DatabaseServerLoginModule not Authenticating
brucec Apr 29, 2003 6:41 PM I have a UserSessionManagerEJB that I'm trying to secure using the DatabaseServerLoginModule (actually a subclass that does nothing except call super for initialize, getUsersPassword and getRoleSets). Can anyone point out where I'm messing up?
I'm attaching my server.policy and login-config.xml files:
Since the Attach Files feature isn't working for some reason, I'm including the file contents at the bottom of this post instead.
The exception message is:
ERROR javax.ejb.EJBException: java.rmi.ServerException: RemoteException occurred in server thread; nested exception is:
java.rmi.ServerException: EJBException:; nested exception is:
javax.ejb.EJBException: checkSecurityAssociation; CausedByException is:
Authentication exception, principal=Bruce
The client side login code snippet is:
UsernamePasswordHandler handler = new
UsernamePasswordHandler( username, password );
_context = new LoginContext( "client-login", handler );
_context.login();
Subject subject = _context.getSubject();
UserSessionManager ejb = null;
UserSessionManagerHome home = null;
try {
home = (UserSessionManagerHome)PortableRemoteObject.narrow(
new InitialContext().lookup( lookupName ),
UserSessionManagerHome.class );
try {
ejb = home.create();
. . .
For now I'm just using the default Hypersonic DB, and I have added the following to the db/hypersonic/default.script file to create a sample login database:
-- Sample login tables for the default Hypersonic datasource.
-- USERS: one row per account. PASSWORD holds the clear-text password; the
-- principalsQuery in login-config.xml selects it and, with no hashing option
-- configured, the login module presumably compares it as-is with the value
-- supplied by the client.
CREATE TABLE USERS(USERNAME VARCHAR NOT NULL PRIMARY KEY,PASSWORD VARCHAR)
-- USERROLES: (username, role name, role group). The rolesQuery in
-- login-config.xml never reads ROLEGROUP; it supplies the literal 'Role' instead.
-- Unquoted identifiers are folded to upper case by HSQLDB, so "Users"/"Username"
-- in the queries should still resolve to these tables (verify if lookups fail).
CREATE TABLE USERROLES(USERNAME VARCHAR,USERROLE VARCHAR,ROLEGROUP VARCHAR)
INSERT INTO USERS VALUES('Bruce','Bpass')
INSERT INTO USERS VALUES('bc','bc2pass')
INSERT INTO USERROLES VALUES('bc','Operator','Role')
-- 'Bruce' carries JBossAdmin, the role that ejb-jar.xml grants on every method
-- of UserSessionManager.
INSERT INTO USERROLES VALUES('Bruce','JBossAdmin','Role')
My configuration is JBoss 3.0.4/Tomcat 4.1.12 on Redhat Linux 7.3
security.policy file:
=================================
// Global grant: no codeBase or Principal clause, so it applies to all code in
// the VM. Note the wildcard PropertyPermission (read AND write of every system
// property) and SocketPermission "*" (any host, any port), both unrestricted.
grant {
permission java.util.PropertyPermission "*", "read,write";
permission java.lang.RuntimePermission "*", "getProtectionDomain";
permission java.io.FilePermission "/home/bcrawford/tools/-", "read,write,execute";
permission java.io.FilePermission "/home/bcrawford/tools/jboss-3.0.4_tomcat-4.1.12/server/default/-", "delete";
permission javax.security.auth.AuthPermission "*", "createLoginContext.jbossmq";
permission java.net.SocketPermission "*", "accept,connect,resolve";
permission org.apache.naming.JndiPermission "*";
permission java.util.logging.LoggingPermission "control";
};
// Principal-keyed grant for the SimplePrincipal named "Admin". Note that this is
// "Admin", while the sample USERROLES row gives Bruce "JBossAdmin"; whether the
// EJB role names ever reach this policy as SimplePrincipals is not shown here.
grant Principal org.jboss.security.SimplePrincipal "Admin" {
// Allow everything for now
// AllPermission switches off every Java 2 security check for this principal;
// suitable for development only.
permission java.security.AllPermission;
};
// "Operator" receives only the application-specific AccessPermission.
grant Principal org.jboss.security.SimplePrincipal "Operator" {
permission com.transdyn.dynac.security.AccessPermission;
};
login-conf.xml file:
=================================
<?xml version='1.0'?>
<!DOCTYPE policy PUBLIC
"-//JBoss//DTD JBOSS Security Config 3.0//EN"
"http://www.jboss.org/j2ee/dtd/security_config.dtd">
<!-- The DOCTYPE names "policy" as the root element, but no <policy> wrapper
appears in this paste; presumably it was lost when the file was inlined.
The DTD should come from the server's local entity resolver rather than being
fetched from the URL above; confirm rather than relying on network access. -->
<!-- Client side domain. ClientLoginModule performs no authentication: it only
records the username/password obtained from the callback handler so that they
accompany the EJB invocation. The real check happens in the server side domain
named by jboss.xml (see "dynac" below). -->
<application-policy name = "client-login">
<login-module code = "org.jboss.security.ClientLoginModule"
flag = "required">
</login-module>
</application-policy>
<!-- Security domain for JBossMQ -->
<application-policy name = "jbossmq">
<login-module code = "org.jboss.mq.sm.file.DynamicLoginModule"
flag = "required">
<module-option name = "unauthenticatedIdentity">guest</module-option>
<module-option name = "sm.objectname">jboss.mq:service=StateManager</module-option>
</login-module>
</application-policy>
<!-- Security domains for testing new jca framework -->
<!-- Datasource identities: ConfiguredIdentityLoginModule supplies a fixed
principal/password to the connection factory; nothing here is used to log
application users in. -->
<application-policy name = "HsqlDbRealm">
<login-module code = "org.jboss.resource.security.ConfiguredIdentityLoginModule"
flag = "required">
<module-option name = "principal">sa</module-option>
<module-option name = "userName">sa</module-option>
<module-option name = "password"></module-option>
<module-option name = "managedConnectionFactoryName">jboss.jca:service=LocalTxCM,name=hsqldbDS</module-option>
</login-module>
</application-policy>
<!-- The Firebird password is stored in clear text in this file; restrict read
access to the file accordingly. -->
<application-policy name = "FirebirdDBRealm">
<login-module code = "org.jboss.resource.security.ConfiguredIdentityLoginModule"
flag = "required">
<module-option name = "principal">sysdba</module-option>
<module-option name = "userName">sysdba</module-option>
<module-option name = "password">masterkey</module-option>
<module-option name = "managedConnectionFactoryName">jboss.jca:service=XaTxCM,name=FirebirdDS</module-option>
</login-module>
</application-policy>
<application-policy name = "JmsXARealm">
<login-module code = "org.jboss.resource.security.ConfiguredIdentityLoginModule"
flag = "required">
<module-option name = "principal">guest</module-option>
<module-option name = "userName">guest</module-option>
<module-option name = "password">guest</module-option>
<module-option name = "managedConnectionFactoryName">jboss.jca:service=XaTxCM,name=jmsra</module-option>
</login-module>
</application-policy>
<!-- A template configuration for the jmx-console web application. This
defaults to the UsersRolesLoginModule, the same as "other", and should be
changed to a stronger authentication mechanism as required.
-->
<application-policy name = "jmx-console">
<login-module code="org.jboss.security.auth.spi.UsersRolesLoginModule"
flag = "required" />
</application-policy>
<!-- Security domain for Dynac -->
<!-- This is the domain jboss.xml selects through java:/jaas/dynac. The module
is described in the post as a DatabaseServerLoginModule subclass that only
delegates to super. -->
<application-policy name = "dynac">
<login-module code="com.transdyn.dynac.security.DynacPasswordLoginModule"
flag = "required">
<!-- Invocations that carry no credentials are mapped to this identity instead
of being rejected. -->
<module-option name = "unauthenticatedIdentity">anonymousUser</module-option>
<!-- No dsJndiName option is given, so the module falls back to its default
datasource (java:/DefaultDS in this release; verify). The query must return the
stored password for the given user; the sample USERS rows store it in clear text
and no hashing option is configured, so it is compared as-is. -->
<module-option name = "principalsQuery">select Password from Users where Username=?</module-option>
<!-- Second column is the role group name. The group that JBoss consults for
method permissions is normally "Roles"; the literal 'Role' returned here may
leave the caller with no authorization roles at all. Confirm against the
DatabaseServerLoginModule documentation for 3.0.4. The ROLEGROUP column in
USERROLES is not used. -->
<module-option name = "rolesQuery">select UserRole, 'Role' from UserRoles where Username=?</module-option>
</login-module>
</application-policy>
<!-- The default login configuration used by any security domain that
does not have an application-policy entry with a matching name
-->
<application-policy name = "other">
<login-module code = "org.jboss.security.auth.spi.UsersRolesLoginModule"
flag = "required" />
</application-policy>
jboss.xml file:
=================================
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE jboss PUBLIC "-//JBoss//DTD JBOSS//EN" "http://www.jboss.org/j2ee/dtd/jboss.dtd">
<!-- As pasted, the <jboss> root and the <session> wrapper around the bean entry
are missing; only the elements relevant to the question survived. -->
<!-- Binds every bean in this jar to the "dynac" application-policy from
login-config.xml; java:/jaas/ is where JBoss binds its security managers. -->
<security-domain>java:/jaas/dynac</security-domain>
<enterprise-beans>
<ejb-name>UserSessionManager</ejb-name>
<jndi-name>ejb/UserSessionManager</jndi-name>
</enterprise-beans>
<resource-managers>
</resource-managers>
ejb-jar.xml file:
=================================
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE ejb-jar PUBLIC "-//Sun Microsystems, Inc.//DTD Enterprise JavaBeans 2.0//EN" "http://java.sun.com/dtd/ejb-jar_2_0.dtd">
<!-- XDoclet output. Several tags did not survive the paste: the <description>,
<session>, <home>, <remote> and <method> wrappers are absent and their text
appears bare. The structure below is read with that in mind. -->
<ejb-jar >
No Description.
<display-name>Generated by XDoclet</display-name>
<enterprise-beans>
<!-- Session Beans -->
<![CDATA[Allows a user to login to and maintain a session with the Dynac application.]]>
<display-name>UserSessionManager Bean</display-name>
<ejb-name>UserSessionManager</ejb-name>
com.transdyn.dynac.session.UserSessionManagerHome
com.transdyn.dynac.session.UserSessionManager
<ejb-class>com.transdyn.dynac.session.UserSessionManagerEJB</ejb-class>
<session-type>Stateful</session-type>
<transaction-type>Container</transaction-type>
<!-- Maps the name the bean passes to isCallerInRole ("JBossAdmin") onto the
declared role "Admin". The method-permission entries below, by contrast, grant
"JBossAdmin" directly, and the sample USERROLES row gives Bruce "JBossAdmin";
check that one consistent role name is intended. -->
<security-role-ref>
<role-name>JBossAdmin</role-name>
<role-link>Admin</role-link>
</security-role-ref>
<security-identity>
Testing a EJB security id
<!-- The EJB 2.0 DTD declares use-caller-identity as EMPTY; the text "What"
inside it is not valid content and should be removed. -->
<use-caller-identity >What</use-caller-identity>
</security-identity>
<!-- Entity Beans -->
</enterprise-beans>
<!-- Assembly Descriptor -->
<assembly-descriptor >
<security-role>
description not supported yet by ejbdoclet
<role-name>JBossAdmin</role-name>
</security-role>
<security-role>
description not supported yet by ejbdoclet
<role-name>Admin</role-name>
</security-role>
<security-role>
description not supported yet by ejbdoclet
<role-name>test</role-name>
</security-role>
<!-- JBossAdmin may invoke every method of UserSessionManager, including the
home create() that the client calls. -->
<method-permission >
description not supported yet by ejbdoclet
<role-name>JBossAdmin</role-name>
description not supported yet by ejbdoclet
<ejb-name>UserSessionManager</ejb-name>
<method-name>*</method-name>
</method-permission>
<!-- Admin and test may call the no-argument home create(); the empty
method-params element selects the zero-argument overload. -->
<method-permission >
description not supported yet by ejbdoclet
<role-name>Admin</role-name>
<role-name>test</role-name>
<![CDATA[Called by the container to create a session bean instance.]]>
<ejb-name>UserSessionManager</ejb-name>
<method-intf>Home</method-intf>
<method-name>create</method-name>
<method-params>
</method-params>
</method-permission>
</assembly-descriptor>
</ejb-jar>