealm#my-realm] authenticated: stevec2

--correct role report returned by system.
2003-04-14 16:26:37,449 DEBUG [org.jboss.jetty.security.JBossUserRealm#my-realm] JBossUserPrincipal: stevec2 is in Role: axp.gen.chgpswd
2003-04-14 16:26:37,454 INFO [org.jboss.jbossweb] action: Processing a GET for /login/check-password
2003-04-14 16:26:37,460 INFO [org.jboss.jbossweb] action: Setting locale 'en_US'
2003-04-14 16:26:37,465 INFO [org.jboss.jbossweb] action: Looking for Action instance for class com.ignitemedia.access.panel.CheckChangePasswordAction
2003-04-14 16:26:37,469 INFO [org.jboss.jbossweb] action: Double checking for Action instance already there
2003-04-14 16:26:37,473 INFO [org.jboss.jbossweb] action: Creating new Action instance

--here a struts forwarding mechanism is employed. If the user only has the axp.gen.chgpswd role, a change password screen is rendered. If axp.gen.user is in the role set, then the main front page of the application is displayed.
2003-04-14 16:26:37,537 DEBUG [com.ignitemedia.access.panel.CheckChangePasswordAction] CheckChangePasswordAction() - user stevec2
2003-04-14 16:26:37,549 DEBUG [org.jboss.jetty.security.JBossUserRealm#my-realm] JBossUserPrincipal: stevec2 is NOT in Role: axp.gen.user
2003-04-14 16:26:37,551 DEBUG [org.jboss.jetty.security.JBossUserRealm#my-realm] JBossUserPrincipal: stevec2 is in Role: axp.gen.chgpswd
2003-04-14 16:26:37,553 DEBUG [com.ignitemedia.access.panel.CheckChangePasswordAction] user must change password.
2003-04-14 16:26:37,566 INFO [org.jboss.jbossweb] action: Processing a GET for /login/must-change-password
2003-04-14 16:26:37,572 INFO [org.jboss.jbossweb] action: Looking for ActionForm bean under attribute 'changePasswordForm'
2003-04-14 16:26:37,576 INFO [org.jboss.jbossweb] action: Creating new ActionForm instance of class 'com.ignitemedia.access.panel.ChangePasswordForm'
2003-04-14 16:26:37,846 INFO [org.jboss.jbossweb] action: Storing instance under attribute 'changePasswordForm' in scope 'request'
2003-04-14 16:26:37,851 INFO [org.jboss.jbossweb] action: Populating bean properties from this request
2003-04-14 16:26:37,852 DEBUG [com.ignitemedia.access.panel.ChangePasswordForm] reset()
2003-04-14 16:26:37,936 INFO [org.jboss.jbossweb] action: Validating input form properties
2003-04-14 16:26:37,941 INFO [org.jboss.jbossweb] action: Looking for Action instance for class com.ignitemedia.access.panel.ChangePasswordAction
2003-04-14 16:26:37,946 INFO [org.jboss.jbossweb] action: Double checking for Action instance already there
2003-04-14 16:26:37,950 INFO [org.jboss.jbossweb] action: Creating new Action instance

--and now the change password page is displayed.
2003-04-14 16:26:37,993 DEBUG [com.ignitemedia.access.panel.ChangePasswordAction] ChangePasswordAction via: /login/must-change-password
2003-04-14 16:26:38,102 DEBUG [com.ignitemedia.access.panel.ChangePasswordAction] userPrincipal from request:stevec2

--instead of making any input on the change password page, instead the user now attempts via browser to log into other application run on this server.
2003-04-14 16:27:03,654 DEBUG [org.jboss.jetty.security.JBossUserRealm#my-realm] JBossUserPrincipal: stevec2
2003-04-14 16:27:03,654 DEBUG [org.jboss.jetty.security.JBossUserRealm#my-realm] created JBossUserRealm::JBossUserPrincipal: stevec2
2003-04-14 16:27:03,655 DEBUG [org.jboss.jetty.security.JBossUserRealm#my-realm] authenticating: Name:stevec2 Password:****

--since stevec2 is already recognized, no need to check password. That's okay.
2003-04-14 16:27:03,655 DEBUG [org.jboss.jetty.security.JBossUserRealm#my-realm] authenticated: stevec2
2003-04-14 16:27:03,655 DEBUG [org.jboss.jetty.security.JBossUserRealm#my-realm] setting JAAS subjectAttributeName(j_subject) : null
2003-04-14 16:27:03,664 DEBUG [org.jboss.jetty.security.JBossUserRealm#my-realm] authenticating: Name:stevec2 Password:****
2003-04-14 16:27:03,665 DEBUG [org.jboss.jetty.security.JBossUserRealm#my-realm] authenticated: stevec2

--this application requires a different role. This role has never been added to any role set, but the system thinks it has. Why? This is the problem.
2003-04-14 16:27:03,665 DEBUG [org.jboss.jetty.security.JBossUserRealm#my-realm] JBossUserPrincipal: stevec2 is in Role: axpa.gen.user

1. Re: JASS/JBoss not performing as expected

stevecoh1 Apr 14, 2003 5:55 PM (in response to stevecoh1)

To sum up the previous post, it appears that once a user is authenticated for any role, a subsequent to log in considers that he is authenticated for every role, including one that was not previously added to his role set.
Actions
2. Re: JASS/JBoss not performing as expected

stevecoh1 Apr 14, 2003 7:00 PM (in response to stevecoh1)

Uh, never mind. Problem was second web-app's jboss-web.xml was not getting into the war.
Actions

Go to original post