Migration Woes: JBoss 3.2.1 to 3.2.2, BASIC Auth not working
swatkat Oct 28, 2003 3:47 AM
Migration Problem
Hello,
I am working on JBoss 3.2.1 and using Jetty as the web container.
We have our application secured by the BASIC auth-method, and on accessing
the servlet on JBoss 3.2.1 + Jetty everything is working perfectly fine, i.e. Basic Authentication
takes place as the browser prompts with the authentication dialogue box.
But while trying to migrate to JBoss 3.2.2, which comes integrated by default with Tomcat 4.1x,
the deployment is successful and the main context displays the welcome login page.
But when I try to use the application, which needs authentication, the browser doesn't ask
for credentials. The browser DOES NOT prompt me with
the username/password dialogue box, and the EJB container reports the authentication failure.
server.log
******************************************************************************
2003-10-28 14:13:13,838 ERROR [org.jboss.ejb.plugins.SecurityInterceptor] Insufficient method permissions, principal=null, method=create, interface=HOME, requiredRoles=[Doctor, SuperUser, Receptionist, Technician, KennelOperator, Groomer, Accountant], principalRoles=[]
2003-10-28 14:13:13,838 ERROR [org.jboss.ejb.plugins.LogInterceptor] EJBException, causedBy:
java.lang.SecurityException: Insufficient method permissions, principal=null, method=create, interface=HOME, requiredRoles=[Doctor, SuperUser, Receptionist, Technician, KennelOperator, Groomer, Accountant], principalRoles=[]
at org.jboss.ejb.plugins.SecurityInterceptor.checkSecurityAssociation(SecurityInterceptor.java:229)
at org.jboss.ejb.plugins.SecurityInterceptor.invokeHome(SecurityInterceptor.java:81)
at org.jboss.ejb.plugins.LogInterceptor.invokeHome(LogInterceptor.java:120)
...
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
...
at SYS.UserInterface.SecureLoginUIServlet.doGet(SecureLoginUIServlet.java:119)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:740)
...
at org.jboss.web.tomcat.security.JBossSecurityMgrRealm.invoke(JBossSecurityMgrRealm.java:220)
at org.apache.catalina.core.StandardPipeline$StandardPipelineValveContext.invokeNext(StandardPipeline.java:641)
...
at org.apache.catalina.core.StandardPipeline.invoke(StandardPipeline.java:480)
at org.apache.catalina.core.ContainerBase.invoke(ContainerBase.java:995)
at org.apache.coyote.tomcat4.CoyoteAdapter.service(CoyoteAdapter.java:223)
...
at org.apache.tomcat.util.threads.ThreadPool$ControlRunnable.run(ThreadPool.java:619)
at java.lang.Thread.run(Thread.java:534)
2003-10-28 14:13:13,854 INFO [STDOUT] RemoteException : java.rmi.ServerException: EJBException:; nested exception is:
javax.ejb.EJBException: checkSecurityAssociation; CausedByException is:
Insufficient method permissions, principal=null, method=create, interface=HOME, requiredRoles=[Doctor, SuperUser, Receptionist, Technician, KennelOperator, Groomer, Accountant], principalRoles=[]
2003-10-28 14:13:13,870 ERROR [org.jboss.web.localhost.Engine] StandardWrapperValve[SecureLoginUIServlet]: Servlet.service() for servlet SecureLoginUIServlet threw exception
java.lang.NullPointerException
at SYS.UserInterface.SecureLoginUIServlet.doGet(SecureLoginUIServlet.java:149)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:740)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:853)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:247)
...
at org.apache.tomcat.util.net.TcpWorkerThread.runIt(PoolTcpEndpoint.java:565)
at org.apache.tomcat.util.threads.ThreadPool$ControlRunnable.run(ThreadPool.java:619)
******************************************************************************
web.xml
******************************************************************************
<security-constraint>
  <web-resource-collection>
    <web-resource-name>servlet</web-resource-name>
    <description>Declarative security tests</description>
    <url-pattern>/PracticeVeterinary/*</url-pattern>
    <http-method>GET</http-method>
    <http-method>POST</http-method>
  </web-resource-collection>
  <auth-constraint>
    <description>Any user with a valid login</description>
    <role-name>ValidUser</role-name>
  </auth-constraint>
  <user-data-constraint>
    <description>no description</description>
    <transport-guarantee>NONE</transport-guarantee>
  </user-data-constraint>
</security-constraint>
<login-config>
  <auth-method>BASIC</auth-method>
  <realm-name>example2</realm-name>
</login-config>
<security-role>
  <description>A user allowed to invoke echo methods</description>
  <role-name>Echo</role-name>
</security-role>
******************************************************************************
jboss-web.xml
******************************************************************************
<jboss-web>
<security-domain>java:/jaas/example2</security-domain>
....
</jboss-web>
******************************************************************************
login-conf.xml
******************************************************************************
<application-policy name = "example2">
<login-module code = "org.jboss.security.auth.spi.DatabaseServerLoginModule" flag = "required">
<module-option name = "dsJndiName">java:/sscdb</module-option>
<module-option name = "principalsQuery">select Password from Principals where PrincipalID=?</module-option>
<module-option name = "rolesQuery">select Role, RoleGroup from Roles where PrincipalID=?</module-option>
</login-module>
</application-policy>
******************************************************************************
ejb-jar.xml
******************************************************************************
...
<description>SYS.SecureLoginBean</description>
<display-name>SecureLoginBean</display-name>
<ejb-name>SecureLoginBean</ejb-name>
<home>SYS.ProblemDomain.SecureLoginHome</home>
<remote>SYS.ProblemDomain.SecureLogin</remote>
<ejb-class>SYS.ProblemDomain.SecureLoginBean</ejb-class>
<session-type>Stateless</session-type>
<transaction-type>Container</transaction-type>
<resource-ref>
  <res-ref-name>jdbc/sscdb</res-ref-name>
  <res-type>javax.sql.DataSource</res-type>
  <res-auth>Container</res-auth>
</resource-ref>
<assembly-descriptor>
  <security-role>
    <role-name>SuperUser</role-name>
  </security-role>
  <security-role>
    <role-name>ValidUser</role-name>
  </security-role>
</assembly-descriptor>
...
******************************************************************************
Why does the above application work with JBoss 3.2.1 + Jetty and doesn't work with
JBoss 3.2.2 + Tomcat?
It fails to produce an authentication dialog box (BASIC auth) when it is run on the JBoss + Tomcat version.
Any views?
Swatkat
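
Added example, not part of the original post: a Python check over the security part of the web.xml quoted above, reporting roles that an auth-constraint uses without a matching security-role declaration and whether a given request path and method fall under a protected url-pattern. The two request paths are hypothetical, since the post does not show its servlet mappings, and the `<web-app>` wrapper is added only so the fragment parses.

```python
import xml.etree.ElementTree as ET

# Security part of the post's web.xml, wrapped in a <web-app> root so it parses.
WEB_XML = """<web-app>
  <security-constraint>
    <web-resource-collection>
      <url-pattern>/PracticeVeterinary/*</url-pattern>
      <http-method>GET</http-method><http-method>POST</http-method>
    </web-resource-collection>
    <auth-constraint><role-name>ValidUser</role-name></auth-constraint>
  </security-constraint>
  <security-role><role-name>Echo</role-name></security-role>
</web-app>"""

def texts(node, path):
    return {e.text.strip() for e in node.findall(path)}

def pattern_matches(pattern, path):
    """Servlet url-pattern rules: '/prefix/*', '*.ext', default '/', exact."""
    if pattern.endswith("/*"):
        prefix = pattern[:-2]
        return path == prefix or path.startswith(prefix + "/")
    if pattern.startswith("*."):
        return path.endswith(pattern[1:])
    return pattern == "/" or pattern == path

def audit(xml_text):
    """Return (constraints, roles used in auth-constraints but never declared)."""
    root = ET.fromstring(xml_text)
    constraints, used = [], set()
    for sc in root.findall("security-constraint"):
        roles = texts(sc, "auth-constraint/role-name")
        used |= roles
        for wrc in sc.findall("web-resource-collection"):
            constraints.append((texts(wrc, "url-pattern"), texts(wrc, "http-method"), roles))
    return constraints, used - texts(root, "security-role/role-name")

def requires_login(constraints, path, method="GET"):
    """True if a constraint covers this context-relative path and HTTP method."""
    return any((not methods or method in methods)
               and any(pattern_matches(p, path) for p in patterns)
               for patterns, methods, _roles in constraints)

if __name__ == "__main__":
    cons, undeclared = audit(WEB_XML)
    print("roles used but never declared:", sorted(undeclared))
    # Hypothetical request paths: the post does not show its <servlet-mapping>.
    for p in ("/PracticeVeterinary/x", "/SecureLoginUIServlet"):
        print(p, "-> login required:", requires_login(cons, p))
```

A request that no constraint covers is not challenged by the web container, so it reaches the servlet without a caller identity and any EJB call it makes carries no principal.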