2 Replies Latest reply on Aug 20, 2003 2:55 PM by stupiddog

Cactus Testcases & JAAS Security

stupiddog Aug 17, 2003 4:19 PM

I have developed some EJBs that are slightly secured (at the moment, they accept any authenticated user). I also have some Apache Cactus testcases, which get copied as servlets into the web application.

My jboss/client/auth.conf looks like this:
some-config {
org.jboss.security.auth.spi.IdentityLoginModule required
principal=cactus
roles=Adressat,EreignisquellenAdministrator,SystemAdministrator;

org.jboss.security.ClientLoginModule required
password-stacking="useFirstPass"
;
};

InformMeDomain {
org.jboss.security.ClientLoginModule required;
};

other {
// Example client auth.conf for using the SRPLoginModule
// org.jboss.srp.jaas.SRPLoginModule required
// password-stacking="useFirstPass"
// principalClassName="org.jboss.security.SimplePrincipal"
// srpServerJndiName="SRPServerInterface"
// debug=true
// ;
// org.jboss.security.auth.spi.UsersRolesLoginModule required;

// jBoss LoginModule
org.jboss.security.ClientLoginModule required;
// password-stacking="useFirstPass";
// Put your login modules that need jBoss here
};

The EJBs are secured in ejb-jar.xml like this:
...
<method-permission>

<ejb-name>LokalerAdressat</ejb-name>
<method-name>*</method-name>

</method-permission>
...

The security domain is set in jboss.xml:

<security-domain>java:/jaas/InformMeDomain</security-domain>
<enterprise-beans>
...

<ejb-name>LokalerAdressat</ejb-name>
<jndi-name>LokalerAdressatRemote</jndi-name>
<local-jndi-name>LokalerAdressat</local-jndi-name>
<ejb-local-ref>
<ejb-ref-name>ejb/SequenzLocalHome</ejb-ref-name>
<local-jndi-name>SequenzLocal</local-jndi-name>
</ejb-local-ref>

...

My jboss/server/default/conf/login-conf.xml looks like this:
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE policy PUBLIC "-//JBoss//DTD JBOSS Security Config 3.0//EN" "http://www.jboss.org/j2ee/dtd/security_config.dtd">

...
<application-policy name="client-login">

<login-module code="org.jboss.security.auth.spi.UsersRolesLoginModule" flag="required"/>
<login-module code="org.jboss.security.ClientLoginModule" flag="required">
</login-module>

</application-policy>
...
<application-policy name="InformMeDomain">
<login-module code="org.jboss.security.auth.spi.UsersRolesLoginModule" flag="required"/>
</application-policy>
...

In the same directory, I have set up users.properties and roles.properties.

In the testcase, I try to set up the connection like this:

public void setUp() throws Exception {

super.setUp();

// Anmeldung an JAAS
CallbackHandler handler = new MyHandler();
lc = new LoginContext("other", handler);
Subject subject;
try
{
// EXCEPTION GETS THROWN HERE:
lc.login();
subject = lc.getSubject();
log("authentication succeeded");
Iterator it = lc.getSubject().getPrincipals().iterator();
while(it.hasNext()) {
Object o = it.next();
System.out.println("principle: "+o.getClass().getName()+ " "+o);
}

}
catch(LoginException e)
{
log("authentication failed");
e.printStackTrace();
}
// DEBUG
InitialContext context = new InitialContext();
// Wer sind wir?

Object ref = context.lookup("LokalerAdressatRemote");
//In Home-Interface umwandeln
lokalerAdressatRemoteHome = (LokalerAdressatRemoteHome) PortableRemoteObject.narrow(ref, LokalerAdressatRemoteHome.class);
LokalerAdressatRemote lokalerAdressatRemote;
lokalerAdressatRemote = lokalerAdressatRemoteHome.create("vorname", "nachname", "passwort");

In the lc.login() line, the following exception occurs:

00:03:01,317 INFO [STDOUT] -- authentication failed
00:03:01,317 ERROR [STDERR] javax.security.auth.login.LoginException: Anmeldefehler: Alle Module werden ignoriert
00:03:01,317 ERROR [STDERR] at javax.security.auth.login.LoginContext.invoke(LoginContext.java:779)
00:03:01,317 ERROR [STDERR] at javax.security.auth.login.LoginContext.access$000(LoginContext.java:129)
00:03:01,317 ERROR [STDERR] at javax.security.auth.login.LoginContext$4.run(LoginContext.java:610)
00:03:01,317 ERROR [STDERR] at java.security.AccessController.doPrivileged(Native Method)
00:03:01,327 ERROR [STDERR] at javax.security.auth.login.LoginContext.invokeModule(LoginContext.java:607)
00:03:01,337 ERROR [STDERR] at javax.security.auth.login.LoginContext.login(LoginContext.java:534)
00:03:01,337 ERROR [STDERR] at de.fernunihagen.informme.tests.cactus.TestLokalerAdressatTestClientCactus1.setUp(TestLokalerAdressatTestClientCactus1.java:92)

"Anmeldefehler: Alle Module werden ignoriert" seems to be a localized error message from the JDK and means "Login error: All modules were ignored".

What am I doing wrong?

Greetings,
Andreas Buschka

1. Re: Cactus Testcases & JAAS Security

stupiddog Aug 18, 2003 2:15 AM (in response to stupiddog)

I found out that if I make an application policy for "other" in the login.conf.xml, authentication works, but I get an authentication error (bad password for username=null) on the first EJB call. So there might be something wrong with the realm I guess?
Actions
2. Re: Cactus Testcases & JAAS Security

stupiddog Aug 20, 2003 2:55 PM (in response to stupiddog)

I have solved the problem. auth.conf is completely without use when it comes to authentication servlet -> ejb container. Instead, you have to use the entries in login-conf.xml in the server conf directory for both (!) servlet (client) and ejb container (server). so, after all, the important sections from my login-conf.xml are:


<application-policy name="client-login">

<login-module code="org.jboss.security.ClientLoginModule" flag="required"/>

</application-policy>


<application-policy name="InformMeDomain">

<login-module code="org.jboss.security.auth.spi.UsersRolesLoginModule" flag="required" />
</login-module>
Actions

Go to original post