5 Replies Latest reply on Jun 1, 2004 11:00 AM by eelco69

    cannot get multiple realms to work with 3.2 (works well in 3

    eelco69

      Hello,

      I have searched all forums, but haven't been able to find anything about my problem. I have multiple websites in production running on a 3.0.7 JBoss server. Everything works fine. However, I am now trying to get the same websites running under 3.2. Now something weird happens: for the first realm I enter, everything is fine. The second realm, however, gets a null principal. Here is the configuration:

      oracle-ds file:

      <local-tx-datasource>
      <jndi-name>x1_datasource</jndi-name>
      <connection-url>jdbc:oracle:thin:@(description=(address=(host=myHost)(protocol=tcp)(port=1521))(connect_data=(SERVICE_NAME=mySid)))</connection-url>
      <driver-class>oracle.jdbc.driver.OracleDriver</driver-class>
      <user-name>x1</user-name>
      <password>xxxxxx</password>
      <exception-sorter-class-name>org.jboss.resource.adapter.jdbc.vendor.OracleExceptionSorter</exception-sorter-class-name>
      </local-tx-datasource>
      <local-tx-datasource>
      <jndi-name>x2_datasource</jndi-name>
      <connection-url>jdbc:oracle:thin:@(description=(address=(host=myHost)(protocol=tcp)(port=1521))(connect_data=(SERVICE_NAME=mySid)))</connection-url>
      <driver-class>oracle.jdbc.driver.OracleDriver</driver-class>
      <user-name>x2</user-name>
      <password>xxxxx</password>
      <exception-sorter-class-name>org.jboss.resource.adapter.jdbc.vendor.OracleExceptionSorter</exception-sorter-class-name>
      </local-tx-datasource>
      <local-tx-datasource>
      <jndi-name>x3_datasource</jndi-name>
      <connection-url>jdbc:oracle:thin:@(description=(address=(host=myhost)(protocol=tcp)(port=1521))(connect_data=(SERVICE_NAME=mySid)))</connection-url>
      <driver-class>oracle.jdbc.driver.OracleDriver</driver-class>
      <user-name>x3</user-name>
      <password>xxxxx</password>
      <exception-sorter-class-name>org.jboss.resource.adapter.jdbc.vendor.OracleExceptionSorter</exception-sorter-class-name>
      </local-tx-datasource>
      <local-tx-datasource>
      <jndi-name>x4_datasource</jndi-name>
      <connection-url>jdbc:oracle:thin:@(description=(address=(host=myHost)(protocol=tcp)(port=1521))(connect_data=(SERVICE_NAME=mySid)))</connection-url>
      <driver-class>oracle.jdbc.driver.OracleDriver</driver-class>
      <user-name>x4</user-name>
      <password>xxxxx</password>
      <exception-sorter-class-name>org.jboss.resource.adapter.jdbc.vendor.OracleExceptionSorter</exception-sorter-class-name>
      </local-tx-datasource>



      In login-config.xml I have set up application-policies:

      <application-policy name = "xx1">
      <authentication>
      <login-module code = "org.jboss.security.auth.spi.DatabaseServerLoginModule" flag = "required">
      <module-option name="dsJndiName">java:/x1_datasource</module-option>
      <module-option name="principalsQuery">select wachtwoord from gebruikers where upper (key_gebruiker) = upper (?)</module-option>
      <module-option name="rolesQuery">select key_rol, 'Roles' from gebruikers_rollen, gebruikers where upper (key_gebruiker) = upper (?) and gebruikers.id_gebruiker = gebruikers_rollen.id_gebruiker</module-option>
      </login-module>
      </authentication>
      </application-policy>

      Four times (one for every realm).

      Every jboss-web.xml looks like this; only the JNDI reference is different (pointing to one of the above datasources):

      <?xml version="1.0" encoding="UTF-8"?>
      <jboss-web>
      <context-root>/xxroot</context-root>
      <security-domain>java:/jaas/xx1</security-domain>
      <resource-ref>
      <res-ref-name>jdbc/x1_datasource</res-ref-name>
      <res-type>javax.sql.DataSource</res-type>
      <jndi-name>java:/x1_datasource</jndi-name>
      </resource-ref>
      </jboss-web>

      and in the web.xml: (only the auth/datasource part showing here)

      <resource-ref>
      <description>Datasource for x1</description>
      <res-ref-name>jdbc/x1_datasource</res-ref-name>
      <res-type>javax.sql.DataSource</res-type>
      <res-auth>Container</res-auth>
      </resource-ref>

      <security-constraint>
      <web-resource-collection>
      <web-resource-name>Restricted</web-resource-name>
      <description>Declarative security tests</description>
      <url-pattern>/restricted/*</url-pattern>
      <http-method>HEAD</http-method>
      <http-method>GET</http-method>
      <http-method>POST</http-method>
      <http-method>PUT</http-method>
      <http-method>DELETE</http-method>
      </web-resource-collection>
      <auth-constraint>
      <role-name>role1</role-name>
      </auth-constraint>
      <user-data-constraint>
      <description>no description</description>
      <!-- must be NONE, INTEGRAL or CONFIDENTIAL; the original post had GUARANTEED, which is not a valid value -->
      <transport-guarantee>CONFIDENTIAL</transport-guarantee>
      </user-data-constraint>
      </security-constraint>

      <login-config>
      <auth-method>BASIC</auth-method>
      <realm-name>xx1</realm-name>
      </login-config>

      Now why doesn't it work in 3.2.4 anymore?

      The funny thing is, the first realm to authenticate after the server starts will succeed; every subsequent realm will fail.

      Please help
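      As an added check (my own example, not code from the post or from JBoss), the script below cross-references the files the post shows: the jboss-web.xml security-domain must be java:/jaas/<policy name>, that policy's dsJndiName must match a jndi-name in the -ds.xml, and transport-guarantee must be one of the values the servlet spec allows. The sample files are constructed; xx1/x1_datasource are taken from the post, xx2/x9_datasource is a deliberately mis-wired second realm.

```python
# Added example, not the poster's code: cross-check the JBoss 3.2 security wiring
# described in the thread: jboss-web.xml <security-domain> -> login-config.xml
# <application-policy> -> dsJndiName -> *-ds.xml <jndi-name>, plus the
# <transport-guarantee> values the servlet spec actually allows.
import xml.etree.ElementTree as ET

VALID_TRANSPORT = {"NONE", "INTEGRAL", "CONFIDENTIAL"}
JAAS_PREFIX = "java:/jaas/"   # JBoss binds application-policies under this JNDI prefix

# Constructed samples modelled on the post's files (xx1/x1_datasource come from
# the post; xx2/x9_datasource is a deliberately broken second realm).
DS_XML = """<datasources>
 <local-tx-datasource><jndi-name>x1_datasource</jndi-name></local-tx-datasource>
 <local-tx-datasource><jndi-name>x2_datasource</jndi-name></local-tx-datasource>
</datasources>"""
LOGIN_CONFIG_XML = """<policy>
 <application-policy name="xx1"><authentication>
  <login-module code="org.jboss.security.auth.spi.DatabaseServerLoginModule" flag="required">
   <module-option name="dsJndiName">java:/x1_datasource</module-option>
  </login-module></authentication></application-policy>
 <application-policy name="xx2"><authentication>
  <login-module code="org.jboss.security.auth.spi.DatabaseServerLoginModule" flag="required">
   <module-option name="dsJndiName">java:/x9_datasource</module-option>
  </login-module></authentication></application-policy>
</policy>"""
WEB_XML = """<web-app><security-constraint><user-data-constraint>
 <transport-guarantee>GUARANTEED</transport-guarantee>
</user-data-constraint></security-constraint></web-app>"""

def jboss_web(domain):
    """Constructed jboss-web.xml for one of the four web apps."""
    return "<jboss-web><security-domain>%s</security-domain></jboss-web>" % domain

def check_wiring(ds_xml, login_config_xml, web_xml, jboss_web_xml):
    """Return a list of problems; an empty list means the realm is wired consistently."""
    problems = []
    ds_names = {(e.text or "").strip() for e in ET.fromstring(ds_xml).iter("jndi-name")}
    policies = {p.get("name"): {o.get("name"): (o.text or "").strip()
                                for o in p.iter("module-option")}
                for p in ET.fromstring(login_config_xml).iter("application-policy")}
    domain = (ET.fromstring(jboss_web_xml).findtext("security-domain") or "").strip()
    if not domain.startswith(JAAS_PREFIX):
        problems.append("security-domain %r lacks %s prefix" % (domain, JAAS_PREFIX))
    elif domain[len(JAAS_PREFIX):] not in policies:
        problems.append("no application-policy named %r" % domain[len(JAAS_PREFIX):])
    else:
        ds = policies[domain[len(JAAS_PREFIX):]].get("dsJndiName", "")
        bare = ds[len("java:/"):] if ds.startswith("java:/") else ds  # dsJndiName is java:/<jndi-name>
        if bare not in ds_names:
            problems.append("dsJndiName %r matches no <jndi-name> in the -ds.xml" % ds)
    for tg in ET.fromstring(web_xml).iter("transport-guarantee"):
        if (tg.text or "").strip() not in VALID_TRANSPORT:
            problems.append("invalid transport-guarantee %r" % (tg.text or "").strip())
    return problems
```

Run it once per web app with that app's jboss-web.xml; a realm that silently falls through to a domain with no policy shows up here instead of as a null principal at runtime.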

        • 1. Re: cannot get multiple realms to work with 3.2 (works well
          starksm64

          Without the details of what each domain is doing there is insufficient information here. Describe the complete call sequence that is failing along with the stack trace of the failed call. Every call coming into the web container needs to establish its security context, either by being a secured web page or by doing a JAAS login.

          • 2. Re: cannot get multiple realms to work with 3.2 (works well
            eelco69

            Okay,

            We host four websites in different realms, which all do a DatabaseLoginModule login. I have configured 4 datasources, which all use a different schema within the same Oracle 9.2 instance.

            In JBoss 3.07 production, this works perfectly. In the 3.2 version, I do not get any errors; only the first realm to log in 'wins', and the others won't be able to log in anymore.

            I was kind of hoping that the configuration has changed with the new version. I know the datasource configuration has changed; does it have anything to do with the JNDI bindings? In the former version, I had to configure a different "name" for the ManagedConnectionPool MBean in each datasource file for it to work.

            <depends optional-attribute-name="ManagedConnectionPool">
            <!--embedded mbean-->


            In every datasource-service.xml, I have to change the name=OracleDS to a different name (DS1, DS2 etc.).

            In the new oracle-ds.xml, that is not possible anymore, so I figure it is not necessary either. Or am I wrong, hopefully!!!

            • 3. Re: cannot get multiple realms to work with 3.2 (works well
              eelco69

              In addition: I don't get any errors, just my page won't show the right things because the principal is null.

              • 4. Re: cannot get multiple realms to work with 3.2 (works well
                starksm64

                This still is not telling me much. Why should the principal not be null; is there a security-constraint enforcing this? If there is not, you have to track the user in the session, as there is no definition of how a principal propagates from secured to unsecured content. The only time request.getUserPrincipal() is guaranteed to return non-null is on secured content.

                • 5. Re: cannot get multiple realms to work with 3.2 (works well
                  eelco69

                  It is all restricted content. The whole website contains confidential information:
                  <security-constraint>
                  <web-resource-collection>
                  <web-resource-name>Restricted</web-resource-name>
                  <description>Declarative security tests</description>
                  <url-pattern>/restricted/*</url-pattern>
                  <http-method>HEAD</http-method>
                  <http-method>GET</http-method>
                  <http-method>POST</http-method>
                  <http-method>PUT</http-method>
                  <http-method>DELETE</http-method>
                  </web-resource-collection>
                  <auth-constraint>
                  <role-name>role1</role-name>
                  </auth-constraint>
                  <user-data-constraint>
                  <description>no description</description>
                  <!-- must be NONE, INTEGRAL or CONFIDENTIAL; the original post had GUARANTEED, which is not a valid value -->
                  <transport-guarantee>CONFIDENTIAL</transport-guarantee>
                  </user-data-constraint>
                  </security-constraint>

                  It looks like it has something to do with datasource JNDI binding, as if the first datasource is the only one to get a user. It does login correctly, but after that the page just shows the elements that are not user-dependent.

                  For example, I have a menu. I have Struts set up in conjunction with XML/XSL. The Struts controller executes by passing the request form (action form) to a class which retrieves XML from business objects. So the menu page loads by getting the user and, depending on the user, giving back XML:

                  if (_user.shouldChangePassword()) {
                      // menu group only shown to users who must still change their password
                      buffer
                          .append(" <menugroup id=\"personal\" menutitle=\"Personal site\">\n")
                          .append(" <menuitem>\n")
                          .append(" <item_id>login</item_id>\n")
                          .append(" <do_auto>true</do_auto>\n")
                          .append(" <menu_id>menu1</menu_id>\n")
                          .append(" <menu_action>move('userdata.do');</menu_action>\n")
                          .append(" <menutitel>")
                          .append("Inloggegevens")
                          .append("</menutitel>\n")
                          .append(" <menuevent>move('userdata.do');</menuevent>\n")
                          .append(" </menuitem>\n")
                          .append(" </menugroup>\n")
                          .append("\n");
                  } else {


                  etc.

                  The menu page also has an XSL, and the action transforms the XML to HTML using this XSL. The page is then written to the response. In the case of JBoss 3.07, all is well. In the case of 3.2.x, the first realm to log in is fine; even multiple users on that realm get their own menus perfectly.

                  However, when logging in to a second realm (different customer), the menu just shows the stuff that is not user-dependent.

                  All is https...