4 Replies Latest reply on May 5, 2003 11:39 AM by brucec

DatabaseServerLoginModule not Authenticating

brucec Apr 29, 2003 6:41 PM

I have a UserSessionManagerEJB that I'm trying to secure using the DatabaseServerLoginModule (actually a subclass that does nothing except call super for initialize, getUsersPassword and get RoleSets). Can anyone point out where I'm messing up?

I'm attaching my server.policy and login-config.xml files:
Well for some reason the Attach Files feature isn't working so I'll add file contents at the bottom.

The exception message is:

ERROR javax.ejb.EJBException: java.rmi.ServerException: RemoteException occurred in server thread; nested exception is:
java.rmi.ServerException: EJBException:; nested exception is:
javax.ejb.EJBException: checkSecurityAssociation; CausedByException is:
Authentication exception, principal=Bruce

The client side login code snippet is:

UsernamePasswordHandler handler = new
UsernamePasswordHandler( username, password );
_context = new LoginContext( "client-login", handler );
_context.login();
Subject subject = _context.getSubject();
UserSessionManager ejb = null;
UserSessionManagerHome home = null;
try {
home = (UserSessionManagerHome)PortableRemoteObject.narrow(
new InitialContext().lookup( lookupName ),
UserSessionManagerHome.class );
try {
ejb = home.create();
. . .

I'm just trying to use the default Hypersonic DB for right now and have added the following to the db/hypersonic/default.script file to create a sample login database:

CREATE TABLE USERS(USERNAME VARCHAR NOT NULL PRIMARY KEY,PASSWORD VARCHAR)
CREATE TABLE USERROLES(USERNAME VARCHAR,USERROLE VARCHAR,ROLEGROUP VARCHAR)
INSERT INTO USERS VALUES('Bruce','Bpass')
INSERT INTO USERS VALUES('bc','bc2pass')
INSERT INTO USERROLES VALUES('bc','Operator','Role')
INSERT INTO USERROLES VALUES('Bruce','JBossAdmin','Role')

My configuration is JBoss 3.0.4/Tomcat 4.1.12 on Redhat Linux 7.3

security.policy file:
=================================
grant {
permission java.util.PropertyPermission "*", "read,write";
permission java.lang.RuntimePermission "*", "getProtectionDomain";
permission java.io.FilePermission "/home/bcrawford/tools/-", "read,write,execute";
permission java.io.FilePermission "/home/bcrawford/tools/jboss-3.0.4_tomcat-4.1.12/server/default/-", "delete";
permission javax.security.auth.AuthPermission "*", "createLoginContext.jbossmq";
permission java.net.SocketPermission "*", "accept,connect,resolve";
permission org.apache.naming.JndiPermission "*";
permission java.util.logging.LoggingPermission "control";
};
grant Principal org.jboss.security.SimplePrincipal "Admin" {
// Allow everything for now
permission java.security.AllPermission;
};
grant Principal org.jboss.security.SimplePrincipal "Operator" {
permission com.transdyn.dynac.security.AccessPermission;
};

login-conf.xml file:
=================================
<?xml version='1.0'?>
<!DOCTYPE policy PUBLIC
"-//JBoss//DTD JBOSS Security Config 3.0//EN"
"http://www.jboss.org/j2ee/dtd/security_config.dtd">

<application-policy name = "client-login">

<login-module code = "org.jboss.security.ClientLoginModule"
flag = "required">
</login-module>

</application-policy>


<application-policy name = "jbossmq">

<login-module code = "org.jboss.mq.sm.file.DynamicLoginModule"
flag = "required">
<module-option name = "unauthenticatedIdentity">guest</module-option>
<module-option name = "sm.objectname">jboss.mq:service=StateManager</module-option>
</login-module>

</application-policy>


<application-policy name = "HsqlDbRealm">

<login-module code = "org.jboss.resource.security.ConfiguredIdentityLoginModule"
flag = "required">
<module-option name = "principal">sa</module-option>
<module-option name = "userName">sa</module-option>
<module-option name = "password"></module-option>
<module-option name = "managedConnectionFactoryName">jboss.jca:service=LocalTxCM,name=hsqldbDS</module-option>
</login-module>

</application-policy>

<application-policy name = "FirebirdDBRealm">

<login-module code = "org.jboss.resource.security.ConfiguredIdentityLoginModule"
flag = "required">
<module-option name = "principal">sysdba</module-option>
<module-option name = "userName">sysdba</module-option>
<module-option name = "password">masterkey</module-option>
<module-option name = "managedConnectionFactoryName">jboss.jca:service=XaTxCM,name=FirebirdDS</module-option>
</login-module>

</application-policy>

<application-policy name = "JmsXARealm">

<login-module code = "org.jboss.resource.security.ConfiguredIdentityLoginModule"
flag = "required">
<module-option name = "principal">guest</module-option>
<module-option name = "userName">guest</module-option>
<module-option name = "password">guest</module-option>
<module-option name = "managedConnectionFactoryName">jboss.jca:service=XaTxCM,name=jmsra</module-option>
</login-module>

</application-policy>


<application-policy name = "jmx-console">

<login-module code="org.jboss.security.auth.spi.UsersRolesLoginModule"
flag = "required" />

</application-policy>


<application-policy name = "dynac">

<login-module code="com.transdyn.dynac.security.DynacPasswordLoginModule"
flag = "required">
<module-option name = "unauthenticatedIdentity">anonymousUser</module-option>
<module-option name = "principalsQuery">select Password from Users where Username=?</module-option>
<module-option name = "rolesQuery">select UserRole, 'Role' from UserRoles where Username=?</module-option>
</login-module>

</application-policy>


<application-policy name = "other">

<login-module code = "org.jboss.security.auth.spi.UsersRolesLoginModule"
flag = "required" />

</application-policy>

jboss.xml file:
=================================
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE jboss PUBLIC "-//JBoss//DTD JBOSS//EN" "http://www.jboss.org/j2ee/dtd/jboss.dtd">

<security-domain>java:/jaas/dynac</security-domain>
<enterprise-beans>

<ejb-name>UserSessionManager</ejb-name>
<jndi-name>ejb/UserSessionManager</jndi-name>

</enterprise-beans>
<resource-managers>
</resource-managers>

ejb-jar.xml file:
=================================
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE ejb-jar PUBLIC "-//Sun Microsystems, Inc.//DTD Enterprise JavaBeans 2.0//EN" "http://java.sun.com/dtd/ejb-jar_2_0.dtd">
<ejb-jar >
No Description.
<display-name>Generated by XDoclet</display-name>
<enterprise-beans>


<![CDATA[Allows a user to login to and maintain a session with the Dynac application.]]>
<display-name>UserSessionManager Bean</display-name>
<ejb-name>UserSessionManager</ejb-name>
com.transdyn.dynac.session.UserSessionManagerHome
com.transdyn.dynac.session.UserSessionManager
<ejb-class>com.transdyn.dynac.session.UserSessionManagerEJB</ejb-class>
<session-type>Stateful</session-type>
<transaction-type>Container</transaction-type>
<security-role-ref>
<role-name>JBossAdmin</role-name>
<role-link>Admin</role-link>
</security-role-ref>
<security-identity>
Testing a EJB security id
<use-caller-identity >What</use-caller-identity>
</security-identity>


</enterprise-beans>

<assembly-descriptor >
<security-role>
description not supported yet by ejbdoclet
<role-name>JBossAdmin</role-name>
</security-role>
<security-role>
description not supported yet by ejbdoclet
<role-name>Admin</role-name>
</security-role>
<security-role>
description not supported yet by ejbdoclet
<role-name>test</role-name>
</security-role>

<method-permission >
description not supported yet by ejbdoclet
<role-name>JBossAdmin</role-name>

description not supported yet by ejbdoclet
<ejb-name>UserSessionManager</ejb-name>
<method-name>*</method-name>

</method-permission>

<method-permission >
description not supported yet by ejbdoclet
<role-name>Admin</role-name>
<role-name>test</role-name>

<![CDATA[Called by the container to create a session bean instance.]]>
<ejb-name>UserSessionManager</ejb-name>
<method-intf>Home</method-intf>
<method-name>create</method-name>
<method-params>
</method-params>

</method-permission>
</assembly-descriptor>
</ejb-jar>

1. Re: DatabaseServerLoginModule not Authenticating

petertje May 1, 2003 9:15 AM (in response to brucec)

should be
INSERT INTO USERROLES VALUES('bc','Operator','Roles')
INSERT INTO USERROLES VALUES('Bruce','JBossAdmin','Roles')

(ie. 'Roles' instead of 'Role')
hth
peter.
Actions
2. Re: DatabaseServerLoginModule not Authenticating

brucec May 1, 2003 9:55 AM (in response to brucec)

Peter,
Thanks for the response, but that change didn't fix the problem. And I did change 'Role' to 'Roles' in the login-conf.xml file also.

Maybe I've over worked the whole security issue and am boxing myself into a corner with cascading problems (see BTW note below). I am starting JBoss with a custom runSecure.sh file that adds the following options to the java command:
-Djava.security.manager
-Djava.security.policy=/server.policy
-Djava.security.debug=access,failure
And in doing this I've created a custom server.policy file to try to enable the necessary permissions for JBoss and Tomcat ... as you can see below this is obviously NOT correct.

Am I trying to make this too complicated?

BTW another problem keeps me from examining the hypersonic DB during these tests and that is not having the JMX Console available. This is probably being caused by the server.policy file (shown in 1st post) since I get an exception during deployment of package: file:/jmx-console.war, i.e.,
ERROR [org.jboss.web.localhost.Engine] StandardHost[localhost]: ContainerBase.addChild: start:
LifecycleException: start: : java.lang.NullPointerException
at org.apache.catalina.loader.WebappLoader.start(WebappLoader.java:678)
at org.apache.catalina.core.StandardContext.start(StandardContext.java:3456)
at org.apache.catalina.core.ContainerBase.addChildInternal(ContainerBase.java:821)
at org.apache.catalina.core.ContainerBase.access$000(ContainerBase.java:162)
at org.apache.catalina.core.ContainerBase$PrivilegedAddChild.run(ContainerBase.java:182)
at java.security.AccessController.doPrivileged(Native Method)
at org.apache.catalina.core.ContainerBase.addChild(ContainerBase.java:805)
at org.apache.catalina.core.StandardHost.addChild(StandardHost.java:579)
at org.jboss.web.catalina.EmbeddedCatalinaService41.createWebContext(EmbeddedCatalinaService41.java:432)
at org.jboss.web.catalina.EmbeddedCatalinaService41.performDeploy(EmbeddedCatalinaService41.java:306)
. . .

I also posted this problem, but haven't had any replies yet.
Actions
3. Re: DatabaseServerLoginModule not Authenticating

petertje May 1, 2003 3:51 PM (in response to brucec)

> Maybe I've over worked the whole security issue and
> am boxing myself into a corner with cascading
> problems (see BTW note below). I am starting JBoss
> with a custom runSecure.sh file that adds the
> following options to the java command:
> -Djava.security.manager
> -Djava.security.policy=/server.policy
> -Djava.security.debug=access,failure

Did you try it without? Did it work out then?
Actions
4. Re: DatabaseServerLoginModule not Authenticating

brucec May 5, 2003 11:39 AM (in response to brucec)

Peter, Thanks for your replies ...

I was able to get org.jboss.security.auth.spi.DatabaseServerLoginModule to authenticate when I start JBoss with the default run.sh file using the Hypersonic tables created via default.script file. However, I can't authenticate when using my com.transdyn.dynac.security.DynacPasswordLoginModule which extends the JBoss class and calls super for every method (thus does nothing). I've tried putting this class into /deploy and in /lib, but neither seems to work.

I also tried specifying -Djava.security.debug=... on the run.sh command line, but the option is not being used by the JBoss main, or at least I can see no difference in behavior from JBoss.

Bottom line is that I can get default JBoss security to work, but have not been able to override this with what our system is going to need. Obviously I have to resolve this before we can move to a production system, but I seem to be making little progress towards this end.

I think the real question is how to properly extend the DatabaseServerLoginModule with my class and get it to authenticate and authorize as desired?

And to get there I need to figure out how to debug what is going on during the auth/auth activity.
Actions

Go to original post