10 Replies Latest reply on Feb 12, 2004 9:55 PM by jeeads

    SRP Authentication and Interceptors

    jeeads

      JBOSS 3.2.3: I am using SRP authentication and a hand-rolled SRPDataBaseVerifierStoreServiceMBean which uses DES to encrypt the passwords in the database using a secret key. I monitor the LogInterceptor and none of the login or logout calls through the SRP login module are ever picked up? I know that the interceptors are called EJB interceptors but I thought all RMI calls passed through them? Can anyone tell me how I can intercept the logins and logouts so I can feed my activity log? I have written an interceptor that logs all calls, to and from the container, to my activity log, which is in a database. All of the calls to my session facades are caught but not the logins and logouts? The intent is to have a configurable activity log that will allow the administrator to log selective activity.

      Thanks
      Jerry Eads

        • 1. Re: SRP Authentication and Interceptors
          starksm64

          The EJB interceptors are specific to the ejb container. To introduce interceptors into the SRP layer, use the detached invoker framework to create a custom proxy with your own interceptors:


          <!-- Expose the SRP service interface via a custom JRMP proxy -->
          <mbean code="org.jboss.invocation.jrmp.server.JRMPProxyFactory"
                 name="jboss.security.tests:service=SRP/JRMP-Proxy">
            <!-- The SRP service mbean name -->
            <attribute name="InvokerName">jboss.security.tests:service=SRPService</attribute>
            <attribute name="ExportedInterface">org.jboss.security.srp.SRPRemoteServerInterface</attribute>
            <attribute name="JndiName">srp-test-jrmp/SRPServerInterface</attribute>
            <attribute name="ClientInterceptors">
              <interceptors>
                <interceptor>org.jboss.proxy.ClientMethodInterceptor</interceptor>
                <!-- Add your interceptor(s) here -->
                <interceptor>org.jboss.invocation.InvokerInterceptor</interceptor>
              </interceptors>
            </attribute>
          </mbean>

          • 2. Re: SRP Authentication and Interceptors
            jeeads

            Scott,
            After updating and adding the xml example to my jboss-service.xml in the server/default/conf directory:
            <!-- =========================================================== -->
            <!-- SRP Interceptor -->
            <!-- =========================================================== -->
            <!-- Expose the SRP service interface via a custom JRMP proxy -->
            <mbean code="org.jboss.invocation.jrmp.server.JRMPProxyFactory"
                   name="jboss.security.tests:service=SRP/JRMP-Proxy">
              <!-- The SRP service mbean name -->
              <attribute name="InvokerName">Security:service=SRPService
              </attribute>
              <attribute name="ExportedInterface">
                org.jboss.security.srp.SRPRemoteServerInterface
              </attribute>
              <attribute name="JndiName">srp-test-jrmp/SRPServerInterface
              </attribute>
              <attribute name="ClientInterceptors">
                <interceptors>
                  <interceptor>
                    org.jboss.proxy.ClientMethodInterceptorHA
                  </interceptor>
                  <!--
                  com.genecodes.jboss.interceptors.SRPInterceptor
                  -->
                  <interceptor>
                    org.jboss.invocation.InvokerInterceptor
                  </interceptor>
                </interceptors>
              </attribute>
            </mbean>


            Notice: my interceptor is commented out
            I received the following error:

            2004-02-11 15:30:57,421 INFO [org.jboss.deployment.scanner.URLDeploymentScanner] Started jboss.deployment:type=DeploymentScanner,flavor=URL
            2004-02-11 15:30:57,546 INFO [org.jboss.deployment.MainDeployer] Deployed package: file:/C:/jboss-3.2.3_tomcat-4.1.29/server/default/conf/jboss-service.xml
            2004-02-11 15:30:57,546 ERROR [org.jboss.system.server.Server] Root deployment has missing dependencies; continuing
            Incomplete Deployment listing:
            Packages waiting for a deployer:

            Incompletely deployed packages:

            MBeans waiting for classes:

            MBeans waiting for other MBeans:
            [ObjectName: jboss.security.tests:service=SRP/JRMP-Proxy
            state: FAILED
            I Depend On:
            Depends On Me:
            org.jboss.deployment.DeploymentException: Exception setting attribute javax.management.Attribute: name=ClientInterceptors value=[interceptors: null]
            on mbean jboss.security.tests:service=SRP/JRMP-Proxy; - nested throwable: (java.lang.ClassNotFoundException: No ClassLoaders found for:
            org.jboss.proxy.ClientMethodInterceptorHA)]
            at org.jboss.deployment.MainDeployer.checkIncompleteDeployments(MainDeployer.java:1135)
            at org.jboss.deployment.MainDeployer.deploy(MainDeployer.java:608)
            at org.jboss.deployment.MainDeployer.deploy(MainDeployer.java:589)
            at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
            at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
            at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
            at java.lang.reflect.Method.invoke(Method.java:324)
            at org.jboss.mx.capability.ReflectedMBeanDispatcher.invoke(ReflectedMBeanDispatcher.java:284)
            at org.jboss.mx.server.MBeanServerImpl.invoke(MBeanServerImpl.java:546)
            at org.jboss.mx.util.MBeanProxyExt.invoke(MBeanProxyExt.java:177)
            at $Proxy5.deploy(Unknown Source)
            at org.jboss.system.server.ServerImpl.doStart(ServerImpl.java:384)
            at org.jboss.system.server.ServerImpl.start(ServerImpl.java:291)
            at org.jboss.Main.boot(Main.java:150)
            at org.jboss.Main$1.run(Main.java:395)
            at java.lang.Thread.run(Thread.java:534)

            The jbossha.jar is in the server/default/lib directory and the ClientMethodInterceptorHA class is in the jar. If I comment out the ClientMethodInterceptorHA interceptor I get a null pointer exception when loading the jboss-service.xml? This is the first time I have tried JRMP; any ideas what's up?

            Thanks

            • 3. Re: SRP Authentication and Interceptors
              starksm64

              The org.jboss.proxy.ClientMethodInterceptorHA was incorrect and I have edited the original post to use the correct org.jboss.proxy.ClientMethodInterceptor.

              • 4. Re: SRP Authentication and Interceptors
                jeeads

                Scott,
                On line 126 of the JRMPProxyFactory.java code it is looking for a target which is not defined in the deployment descriptor? Without the target we get the NullPointerException. Should the target be the Security:service=SRPService that I have defined in the security section of the jboss-service.xml? That section of the xml has a depends that directs the security service to my SRPDatabaseVerifierStoreService mbean. Using jboss.security.tests:service=SRPService as the invoker returns with an invoker not found message?

                Thanks

                • 5. Re: SRP Authentication and Interceptors
                  starksm64

                  The TargetName should be the SRP service; the InvokerName should be the detached invoker service handling the transport. For RMI/JRMP it should be:

                  <!-- Expose the SRP service interface via a custom JRMP proxy -->
                  <mbean code="org.jboss.invocation.jrmp.server.JRMPProxyFactory"
                         name="jboss.security.tests:service=SRP/JRMP-Proxy">
                    <attribute name="InvokerName">jboss:service=invoker,type=jrmp</attribute>
                    <!-- The SRP service mbean name -->
                    <attribute name="TargetName">jboss.security.tests:service=SRPService</attribute>
                    <attribute name="ExportedInterface">org.jboss.security.srp.SRPRemoteServerInterface</attribute>
                    <attribute name="JndiName">srp-test-jrmp/SRPServerInterface</attribute>
                    <attribute name="ClientInterceptors">
                      <interceptors>
                        <interceptor>org.jboss.proxy.ClientMethodInterceptor</interceptor>
                        <!-- Add your interceptor(s) here -->
                        <interceptor>org.jboss.invocation.InvokerInterceptor</interceptor>
                      </interceptors>
                    </attribute>
                  </mbean>
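
Added example (not part of the thread, and not JBoss code): a small Python lint for the wiring reply 5 describes, flagging a JRMPProxyFactory with no TargetName, a TargetName that is not defined in the same descriptor, or an InvokerName that is not the detached invoker. The sample descriptor, the `example:` MBean names and the function names are constructed for illustration; expecting the target in the same file and comparing ObjectNames as plain strings are simplifying assumptions.

```python
import xml.etree.ElementTree as ET
PROXY_FACTORY = "org.jboss.invocation.jrmp.server.JRMPProxyFactory"
# Detached invoker named in reply 5; add others for other transports (assumption).
KNOWN_INVOKERS = {"jboss:service=invoker,type=jrmp"}

# Constructed sample descriptor, not taken from the thread.
SAMPLE = """<server>
 <mbean code="org.jboss.security.srp.SRPService" name="Security:service=SRPService"/>
 <mbean code="org.jboss.invocation.jrmp.server.JRMPProxyFactory" name="example:proxy=good">
  <attribute name="InvokerName">jboss:service=invoker,type=jrmp</attribute>
  <attribute name="TargetName">Security:service=SRPService</attribute>
 </mbean>
 <mbean code="org.jboss.invocation.jrmp.server.JRMPProxyFactory" name="example:proxy=no-target">
  <attribute name="InvokerName">Security:service=SRPService</attribute>
 </mbean>
 <mbean code="org.jboss.invocation.jrmp.server.JRMPProxyFactory" name="example:proxy=stale-target">
  <attribute name="InvokerName">jboss:service=invoker,type=jrmp</attribute>
  <attribute name="TargetName">jboss.security.tests:service=SRPService</attribute>
 </mbean>
</server>"""


def attr(mbean, name):
    """Trimmed text of <attribute name="..."> under this mbean, or None if absent."""
    for a in mbean.findall("attribute"):
        if a.get("name") == name:
            return (a.text or "").strip()


def lint_proxies(descriptor_xml, invokers=KNOWN_INVOKERS):
    """Map each JRMPProxyFactory MBean name to a list of wiring findings."""
    root = ET.fromstring(descriptor_xml)
    defined = {m.get("name") for m in root.iter("mbean")}
    report = {}
    for m in root.iter("mbean"):
        if m.get("code") != PROXY_FACTORY:
            continue
        target, invoker = attr(m, "TargetName"), attr(m, "InvokerName")
        findings = []
        if not target:
            findings.append("TargetName missing")
        elif target not in defined:
            findings.append("TargetName not defined here: " + target)
        if invoker not in invokers:
            findings.append("InvokerName is not a detached invoker: " + str(invoker))
        report[m.get("name")] = findings
    return report

if __name__ == "__main__":
    for name, findings in lint_proxies(SAMPLE).items():
        print(name, "->", findings or "ok")
```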

                  • 6. Re: SRP Authentication and Interceptors
                    jeeads

                    Scott,
                    My jboss-service.xml is set up like this:
                    <!-- ========================================================== -->
                    <!-- Security -->
                    <!-- ========================================================= -->
                    <mbean code="org.jboss.security.plugins.SecurityConfig"
                           name="jboss.security:service=SecurityConfig">
                      <attribute
                        name="LoginConfig">jboss.security:service=XMLLoginConfig
                      </attribute>
                    </mbean>
                    <mbean code="org.jboss.security.auth.login.XMLLoginConfig"
                           name="jboss.security:service=XMLLoginConfig">
                      <attribute
                        name="ConfigResource">login-config.xml
                      </attribute>
                    </mbean>

                    <!-- JAAS security manager and realm mapping -->
                    <mbean code="org.jboss.security.plugins.JaasSecurityManagerService"
                           name="jboss.security:service=JaasSecurityManager">
                      <attribute name="SecurityManagerClassName">
                        org.jboss.security.plugins.JaasSecurityManager
                      </attribute>
                    </mbean>
                    <mbean code="com.synapps.jmx.jaas.srp.SRPDatabaseVerifierStoreService"
                           name="Security:name=GCSecurityService">
                      <attribute
                        name="JndiName">srp/GCVerifierStore
                      </attribute>
                      <attribute
                        name="DsJndiName">java:/MSSQLServer2000MetaData
                      </attribute>
                      <!--attribute
                        name="PasswordQuery">SELECT password FROM users WHERE userid=?
                      </attribute-->
                      <attribute
                        name="PasswordQuery">SELECT password,privatekey from users,password
                        WHERE users.active=1 AND users.locked=0 AND users.userid=? AND
                        password.id=users.passwordid
                      </attribute>
                    </mbean>

                    <mbean code="org.jboss.security.srp.SRPService"
                           name="Security:service=SRPService">
                      <attribute
                        name="VerifierSourceJndiName">srp/GCVerifierStore
                      </attribute>
                      <attribute
                        name="AuthenticationCacheJndiName">srp/AuthenticationCache
                      </attribute>
                      <attribute
                        name="AuthenticationCacheTimeout">154395000
                      </attribute>
                      <attribute
                        name="JndiName">srp/SRPServerInterface
                      </attribute>
                      <attribute
                        name="ServerPort">0
                      </attribute>
                      <depends>Security:name=GCSecurityService</depends>
                    </mbean>
                    <!-- ========================================================= -->
                    <!-- SRP Interceptor -->
                    <!-- ========================================================= -->
                    <!-- Expose the SRP service interface via a custom JRMP proxy -->
                    <!--
                    The JRMP invoker proxy configuration for the InvokerAdaptorService
                    -->
                    <mbean code="org.jboss.invocation.jrmp.server.JRMPProxyFactory"
                           name="jboss.security.tests:service=SRP/JRMP-Proxy">
                      <attribute
                        name="InvokerName">jboss:service=invoker,type=jrmp
                      </attribute>
                      <attribute
                        name="TargetName">jboss.security.tests:service=SRPService
                      </attribute>
                      <attribute
                        name="JndiName">srp-test-jrmp/SRPServerInterface
                      </attribute>
                      <attribute
                        name="ExportedInterface">org.jboss.security.srp.SRPRemoteServerInterface
                      </attribute>
                      <attribute name="ClientInterceptors">
                        <interceptors>
                          <interceptor>
                            org.jboss.proxy.ClientMethodInterceptor
                          </interceptor>
                          <interceptor>
                            com.genecodes.jboss.interceptors.SRPInterceptor
                          </interceptor>
                          <interceptor>
                            org.jboss.invocation.InvokerInterceptor
                          </interceptor>
                        </interceptors>
                      </attribute>
                    </mbean>

                    When I log on to the container through SRP, I am not seeing the logging that my interceptor should log? This is very new to me; am I missing something? My interceptor uses the same framework as the securityinterceptor, mainly just an invoke method. In the invoke I am logging the method and arguments.

                    Thanks

                    • 7. Re: SRP Authentication and Interceptors
                      starksm64

                      The proxy interceptor runs in the client VM with the proxy code. To insert an interceptor on the server side you need to deploy the SRPService as an XMBean and add an interceptor. See the admin/devel guide or the testsuite for examples.

                      • 8. Re: SRP Authentication and Interceptors
                        jeeads

                        Scott,
                        We do have a document license with JBoss, however, our latest update for the subscription was January 2003, do I need to update my documentation? The Admin version I have has much on MBeans but nothing on XMBeans?

                        Thanks

                        • 9. Re: SRP Authentication and Interceptors
                          starksm64

                          The last update of the subscription content was Jan 2004 so you're way out of date. See the testsuite/src/resource/jmx/interceptors and related tests for examples in the codebase.

                          • 10. Re: SRP Authentication and Interceptors
                            jeeads

                            Thanks much for all of your assistance.

                            Jerry