2 Replies Latest reply on Nov 13, 2003 6:14 AM by alextalib

    AuthenticationManager, SecurityAssociation and JBossWeb

    gary.udstrand

      I have a servlet that I am using to authenticate a user. The servlet manages to authenticate the user just fine; however, whenever I attempt to retrieve the principal in a JSP it is null.

      I was previously using the DatabaseServerLoginModule and everything was working just fine. I am aware of the limitation of JBoss/JBossWeb and the resultant null principal in unsecured pages. The pages I am having problems with are secured.

      The servlet code is below; can someone tell me why I am not able to find a valid principal in the session?

      import javax.naming.InitialContext;
      import javax.naming.NamingException;
      import javax.servlet.http.HttpServletRequest;
      import javax.servlet.http.HttpServletResponse;
      import org.apache.struts.action.ActionForm;
      import org.apache.struts.action.ActionForward;
      import org.apache.struts.action.ActionMapping;
      import org.jboss.security.AuthenticationManager;
      import org.jboss.security.RealmMapping;
      import org.jboss.security.SecurityAssociation;
      import org.jboss.security.SimplePrincipal;

      // ActionBase and Log are the poster's own helper classes (not shown in the thread).
      public class SecurityAction extends ActionBase {

          public ActionForward performAction(ActionMapping mapping, ActionForm form,
                                             HttpServletRequest request, HttpServletResponse response)
                  throws Exception {
              String username = request.getParameter("j_username");
              String userpassword = request.getParameter("j_password");
              Log.debug(this, "username : " + username);
              // The submitted password is deliberately not written to the log.
              if (authenticate(username, userpassword)) {
                  return mapping.findForward("success");
              } else {
                  return mapping.findForward("error");
              }
          }

          public boolean authenticate(String pUsername, String pUserPassword) {
              // A missing form field would otherwise surface as a NullPointerException below.
              if (pUsername == null || pUserPassword == null) {
                  return false;
              }
              try {
                  InitialContext iniCtx = new InitialContext();
                  AuthenticationManager securityMgr = (AuthenticationManager)
                          iniCtx.lookup("java:comp/env/security/securityMgr");
                  SimplePrincipal principal = new SimplePrincipal(pUsername);
                  if (securityMgr.isValid(principal, pUserPassword)) {
                      // Indicate the user is allowed access to the web content...
                      // Propagate the user info to JBoss for any calls made by the servlet
                      // (SecurityAssociation state is thread-local to the current request).
                      SecurityAssociation.setPrincipal(principal);
                      SecurityAssociation.setCredential(pUserPassword.toCharArray());
                      RealmMapping securityRealmMgr = (RealmMapping)
                              iniCtx.lookup("java:comp/env/security/realmMapping");
                      Log.debug(this, "Roles : " + securityRealmMgr.getUserRoles(principal));
                  } else {
                      // Deny access...
                      return false;
                  }
              } catch (NamingException ne) {
                  ne.printStackTrace();
                  return false;
              }
              return true;
          }
      }

        • 1. Re: AuthenticationManager, SecurityAssociation and JBossWeb
          sradford

          I'm having the same problem. Anyone have the answer?

          To me it seems that I'm losing the Principal as it is not being propagated during a change in Thread.

          - And I can't test this theory as the SecurityAssociation class has no unsetServer() property.
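As an added illustration (not code from any poster in this thread): SecurityAssociation keeps the principal and credential in thread-local state, so a value set while handling the login request is not automatically present on the thread that serves the next request. One way to re-establish it on every request is a servlet filter that reads what the login code stored in the HttpSession; the session attribute names are assumptions, and the login action would have to store the principal and credential under them after a successful isValid() call (javax.servlet 2.3 and org.jboss.security APIs as used in JBoss 3.2).

```java
import java.io.IOException;
import java.security.Principal;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpSession;
import org.jboss.security.SecurityAssociation;

// Added example: re-binds the JBoss SecurityAssociation to the current request
// thread from values the login code stored in the HttpSession. Attribute names
// are hypothetical.
public class SecurityAssociationFilter implements Filter {
    public static final String PRINCIPAL_ATTR = "example.jboss.principal";
    public static final String CREDENTIAL_ATTR = "example.jboss.credential";

    public void init(FilterConfig config) throws ServletException { }

    public void destroy() { }

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpSession session = ((HttpServletRequest) req).getSession(false);
        Principal principal = null;
        char[] credential = null;
        if (session != null) {
            principal = (Principal) session.getAttribute(PRINCIPAL_ATTR);
            credential = (char[]) session.getAttribute(CREDENTIAL_ATTR);
        }
        if (principal != null && credential != null) {
            // SecurityAssociation is thread-local: set it for this request's thread so
            // JSPs and EJB calls made while handling the request see the logged-in user.
            SecurityAssociation.setPrincipal(principal);
            SecurityAssociation.setCredential(credential);
        }
        try {
            chain.doFilter(req, res);
        } finally {
            // Clear on the way out so a pooled worker thread never carries one
            // user's identity into the next request it serves.
            SecurityAssociation.setPrincipal(null);
            SecurityAssociation.setCredential(null);
        }
    }
}
```

Keeping the credential in the session extends its lifetime to that of the session, which is the price of letting the EJB layer re-authenticate through the login module on each call; invalidate the session on logout so both attributes are dropped with it.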

          • 2. Re: AuthenticationManager, SecurityAssociation and JBossWeb
            alextalib

            I am getting a similar problem. I can log in using FORM-based login, which works fine, and the principal is propagated to the EJB layer. On subsequent calls, however, I end up with a null principal, which means I can't properly call EJBs from the web container.

            I am using:
            - jboss-3.2.2 with jbossweb-tomcat41.sar
            - securityfilter-1.1 with com.aegeus.securityfilter.JBossRealmAdapter
            - DatabaseServerLoginModule to a MySQL database

            If I swap out the jbossweb-tomcat41.sar and use jbossweb-jetty.sar, the authentication mostly works, but the problem still appears every now and then. The pages I am trying to access are secured using the securityfilter mechanism.

            *************************** Log Snippet from initial login ******************************
            2003-11-13 01:20:25,729 DEBUG [org.apache.struts.taglib.tiles.InsertTag] insert page='/WEB-INF/tiles/default/footer.jsp'.
            2003-11-13 01:20:25,739 DEBUG [org.apache.struts.tiles.TilesRequestProcessor] 'page.index' - processed as definition
            2003-11-13 01:20:32,579 TRACE [org.jboss.security.auth.login.XMLLoginConfigImpl] getAppConfigurationEntry, authInfo=AppConfigurationEntry[]:
            [0]
            LoginModule Class: org.jboss.security.auth.spi.DatabaseServerLoginModule
            ControlFlag: LoginModuleControlFlag: required
            Options:name=rolesQuery, value=select r.Name, 'Roles'
            from entity l, entity_role lr, role r
            where l.entityId = lr.entityId
            and lr.roleName = r.name
            and l.Name=?
            name=principalsQuery, value=select password from entity where Name=?
            name=password-stacking, value=useFirstPass
            name=dsJndiName, value=java:/MySqlDS

            2003-11-13 01:20:32,589 TRACE [org.jboss.security.auth.spi.DatabaseServerLoginModule] initialize
            2003-11-13 01:20:32,589 TRACE [org.jboss.security.auth.spi.DatabaseServerLoginModule] DatabaseServerLoginModule, dsJndiName=java:/MySqlDS
            2003-11-13 01:20:32,589 TRACE [org.jboss.security.auth.spi.DatabaseServerLoginModule] principalsQuery=select password from entity where Name=?
            2003-11-13 01:20:32,589 TRACE [org.jboss.security.auth.spi.DatabaseServerLoginModule] rolesQuery=select r.Name, 'Roles'
            from entity l, entity_role lr, role r
            where l.entityId = lr.entityId
            and lr.roleName = r.name
            and l.Name=?
            2003-11-13 01:20:32,589 TRACE [org.jboss.security.auth.spi.DatabaseServerLoginModule] login
            2003-11-13 01:20:33,099 TRACE [org.jboss.security.auth.spi.DatabaseServerLoginModule] User 'alex' authenticated, loginOk=true
            2003-11-13 01:20:33,099 TRACE [org.jboss.security.auth.spi.DatabaseServerLoginModule] commit, loginOk=true
            2003-11-13 01:20:33,099 TRACE [org.jboss.security.plugins.JaasSecurityManager.JDBCRealm] updateCache, subject=Subject:
            Principal: alex
            Principal: Roles(members:student)

            2003-11-13 01:20:33,099 TRACE [com.aegeus.securityfilter.JBossRealmAdapter] authenticate( alex, ****): alex
            2003-11-13 01:20:33,149 DEBUG [org.apache.struts.util.ModuleUtils] Get module name for path /index.html
            2003-11-13 01:20:33,149 DEBUG [org.apache.struts.util.ModuleUtils] Module name found: default
            2003-11-13 01:20:33,149 DEBUG [org.apache.struts.action.RequestProcessor] Processing a 'GET' for path '/index'
            .
            .
            .
            .
            *********** log snippet from a subsequent call where the web container makes a call to the ejb layer ******************
            2003-11-12 18:41:37,022 DEBUG [org.apache.struts.taglib.tiles.InsertTag] insert page='/WEB-INF/tiles/default/loginform.jsp'.
            2003-11-12 18:41:37,032 DEBUG [org.apache.struts.taglib.tiles.InsertTag] insert page='/WEB-INF/tiles/default/work.jsp'.
            2003-11-12 18:41:37,042 TRACE [au.com.lavaconsulting.core.ServiceLocator] getRemoteService(10 [education/RemoteStudentFacadeEJB]):
            2003-11-12 18:41:37,042 TRACE [au.com.lavaconsulting.core.ServiceLocator] getRemoteHome(10 [education/RemoteStudentFacadeEJB]):
            2003-11-12 18:41:37,042 TRACE [au.com.lavaconsulting.education.impl.PersonFacadeEJBBean] setSessionContext() org.jboss.ejb.StatefulSessionEnterpriseContext$StatefulSessionContextImpl@efc0ee
            2003-11-12 18:41:37,042 TRACE [org.jboss.security.auth.login.XMLLoginConfigImpl] getAppConfigurationEntry, authInfo=AppConfigurationEntry[]:
            [0]
            LoginModule Class: org.jboss.security.auth.spi.DatabaseServerLoginModule
            ControlFlag: LoginModuleControlFlag: required
            Options:name=rolesQuery, value=select r.Name, 'Roles'
            from entity l, entity_role lr, role r
            where l.entityId = lr.entityId
            and lr.roleName = r.name
            and l.Name=?
            name=principalsQuery, value=select password from entity where Name=?
            name=password-stacking, value=useFirstPass
            name=dsJndiName, value=java:/MySqlDS

            2003-11-12 18:41:37,042 TRACE [org.jboss.security.auth.spi.DatabaseServerLoginModule] initialize
            2003-11-12 18:41:37,042 TRACE [org.jboss.security.auth.spi.DatabaseServerLoginModule] DatabaseServerLoginModule, dsJndiName=java:/MySqlDS
            2003-11-12 18:41:37,042 TRACE [org.jboss.security.auth.spi.DatabaseServerLoginModule] principalsQuery=select password from entity where Name=?
            2003-11-12 18:41:37,042 TRACE [org.jboss.security.auth.spi.DatabaseServerLoginModule] rolesQuery=select r.Name, 'Roles'
            from entity l, entity_role lr, role r
            where l.entityId = lr.entityId
            and lr.roleName = r.name
            and l.Name=?
            2003-11-12 18:41:37,042 TRACE [org.jboss.security.auth.spi.DatabaseServerLoginModule] login
            2003-11-12 18:41:37,042 TRACE [org.jboss.security.auth.spi.DatabaseServerLoginModule] Authenticating as unauthenticatedIdentity=null
            2003-11-12 18:41:37,052 TRACE [org.jboss.security.auth.spi.DatabaseServerLoginModule] abort
            2003-11-12 18:41:37,052 DEBUG [org.jboss.security.plugins.JaasSecurityManager.JDBCRealm] Login failure
            javax.security.auth.login.FailedLoginException: No matching username found in Principals
            at org.jboss.security.auth.spi.DatabaseServerLoginModule.getUsersPassword(DatabaseServerLoginModule.java:102)
            at org.jboss.security.auth.spi.UsernamePasswordLoginModule.login(UsernamePasswordLoginModule.java:150)
            at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
            at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
            at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
            at java.lang.reflect.Method.invoke(Method.java:324)
            at javax.security.auth.login.LoginContext.invoke(LoginContext.java:675)
            at javax.security.auth.login.LoginContext.access$000(LoginContext.java:129)