6 Replies Latest reply on May 27, 2003 4:09 AM by hduijn

    Another DatabaseServerLoginModule problem

    hduijn

      Hi,

      I'm trying to do a database authentication against an MS SQL2000 database. I did set up the database connection and configured the login-config.xml like this:

      <application-policy name = "facturatie">
        <login-module code="org.jboss.security.auth.spi.DatabaseServerLoginModule"
                      flag = "required" >
          <module-option name="dsJndiName">java:/MSSQLDS</module-option>
          <module-option name="principalsQuery">select log_password from loginusers where log_name=?</module-option>
          <module-option name="rolesQuery">select logrol_role, 'Roles' from loginroles where logrol_name=?</module-option>
        </login-module>
      </application-policy>

      While trying to connect to the application the dialog pops up and the following happens:
      1. Filling in a wrong user and/or password, the dialog reappears as it should. The console gives a correct message about this.
      2. Filling in the right user/password, a 403 error appears telling me that the access is denied.

      From this I know that the connection to the database works fine and that the queries are OK, otherwise the console would have told me. Reading this forum I noticed a similar problem that was caused by the result from the rolesQuery where the second column did not return 'Roles'. In the above query this is hard coded so that should not be the problem.

      Does anyone have a suggestion why this happens?

      Hans

        • 1. Re: Another DatabaseServerLoginModule problem

          Did you refer to the 'facturatie' security domain in the jboss-web.xml and is this file packaged correctly in your war?

          If this doesn't help, turn on debug tracing for the auth.spi modules and check the log for more info that might help you (or us helping you ;-)

          Hth
          Peter

          • 2. Re: Another DatabaseServerLoginModule problem
            hduijn

            Hi Peter,

            My jboss-web.xml contains:

            <jboss-web>
            <security-domain>java:/jaas/facturatie</security-domain>
            </jboss-web>

            When I use the UsersRolesLoginModule like this...

            <application-policy name = "facturatie">

            <login-module code="org.jboss.security.auth.spi.UsersRolesLoginModule"
            flag = "required" />

            </application-policy>

            ...all works fine. I can log in based on the info in the users- and roles.properties files. So the domain stuff is working.

            Turning on the TRACE level doesn't produce any output ?!?! I added the following to the log4j.xml:





            ...and the console says...

            log4j: Retreiving an instance of org.apache.log4j.Logger.
            log4j: Setting [org.jboss.security.auth.spi] additivity to [true].
            log4j: Level value for org.jboss.security.auth.spi is [TRACE].
            log4j: Desired Level sub-class: [org.jboss.logging.XLevel]

            ...however, no output concerning logging appears in the console. Any idea where things go wrong?

            Hans

            • 3. Re: Another DatabaseServerLoginModule problem

              Hans,

              Your settings (jboss-web.xml, login-conf.xml) look fine to me. I've no idea why UsersRolesLogin is working and DbLogin is not.

              However, the fact that turning on TRACE level doesn't produce any output seems like a configuration error to me. If I run a simple test, I even get debug output without adding the trace-level stuff. So I suggest you check your log4j settings. Is there a threshold set on the console appender that is blocking the debug and trace messages?

              Peter

              • 4. Re: Another DatabaseServerLoginModule problem
                hduijn

                Peter,

                There was an 'INFO' threshold. I removed it and the console produced the following output:

                16:23:04,080 INFO [JaasSecurityManagerService] Created securityMgr=org.jboss.security.plugins.JaasSecurityManager@6dbe39
                16:23:04,080 DEBUG [facturatie] CachePolicy set to: org.jboss.util.TimedCachePolicy@639bf1
                16:23:04,080 INFO [JaasSecurityManagerService] setCachePolicy, c=org.jboss.util.TimedCachePolicy@639bf1
                16:23:04,090 INFO [JaasSecurityManagerService] Added facturatie, org.jboss.security.plugins.SecurityDomainContext@131579 to map
                16:23:04,260 TRACE [DatabaseServerLoginModule] initialize
                16:23:04,260 TRACE [DatabaseServerLoginModule] DatabaseServerLoginModule, dsJndiName=java:/MSSQLDS
                16:23:04,260 TRACE [DatabaseServerLoginModule] principalsQuery=select log_password from loginusers where log_name=?
                16:23:04,260 TRACE [DatabaseServerLoginModule] rolesQuery=select logrol_role, 'Roles' from loginroles where logrol_name=?
                16:23:04,270 TRACE [DatabaseServerLoginModule] login
                16:23:04,280 TRACE [DatabaseServerLoginModule] Authenticating as unauthenticatedIdentity=null
                16:23:04,420 DEBUG [IdleRemover] internalRegisterPool: registering pool with interval 900000 old interval: 9223372036854775807
                16:23:04,420 DEBUG [IdleRemover] internalRegisterPool: about to notify thread: old next: 1053959434420, new next: 1053959434420
                16:23:04,420 DEBUG [LocalManagedConnectionFactory] Using properties: {user=sainv, password=invoice}
                16:23:04,420 DEBUG [LocalManagedConnectionFactory] Checking driver for URL: jdbc:microsoft:sqlserver://ws000030:1433;DatabaseName=invoicing
                16:23:04,420 DEBUG [LocalManagedConnectionFactory] Driver not yet registered for url: jdbc:microsoft:sqlserver://ws000030:1433;DatabaseName=invoicing
                16:23:04,470 DEBUG [LocalManagedConnectionFactory] Driver not yet registered for url: jdbc:microsoft:sqlserver://ws000030:1433;DatabaseName=invoicing
                16:23:04,571 DEBUG [LocalManagedConnectionFactory] Driver already registered for url: jdbc:microsoft:sqlserver://ws000030:1433;DatabaseName=invoicing
                16:23:08,466 TRACE [DatabaseServerLoginModule] abort
                16:23:30,087 TRACE [DatabaseServerLoginModule] initialize
                16:23:30,087 TRACE [DatabaseServerLoginModule] DatabaseServerLoginModule, dsJndiName=java:/MSSQLDS
                16:23:30,087 TRACE [DatabaseServerLoginModule] principalsQuery=select log_password from loginusers where log_name=?
                16:23:30,087 TRACE [DatabaseServerLoginModule] rolesQuery=select logrol_role, 'Roles' from loginroles where logrol_name=?
                16:23:30,087 TRACE [DatabaseServerLoginModule] login
                16:23:30,147 TRACE [DatabaseServerLoginModule] User 'hduijn' authenticated, loginOk=true
                16:23:30,147 TRACE [DatabaseServerLoginModule] commit, loginOk=true

                ...telling me that the logging is OK. Still my browser gives a 403 error (Access to the requested resource has been denied).

                Any other idea?

                Hans

                • 5. Re: Another DatabaseServerLoginModule problem

                  No, I'm puzzled.

                  There is one thing I'm missing in your trace, and that is logging from the JBossUserRealm, e.g.
                  DEBUG [JBossUserRealm#your-realm] authenticated: john
                  etc.
                  This is the org.jboss.jetty.security.JBossUserRealm log category, please check your log settings again.
                  Just looking at the stack trace, I'd say there is something wrong with the security defs in web.xml or that your servlet/jsp is behaving 'funny' - if it is not that you tested it with the users-roles module and got it working. Are you sure you didn't change more things between these two tests?

                  I'd suggest you attach your web.xml as well (you can attach files to your posts, I forgot how ;-).
                  Btw, which JBoss version are you using?

                  Regards,
                  Peter

                  • 6. Re: Another DatabaseServerLoginModule problem
                    hduijn

                    Oops, my fault,

                    Just mentioning the web.xml was enough. I put a constraint on the security like this:

                    <security-constraint>
                      <web-resource-collection>
                        <web-resource-name>HtmlAdaptor</web-resource-name>
                        <description>An example security config that only allows users with the
                        role InvAdmin to access the 'facturatie' web application
                        </description>
                        <url-pattern>/*</url-pattern>
                        <http-method>GET</http-method>
                        <http-method>POST</http-method>
                      </web-resource-collection>
                      <auth-constraint>
                        <role-name>InvAdmin</role-name>
                      </auth-constraint>
                    </security-constraint>

                    But forgot to fill in this role 'InvAdmin' in the users database row. So, the JBoss server acted as it should. I was looking in the wrong direction but you helped me by mentioning the web.xml.

                    Thanks many times, problem solved.

                    Hans
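
The failure resolved in this thread (login succeeds, then 403 because the rolesQuery returns no row for the role named in the auth-constraint), as an added example that is not part of the original posts: a simplified Python model that runs the thread's two queries against a constructed in-memory SQLite stand-in and evaluates the posted constraint. The helper names, the sample password and the plaintext password comparison are assumptions for illustration; it also goes one step beyond the thread by showing that a constraint listing only GET and POST does not cover other HTTP methods.

```python
import sqlite3
import xml.etree.ElementTree as ET

# Queries and constraint as posted in the thread (description omitted).
PRINCIPALS_QUERY = "select log_password from loginusers where log_name=?"
ROLES_QUERY = "select logrol_role, 'Roles' from loginroles where logrol_name=?"
WEB_XML = """<web-app><security-constraint>
  <web-resource-collection>
    <web-resource-name>HtmlAdaptor</web-resource-name>
    <url-pattern>/*</url-pattern>
    <http-method>GET</http-method>
    <http-method>POST</http-method>
  </web-resource-collection>
  <auth-constraint><role-name>InvAdmin</role-name></auth-constraint>
</security-constraint></web-app>"""

def required_roles(web_xml, method):
    """Roles demanded for `method`; None if no constraint covers it."""
    roles, covered = set(), False
    for sc in ET.fromstring(web_xml).iter("security-constraint"):
        methods = {m.text for m in sc.iter("http-method")}
        if not methods or method in methods:  # no <http-method> = all methods
            covered = True
            roles |= {r.text for r in sc.iter("role-name")}
    return roles if covered else None

def decide(db, user, password, method="GET", web_xml=WEB_XML):
    """Simplified model of the container's answer: 200, 401 or 403."""
    needed = required_roles(web_xml, method)
    if needed is None:
        return 200  # method not listed in the constraint: no login required
    row = db.execute(PRINCIPALS_QUERY, (user,)).fetchone()
    if row is None or row[0] != password:
        return 401  # authentication fails, the login dialog reappears
    held = {role for role, group in db.execute(ROLES_QUERY, (user,))
            if group == "Roles"}
    return 200 if held & needed else 403  # authenticated, role row missing

def sample_db(roles):
    """Constructed in-memory stand-in for the thread's MS SQL tables."""
    db = sqlite3.connect(":memory:")
    db.execute("create table loginusers (log_name text, log_password text)")
    db.execute("create table loginroles (logrol_name text, logrol_role text)")
    db.execute("insert into loginusers values ('hduijn', 'example-pw')")
    db.executemany("insert into loginroles values ('hduijn', ?)",
                   [(r,) for r in roles])
    return db
```

Dropping the two `<http-method>` elements from the constraint makes it apply to every method, which `required_roles` reflects by returning the role set for any verb.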