3 Replies Latest reply on May 13, 2003 12:53 AM by yaz

    Strange error while testing the DatabaseServerLoginModule

    yaz

      Hi all,

      I use JBoss 3.0.2 and JBuilder 8, and I am a newbie in the JAAS subject. My task is to make a login to the system with both authentication and authorization. I was looking for some solutions and have found that for authentication I need the DatabaseServerLoginModule, so I have created the necessary xml and config files as well as very simple source code for testing the login.
      Unfortunately the code doesn't run correctly; it gives me a strange error:
      javax.security.auth.login.LoginException: javax.naming.NameNotFoundException: DefaultDS not bound
          at org.jboss.security.auth.spi.DatabaseServerLoginModule.getUsersPassword(DatabaseServerLoginModule.java:110)
          at org.jboss.security.auth.spi.UsernamePasswordLoginModule.login(UsernamePasswordLoginModule.java:142)
          at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
          at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
          at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
          at java.lang.reflect.Method.invoke(Method.java:324)
          at javax.security.auth.login.LoginContext.invoke(LoginContext.java:675)
          at javax.security.auth.login.LoginContext.access$000(LoginContext.java:129)
          at javax.security.auth.login.LoginContext$4.run(LoginContext.java:610)
          at java.security.AccessController.doPrivileged(Native Method)
          at javax.security.auth.login.LoginContext.invokeModule(LoginContext.java:607)
          at javax.security.auth.login.LoginContext.login(LoginContext.java:534)
          at systemlogon.LoginAut.tryLogin(LoginAut.java:61)
          at systemlogon.Testing.main(Testing.java:22)

      I have tried (as it seemed logical to me) to replace "DefaultDS" with "OracleDS" in all config files, since I use the Oracle 8 database, but it seems that something is wrong; maybe I should leave some "DefaultDS" strings somewhere? Can anyone help me and check what's going wrong?
      Thanks in advance,
      Yaz.

      ==== This is my source code for testing: ====

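      import javax.security.auth.callback.Callback;
      import javax.security.auth.callback.CallbackHandler;
      import javax.security.auth.callback.NameCallback;
      import javax.security.auth.callback.PasswordCallback;
      import javax.security.auth.callback.UnsupportedCallbackException;
      import javax.security.auth.login.LoginContext;
      import javax.security.auth.login.LoginException;

      // Fragment: body of the login method (LoginAut.tryLogin in the stack trace);
      // the enclosing method signature was not posted.
      try
      {
          // sName selects the entry in the JAAS login configuration
          LoginContext loginContext = new LoginContext(sName, new DBCallbackHandler(sUserID, sPassword));
          loginContext.login();
          return 0;
      } catch (LoginException ex)
      {
          ex.printStackTrace();
          return -3;
      }

      } // end of the enclosing method

      // Hands the user name and password to whichever login module asks for them
      class DBCallbackHandler implements CallbackHandler {
          private String login = null;
          private String password = null;

          public DBCallbackHandler(String login, String password) {
              this.login = login;
              this.password = password;
          }

          public void handle(Callback[] callbacks) throws
                  java.io.IOException, UnsupportedCallbackException
          {
              for (int i = 0; i < callbacks.length; i++)
              {
                  // test each element, not the array itself
                  if (callbacks[i] instanceof NameCallback)
                  {
                      NameCallback nc = (NameCallback) callbacks[i];
                      nc.setName(login);
                  }
                  else if (callbacks[i] instanceof PasswordCallback)
                  {
                      PasswordCallback pc = (PasswordCallback) callbacks[i];
                      pc.setPassword(password.toCharArray());
                  }
                  else
                  {
                      throw new UnsupportedCallbackException(callbacks[i],
                              "Unrecognized Callback");
                  }
              }
          }
      }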


      ===== And these are my config files: =====

      === mylogon.conf (for client) ===

      MyLogon {
      org.jboss.security.auth.spi.DatabaseServerLoginModule required debug=true dbDriver="oracle.jdbc.driver.OracleDriver" dbURL="jdbc:oracle:thin:@myserv:1533:mmx1";
      };


      === login-config.xml ===

      <?xml version='1.0'?>
      <!DOCTYPE policy PUBLIC "-//JBoss//DTD JBOSS Security Config 3.0//EN"
      "http://www.jboss.org/j2ee/dtd/security_config.dtd">




      <!-- Used by clients within the application server VM such as
      mbeans and servlets that access EJBs.
      -->

      <application-policy name = "MyLogon">

      <login-module code = "org.jboss.security.auth.spi.DatabaseServerLoginModule" flag = "required">
      <module-option name = "dsJndiName">java:/OracleDS</module-option>
      <module-option name = "principalsQuery">SELECT password FROM person WHERE pers=?</module-option>
      <module-option name = "rolesQuery">select role,'Roles' FROM rolles WHERE pers=?</module-option>
      <module-option name = "managedConnectionFactoryName">jboss.jca:service=LocalTxDS,name=OracleDS</module-option>
      </login-module>

      </application-policy>


      <application-policy name = "MyLogonDB">

      <login-module code = "org.jboss.resource.security.ConfiguredIdentityLoginModule" flag = "required">
      <module-option name = "principal">root</module-option>
      <module-option name = "userName">root</module-option>
      <module-option name = "password">root</module-option>
      <module-option name = "managedConnectionFactoryName">jboss.jca:service=LocalTxDS,name=OracleDS</module-option>
      </login-module>

      </application-policy>


      <application-policy name = "client-login">

      <login-module code = "org.jboss.security.ClientLoginModule"
      flag = "required">
      </login-module>

      </application-policy>

      <!-- Security domain for JBossMQ -->
      <application-policy name = "jbossmq">

      <login-module code = "org.jboss.mq.sm.file.DynamicLoginModule"
      flag = "required">
      <module-option name = "unauthenticatedIdentity">guest</module-option>
      <module-option name = "sm.objectname">jboss.mq:service=StateManager</module-option>
      </login-module>

      </application-policy>

      <!-- Security domains for testing new jca framework -->
      <application-policy name = "HsqlDbRealm">

      <login-module code = "org.jboss.resource.security.ConfiguredIdentityLoginModule"
      flag = "required">
      <module-option name = "principal">sa</module-option>
      <module-option name = "userName">sa</module-option>
      <module-option name = "password"></module-option>
      <module-option name = "managedConnectionFactoryName">jboss.jca:service=LocalTxCM,name=hsqldbDS</module-option>
      </login-module>

      </application-policy>

      <application-policy name = "FirebirdDBRealm">

      <login-module code = "org.jboss.resource.security.ConfiguredIdentityLoginModule"
      flag = "required">
      <module-option name = "principal">sysdba</module-option>
      <module-option name = "userName">sysdba</module-option>
      <module-option name = "password">masterkey</module-option>
      <module-option name = "managedConnectionFactoryName">jboss.jca:service=XaTxCM,name=FirebirdDS</module-option>
      </login-module>

      </application-policy>

      <application-policy name = "JmsXARealm">

      <login-module code = "org.jboss.resource.security.ConfiguredIdentityLoginModule"
      flag = "required">
      <module-option name = "principal">guest</module-option>
      <module-option name = "userName">guest</module-option>
      <module-option name = "password">guest</module-option>
      <module-option name = "managedConnectionFactoryName">jboss.jca:service=XaTxCM,name=jmsra</module-option>
      </login-module>

      </application-policy>

      <!-- A template configuration for the jmx-console web application. This
      defaults to the UsersRolesLoginModule the same as other and should be
      changed to a stronger authentication mechanism as required.
      -->
      <application-policy name = "jmx-console">

      <login-module code="org.jboss.security.auth.spi.UsersRolesLoginModule"
      flag = "required" />

      </application-policy>

      <!-- The default login configuration used by any security domain that
      does not have an application-policy entry with a matching name
      -->
      <application-policy name = "other">
      <!-- A simple server login module, which can be used when the number
      of users is relatively small. It uses two properties files:
      users.properties, which holds users (key) and their password (value).
      roles.properties, which holds users (key) and a comma-separated list of
      their roles (value).
      The unauthenticatedIdentity property defines the name of the principal
      that will be used when a null username and password are presented as is
      the case for an unauthenticated web client or MDB. If you want to
      allow such users to be authenticated add the property, e.g.,
      unauthenticatedIdentity="nobody"
      -->

      <login-module code = "org.jboss.security.auth.spi.UsersRolesLoginModule"
      flag = "required" />

      </application-policy>




      === oracle-service.xml ===

      <?xml version="1.0" encoding="UTF-8"?>

      <!-- ===================================================================== -->
      <!-- -->
      <!-- JBoss Server Configuration -->
      <!-- -->
      <!-- ===================================================================== -->



      <!-- ==================================================================== -->
      <!-- ConnectionManager setup for Oracle dbs -->
      <!-- Build jmx-api (build/build.sh all) and view for config documentation -->
      <!-- Thanks to Steven Coy -->
      <!-- ==================================================================== -->




      <!-- Include a login module configuration named OracleDbRealm.
      Update your login-conf.xml, here is an example for a
      ConfiguredIdentityLoginModule:

      .....

      -->

      <!--uncomment out this line if you are using the OracleDbRealm above -->
      MyLogonDB

      <depends optional-attribute-name="ManagedConnectionFactoryName">
      <!--embedded mbean-->


      OracleDS



      <config-property name="ConnectionURL" type="java.lang.String">jdbc:oracle:thin:@myserv:1533:mmx1</config-property>
      <config-property name="DriverClass" type="java.lang.String">oracle.jdbc.driver.OracleDriver</config-property>
      <!--set these only if you want only default logins, not through JAAS -->
      <config-property name="UserName" type="java.lang.String">root</config-property>
      <config-property name="Password" type="java.lang.String">root</config-property>




      <!--Below here are advanced properties -->
      <!--hack-->
      <depends optional-attribute-name="OldRarDeployment">jboss.jca:service=RARDeployment,name=JBoss LocalTransaction JDBC Wrapper



      <depends optional-attribute-name="ManagedConnectionPool">
      <!--embedded mbean-->


      0
      50
      5000
      15
      <!--criteria indicates if Subject (from security domain) or app supplied
      parameters (such as from getConnection(user, pw)) are used to distinguish
      connections in the pool. Choices are
      ByContainerAndApplication (use both),
      ByContainer (use Subject),
      ByApplication (use app supplied params only),
      ByNothing (all connections are equivalent, usually if adapter supports
      reauthentication)-->
      ByContainer



      <depends optional-attribute-name="CachedConnectionManager">jboss.jca:service=CachedConnectionManager

      <depends optional-attribute-name="JaasSecurityManagerService">jboss.security:service=JaasSecurityManager

      java:/TransactionManager

      <!--make the rar deploy! hack till better deployment-->
      jboss.jca:service=RARDeployer






      === standardjaws.xml (a part of) ===

      <?xml version="1.0" encoding="UTF-8"?>

      <!DOCTYPE jbosscmp-jdbc PUBLIC
      "-//JBoss//DTD JBOSSCMP-JDBC 3.0//EN"
      "http://www.jboss.org/j2ee/dtd/jbosscmp-jdbc_3_0.dtd">

      <!-- ===================================================================== -->
      <!-- -->
      <!-- Standard Jaws Configuration -->
      <!-- -->
      <!-- ===================================================================== -->

      <!-- $Id: standardjaws.xml,v 1.27.2.3 2002/06/27 19:54:12 dsundstrom Exp $ -->


      <!-- java:/OracleDS changed by JJ -->
      java:/OracleDS
      <type-mapping>Oracle8</type-mapping> <!-- changed by JJ -->
      false

      <default-entity>
      <create-table>true</create-table>
      <remove-table>false</remove-table>
      <tuned-updates>true</tuned-updates>
      <read-only>false</read-only>
      <time-out>300</time-out>
      <row-locking>false</row-locking>
      <read-ahead>false</read-ahead>
      </default-entity>

      <type-mappings>
      <type-mapping-definition>
      ......
      </type-mapping-definition>

      </type-mappings>



      === standardjbosscmp-jdbc.xml (a part of) ===

      <?xml version="1.0" encoding="UTF-8"?>
      <!DOCTYPE jbosscmp-jdbc>

      <!-- ===================================================================== -->
      <!-- -->
      <!-- Standard JBossCMP-JDBC Configuration -->
      <!-- -->
      <!-- ===================================================================== -->

      <!-- $Id: standardjbosscmp-jdbc.xml,v 1.23.2.15 2002/07/14 20:01:35 sparre Exp $ -->

      <jbosscmp-jdbc>


      java:/OracleDS
      <datasource-mapping>Oracle8</datasource-mapping>

      <create-table>true</create-table>
      <remove-table>false</remove-table>
      <read-only>false</read-only>
      <time-out>300</time-out>
      <pk-constraint>true</pk-constraint>
      <fk-constraint>false</fk-constraint>
      <row-locking>false</row-locking>
      <preferred-relation-mapping>foreign-key</preferred-relation-mapping>
      <read-ahead>
      on-load
      <page-size>1000</page-size>
      <eager-load-group>*</eager-load-group>
      </read-ahead>
      <list-cache-max>1000</list-cache-max>


      <type-mappings>
      .....
      </type-mappings>
      </jbosscmp-jdbc>

        • 1. Re: Strange error while testing the DatabaseServerLoginModul
          haraldgliebe

          In mylogon.conf use the org.jboss.security.ClientLoginModule for client login.
          Note that this will only associate the current thread or VM with the passed principal/credentials and therefore will always succeed.
          When you access a protected resource (EJB) the security information will be checked on the server.

          Regards,
          Harald
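
What "will always succeed" means for a client-side login, as an added example that is not part of the thread: `RecordOnlyLoginModule` is a hypothetical stand-in that mimics the behaviour described above (it is not the JBoss `ClientLoginModule`), and the constructed in-memory `Configuration` takes the place of mylogon.conf so the code runs without a server.

```java
import java.util.Collections;
import java.util.Map;
import javax.security.auth.Subject;
import javax.security.auth.callback.*;
import javax.security.auth.login.*;
import javax.security.auth.spi.LoginModule;

public class ClientLoginDemo {
    // Hypothetical stand-in: collects the name and password and verifies neither.
    public static class RecordOnlyLoginModule implements LoginModule {
        private CallbackHandler handler;
        public void initialize(Subject s, CallbackHandler h,
                               Map<String, ?> shared, Map<String, ?> options) { handler = h; }
        public boolean login() throws LoginException {
            NameCallback nc = new NameCallback("user: ");
            PasswordCallback pc = new PasswordCallback("password: ", false);
            try { handler.handle(new Callback[] { nc, pc }); }
            catch (Exception e) { throw new LoginException(e.toString()); }
            pc.clearPassword();   // the password is never compared with anything
            return true;
        }
        public boolean commit() { return true; }
        public boolean abort() { return true; }
        public boolean logout() { return true; }
    }

    // Constructed in-memory equivalent of a one-module login configuration file.
    static Configuration config() {
        final AppConfigurationEntry entry = new AppConfigurationEntry(RecordOnlyLoginModule.class.getName(),
            AppConfigurationEntry.LoginModuleControlFlag.REQUIRED, Collections.<String, Object>emptyMap());
        return new Configuration() {
            public AppConfigurationEntry[] getAppConfigurationEntry(String name) {
                return new AppConfigurationEntry[] { entry };
            }
        };
    }

    // Returns true when LoginContext.login() completes without a LoginException.
    static boolean clientLogin(String user, String password) {
        CallbackHandler handler = callbacks -> {
            for (Callback cb : callbacks) {
                if (cb instanceof NameCallback) ((NameCallback) cb).setName(user);
                else if (cb instanceof PasswordCallback)
                    ((PasswordCallback) cb).setPassword(password.toCharArray());
                else throw new UnsupportedCallbackException(cb, "Unrecognized Callback");
            }
        };
        try {
            new LoginContext("MyLogon", new Subject(), handler, config()).login();
            return true;
        } catch (LoginException e) { return false; }
    }

    public static void main(String[] args) {   // sample credentials are constructed
        System.out.println("first password:  " + clientLogin("yaz", "secret"));
        System.out.println("second password: " + clientLogin("yaz", "not-the-password"));
    }
}
```

Both calls report success whatever password is supplied, so a passing client-side login of this kind is not evidence that the credentials are valid; the check that matters is the one the server performs when the protected resource is accessed.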

          • 2. Re: Strange error while testing the DatabaseServerLoginModul
            yaz

            Thanks, but now, calling it from a JSP, I got another error. What can be the reason for it?


            ERROR [STDERR] javax.security.auth.login.LoginException: java.lang.SecurityException:
            invalid authentication attempt, principal=null
            at org.jboss.resource.connectionmanager.BaseConnectionManager2.getSubject(BaseConnectionManager2.java:707)
            at org.jboss.resource.connectionmanager.BaseConnectionManager2.allocateConnection(BaseConnectionManager2.java:531)
            at org.jboss.resource.connectionmanager.BaseConnectionManager2$ConnectionManagerProxy.allocateConnection(BaseConnectionManager2.java:812)
            at org.jboss.resource.adapter.jdbc.local.LocalDataSource.getConnection(LocalDataSource.java:102)
            at org.jboss.security.auth.spi.DatabaseServerLoginModule.getUsersPassword(DatabaseServerLoginModule.java:96)
            at org.jboss.security.auth.spi.UsernamePasswordLoginModule.login(UsernamePasswordLoginModule.java:142)
            at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
            at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
            at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
            at java.lang.reflect.Method.invoke(Method.java:324)
            at javax.security.auth.login.LoginContext.invoke(LoginContext.java:675)
            at javax.security.auth.login.LoginContext.access$000(LoginContext.java:129)
            at javax.security.auth.login.LoginContext$4.run(LoginContext.java:610)
            at java.security.AccessController.doPrivileged(Native Method)
            at javax.security.auth.login.LoginContext.invokeModule(LoginContext.java:607)
            at javax.security.auth.login.LoginContext.login(LoginContext.java:534)
            at systemlogon.LoginAut.tryLogin(LoginAut.java:61)
            at systemlogon.SystemLogonMain.actionPerformed(SystemLogon.java:87)
            at nextapp.echo.AbstractButton.fireActionPerformed(AbstractButton.java:237)
            at nextapp.echoservlet.ui.AbstractButtonUI.clientAction(AbstractButtonUI.java:70)

            • 3. Re: Strange error while testing the DatabaseServerLoginModul
              yaz

              Hi all,
              It works! Although I had to make the following changes to make it work:

              1. Moved to jboss 3.2.1.
              2. Removed entry "managedConnectionFactoryName" from tag <application-policy name = "MyLogon"> in login-config.xml.
              3. Removed tag <application-policy name = "MyLogonDB"> in login-config.xml.
              4. Removed tag <security-domain>MyLogonDB</security-domain> in oracle-ds.xml.

              This means that I use only one application policy, "MyLogon", which makes the connection to the database and gets the principal and password. The second policy, which I have read about in some postings, makes an error here so it is forbidden.

              Yaz.