14 Replies Latest reply on Jul 8, 2003 2:58 PM by worthe

    DatabaseLogin help

    worthe

      We purchased the JBOSS documentation recently and I am still having some
      authentication trouble. I think I am missing something simple. I have the spi.UsersRolesLoginModule working, but can not get the DatabaseServerLoginModule to work.

      Specifically, the login seems to do something when I access the intro
      jsp page, but I can not login and I am not sure if it connects or what. I thought I turned on the log4j debugging by changing log4j:configuration debug value to true. But I do not get any additional info. Do I have to add a new appender or something? Here is all the info I get on the login attempt :

      12:20:35,374 INFO [MainDeployer] Deployed package:
      file:/opt/jboss-3.2.1_tomcat-4.1.24/server/default/deploy/mqosa.ear
      12:22:33,012 INFO [JaasSecurityManagerService] Created
      securityMgr=org.jboss.security.plugins.JaasSecurityManager@198a654
      12:22:33,069 INFO [JaasSecurityManagerService] setCachePolicy,
      c=org.jboss.util.TimedCachePolicy@1140db
      12:22:33,114 INFO [JaasSecurityManagerService] Added MQOSA_DB,
      org.jboss.security.plugins.SecurityDomainContext@b91602 to map

      I am able to change database contents elsewhere using some CMP beans, so
      I don't think the connection is a problem. However, I always go to the
      failed login page. Is there a way to debug this, or can you think what
      I am doing wrong?

      I have configured the jboss.xml as follows :
      <login-config>
      <auth-method>FORM</auth-method>
      <realm-name>JBoss JMX Console</realm-name>
      <form-login-config>
      <form-login-page>/jsp/login.jsp</form-login-page>
      <form-error-page>/jsp/authenticationError.jsp</form-error-page>
      </form-login-config>
      </login-config>

      <security-role>
      <role-name>JBossAdmin</role-name>
      </security-role>

      and the jboss-web.xml as follows:
      <?xml version="1.0" encoding="UTF-8"?>
      <jboss-web>
      <security-domain>java:/jaas/MQOSA_DB</security-domain>
      </jboss-web>

      and the server/deploy/conf/login_config.xml as follows:
      <application-policy name = "MQOSA_DB">

      <login-module
      code="org.jboss.security.auth.spi.DatabaseServerLoginModule"
      flag = "required" >
      <module-option name = "dsJndiName">WalterDS</module-option>
      <module-option name = "principalsQuery">select password from
      mqosa_user where login=?</module-option>
      <module-option name = "rolesQuery">select role, 'Roles' from
      role_user where login=?</module-option>
      </login-module>

      </application-policy>

      I have spent a few days on this and would appreciate any help. The
      users.properties/roles.properties login works, but we need it to be
      dynamic.



      Thanks for any help,

      Peter Worthing

        • 1. Re: DatabaseLogin help
          haraldgliebe

          Hi Peter,

          the dsJndiName option must have the 'java:/' prefix. Could you try again with

          <module-option name = "dsJndiName">java:/WalterDS</module-option>

          Regards,
          Harald

          • 2. Re: DatabaseLogin help
            worthe

            Thanks, but it still does not work and I see no new error messages.
            How exactly do you set up the error logging?

            I thought I turned on the log4j debugging by changing log4j:configuration debug value at the top to true. But I do not get any additional info. Do I have to add a new appender or something?

            Peter

            • 3. Re: DatabaseLogin help





              and remove the threshold param from the (file) appender

              Hth
              Peter

              • 4. Re: DatabaseLogin help
                haraldgliebe

                Change the Threshold for the console to TRACE, restrict everything under "org" to INFO and enable TRACE for org.jboss.web and org.jboss.security.



                <param name="Threshold" value="TRACE"/>
                ...















                Regards
                Harald

                • 5. Re: DatabaseLogin help
                  worthe

                  thank you both, the errors are coming in now!

                  • 6. Re: DatabaseLogin help
                    worthe

                    I am getting a wrong password error and I know (from the Oracle database) that it is correct. I tried the trim function to no avail.

                    1. Is there a way to print out the password in the select statement, so that it shows up in the debug messages?
                    or
                    2. Is it an encryption problem? I did not specify an encryption in my setup and I am trying to do simple testing with straight text for now!

                    Peter

                    • 7. Re: DatabaseLogin help
                      haraldgliebe

                      Hi Peter,

                      1. Passwords are not logged for security reasons. To see what password is read from the database you could either get the sources and use a debugger or subclass the DatabaseServerLoginModule and overwrite
                      protected boolean validatePassword(String inputPassword, String expectedPassword)
                      and configure this class in login-config.xml

                      2. Unless you have a "hashAlgorithm" module-option set in your configuration, the DB login module assumes clear text passwords in the database, so it should not be an encryption issue.

                      Harald

                      • 8. Re: DatabaseLogin help - bind variable does not exist
                        worthe


                        somehow today after I restarted jboss, it seems to accept the password?
                        now I am stuck with the following error during authentication :

                        12:48:38,140 INFO [Engine] Authenticator[/mqosa]: Security checking request POST /mqosa/jsp/j_security_check
                        12:48:38,140 INFO [Engine] Authenticator[/mqosa]: Checking for reauthenticate in session StandardSession[08B1D793134D433FFC8F190EBF857C04]
                        12:48:38,142 INFO [Engine] Authenticator[/mqosa]: Authenticating username 'alex'
                        12:48:38,279 ERROR [DatabaseServerLoginModule] SQL failure
                        java.sql.SQLException: ORA-01006: bind variable does not exist

                        at oracle.jdbc.dbaccess.DBError.throwSqlException(DBError.java:134)
                        at oracle.jdbc.ttc7.TTIoer.processError(TTIoer.java:289)
                        at oracle.jdbc.ttc7.Oall7.receive(Oall7.java:573)
                        at oracle.jdbc.ttc7.TTC7Protocol.doOall7(TTC7Protocol.java:1891)

                        Anyone have any ideas?


                        Pete

                        • 9. Re: DatabaseLogin help
                          worthe

                          not exactly sure, but it looks like it was related to the roles query after the password was authenticated. I changed it and it looks a little better.
                          Now I get :

                          13:07:14,382 DEBUG [MQOSA_DB3] Login failure
                          javax.security.auth.login.LoginException: No LoginModules configured for MQOSA_DB3
                          at javax.security.auth.login.LoginContext.init(LoginContext.java:189)


                          Which does not make sense to me because I thought that this whole time I have been trying to get the DatabaseServerLoginModule to work?

                          Peter

                          • 10. Re: DatabaseLogin help
                            worthe

                            looks like an xml typo in the login-config.xml

                            • 11. Re: DatabaseLogin help - bind variable does not exist
                              haraldgliebe

                              > 12:48:38,279 ERROR [DatabaseServerLoginModule] SQL failure java.sql.SQLException: ORA-01006: bind variable does not exist

                              Are you still using the same queries as in your first message?
                              Could you post the output of "desc mqosa_user" and "desc role_user" in SQL*Plus?

                              Harald

                              • 12. Re: DatabaseLogin help
                                worthe

                                side note: extending the validatePassword() method worked great (even though restarting jboss was probably the answer).. Thanks.

                                I am still getting the bind exception above.
                                I think it is related to the roles query
                                "select name, 'Roles' from role where name=JBossAdmin"

                                When I try this query in SqlPlus, I get :
                                NAME
                                --------------------------------------------------------------------------------'ROLE
                                -----
                                JBossAdmin
                                Roles

                                The formatting looks a little funny, but I have read that I have to have the Roles in there?
                                I think that this might be the problem?
                                I will try adding a separate field to the table which always has Roles in it. Other than that, I am stuck?

                                • 13. Re: DatabaseLogin help
                                  haraldgliebe

                                  > "select name, 'Roles' from role where name=JBossAdmin"
                                  >

                                  Is this the configured query? In that case you would always get the name as role?

                                  > I will try adding a separate field to the table which
                                  > always has Roles in it. Other than that, I am
                                  > stuck?
                                  >

                                  Instead of adding a column to the table you might also create a view to get the needed 'Roles' value:

                                  create view roleview as select login, role, 'Roles' as rolegroup from role;

                                  and then use

                                  select role, rolegroup from roleview where login = ?

                                  as your rolesQuery.

                                  Regards,
                                  Harald

                                  • 14. Re: DatabaseLogin help
                                    worthe

                                    Thank you for your response!
                                    Here is what I think I have learned from the experience :

                                    1. It looks like you have to have the "where username=?" condition. I was trying to simplify and just get it running quickly with no roles setup.

                                    2. Also, the [ ,'Roles' ] adds a column to the result but the title seems to get altered. The title becomes [ 'Roles ] , with a quote on the start. Changing it to [ , 'Roles' as RoleGroup ] explicitly gives it a valid title.
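
Added example (not part of the thread and not JBoss code): a small Python lint for the DatabaseServerLoginModule settings the replies above converge on, namely the 'java:/' prefix on dsJndiName, exactly one "?" bind placeholder in each query (the cause of ORA-01006 here), a two-column rolesQuery, and an unset hashAlgorithm. The function names and the sample policy are constructed for illustration.

```python
import re
import xml.etree.ElementTree as ET

DB_MODULE = "org.jboss.security.auth.spi.DatabaseServerLoginModule"

# Constructed sample: the policy as posted in the question, with the
# placeholder-less roles query quoted in reply 12 swapped in.
SAMPLE = """<application-policy name="MQOSA_DB">
  <login-module code="org.jboss.security.auth.spi.DatabaseServerLoginModule" flag="required">
    <module-option name="dsJndiName">WalterDS</module-option>
    <module-option name="principalsQuery">select password from
      mqosa_user where login=?</module-option>
    <module-option name="rolesQuery">select name, 'Roles' from role where name=JBossAdmin</module-option>
  </login-module>
</application-policy>"""

def select_columns(sql):
    """Count select-list columns, ignoring commas in quotes or (non-nested) parentheses."""
    m = re.search(r"select\s+(.*?)\s+from\s", sql, re.I | re.S)
    if not m:
        return 0
    return re.sub(r"'[^']*'|\([^()]*\)", "", m.group(1)).count(",") + 1

def lint_policy(xml_text):
    """Return (policy, option, problem) tuples; options that are absent are skipped."""
    findings = []
    for policy in ET.fromstring(xml_text).iter("application-policy"):
        for module in policy.iter("login-module"):
            if module.get("code") != DB_MODULE:
                continue
            opts = {o.get("name"): " ".join((o.text or "").split())
                    for o in module.iter("module-option")}
            name = policy.get("name")
            if "dsJndiName" in opts and not opts["dsJndiName"].startswith("java:/"):
                findings.append((name, "dsJndiName", "missing 'java:/' prefix"))
            for q in ("principalsQuery", "rolesQuery"):
                # Count "?" outside string literals; an absent query counts as fine.
                binds = re.sub(r"'[^']*'", "", opts.get(q, "?")).count("?")
                if binds != 1:
                    findings.append((name, q, f"needs exactly one '?', found {binds}"))
            if "rolesQuery" in opts and select_columns(opts["rolesQuery"]) != 2:
                findings.append((name, "rolesQuery", "must select role and role group"))
            if "hashAlgorithm" not in opts:
                findings.append((name, "hashAlgorithm", "unset: clear-text passwords assumed"))
    return findings

if __name__ == "__main__":
    for finding in lint_policy(SAMPLE):
        print(*finding, sep=": ")
```

Run against a copy of login-config.xml before deploying; it only reads the XML and does not connect to the database.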