3 Replies Latest reply on Jun 15, 2004 9:54 AM by starksm64

Configuring a non trusted datasource

jeeads Jun 3, 2004 10:51 AM

I am trying to connect to a non-trusted datasource. I have created a com.synapps.jmx.jaas.srp.MetaDataIdentityLoginModule login module to load the username and password dependent on the auth type of the given datasource. This module was created using org.jboss.resource.security.CallerIdentityLoginModule as a modle. All the information about the remote datasource is found in my MetaData database including auth type. The deployment descriptors, configuration xml and error log are attached. When I start JBoss 3.2.3 the entity beans deploy correctly but when org.jboss.ejb.plugins.EntityInstancePool starts a connection to the datasource for the beans fails. I expect the failures since no one is logged in at the time. How should I configure this non-trusted connection so that a connection is attemted only if someone is logged in and only if there is not a connection in the connection pool? I have all of the documentation and I can't find this information.

META_INF entity bean jar

jboss.xml

< ?xml version="1.0" encoding="UTF-8"?>
< !DOCTYPE jboss PUBLIC "-//JBoss//DTD JBOSS 3.0//EN" "http://www.jboss.org/j2ee/dtd/jboss_3_0.dtd">
< jboss>
< security-domain>java:/jaas/MSSQLServer2000SequencherSecurityRealm</security-domain >
< unauthenticated-principal>Anonymous</unauthenticated-principal >
< enterprise-beans>

jbosscmp-jdbc.xml

< ?xml version="1.0" encoding="UTF-8"?>
< !DOCTYPE jbosscmp-jdbc PUBLIC "-//JBoss//DTD JBOSSCMP-JDBC 3.2//EN" "http://www.jboss.org/j2ee/dtd/jbosscmp-jdbc_3_2.dtd">
< jbosscmp-jdbc>
< defaults>
< datasource>java:/MSSQLServer2000Sequencher
< datasource-mapping>MS SQLSERVER2000</datasource-mapping >
< create-table>false</create-table >
< remove-table>false</remove-table >
< read-only>false</read-only >
< read-time-out>300</read-time-out >
< row-locking>false</row-locking >
< pk-constraint>true</pk-constraint >
< fk-constraint>false</fk-constraint >
< preferred-relation-mapping>foreign-key</preferred-relation-mapping >
< read-ahead>
< strategy>on-load
< page-size>1000</page-size >
< eager-load-group>*</eager-load-group >
</read-ahead >
< list-cache-max>1000</list-cache-max >

Server configuration files

login-config.xml

< application-policy name="MSSQLServer2000SequencherSecurityRealm">
< authentication>
< login-module code="com.synapps.jmx.jaas.srp.MetaDataIdentityLoginModule" flag="required">
< module-option name="dsJndiName">java:/MSSQLServer2000MetaData</module-option >
< module-option name="dsName">MSSQLServer2000Sequencher</module-option >
< module-option name="connTypeQuery">SELECT ConnAuthType FROM DataStore WHERE Name=?</module-option >
< module-option name="defaultUserPasswdQuery">SELECT DataStore.DefaultConnUser, Password.password FROM DataStore,Password WHERE DataStore.Name=? AND Password.ID = DataStore.DefaultConnPWID</module-option >
< module-option name="userUserPasswdQuery">SELECT User_DataStore.UserConnUserID, Password.password, FROM DataStore,User_DataStore, Password WHERE DataStore.Name=? AND Password.ID = User_DataStore.UserConnPWID AND User_DataStore.DataStoreID = DataStore.ID and User_DataStore.UserID=?</module-option >
< module-option name="activityLogging">INSERT INTO ActivityLog VALUES(?,?,?,?,?,?,?,?,?,?)</module-option >
< module-option name="password-stacking">useFirstPass</module-option >
</login-module >

</application-policy >

sequencher-mssql-ds.xml

< ?xml version="1.0" encoding="UTF-8"?>

< !-- ===================================================================== -->
< !-- -->
< !-- JBoss Server Configuration -->
< !-- -->
< !-- ===================================================================== -->

< !-- $Id: sequencher-mssql-ds.xml,v 1.1 2004/05/18 18:500:16 mike Exp $ -->

< !-- ======================================================================-->
< !-- New ConnectionManager setup for Microsoft SQL Server 2000 driver -->
< !-- You may download the latest Microsoft JDBC driver from *Microsoft* -->
< !-- http://msdn.microsoft.com/downloads/default.asp?url=/downloads/sample.asp?url=/MSDN-FILES/027/001/779/msdncompositedoc.xml&frame=true -->
< !-- ===================================================================== -->

< datasources>

< local-tx-datasource>
< jndi-name>MSSQLServer2000Sequencher</jndi-name >
< connection-url>jdbc:microsoft:sqlserver://synapps-6:1433;DatabaseName=Sequencher;SelectMethod=cursor</connection-url >
< driver-class>com.microsoft.jdbc.sqlserver.SQLServerDriver</driver-class >
< !--<user-name>sa</user-name >
< password>synapps -- >
< !-- sql to call when connection is created -- >
< new-connection-sql>select count(*) from Users</new-connection-sql >
< !-- sql to call on an existing pooled connection when it is obtained from pool -- >
< check-valid-connection-sql>select count(*) from Users</check-valid-connection-sql >
< !-- Use the security domain defined in conf/login-config.xml -- >
< security-domain>MSSQLServer2000SequencherSecurityRealm</security-domain >
</local-tx-datasource >

server.log

2004-06-02 15:32:31,593 INFO [org.jboss.ejb.EjbModule] Deploying MSSQLServer2000Sequencher_VectorSite
2004-06-02 15:32:31,625 INFO [org.jboss.ejb.EjbModule] Deploying MSSQLServer2000Sequencher_WorkingSequence
2004-06-02 15:32:31,656 INFO [org.jboss.ejb.EjbModule] Deploying MSSQLServer2000Sequencher_EntityBeanTest
2004-06-02 15:32:33,484 ERROR [org.jboss.ejb.EntityContainer] Starting failed
java.lang.SecurityException: Invalid authentication attempt, principal=null
at org.jboss.resource.connectionmanager.BaseConnectionManager2.getSubject(BaseConnectionManager2.java:647)
at org.jboss.resource.connectionmanager.BaseConnectionManager2.allocateConnection(BaseConnectionManager2.java:476)
at org.jboss.resource.connectionmanager.BaseConnectionManager2$ConnectionManagerProxy.allocateConnection(BaseConnectionManager2.java:814)
at org.jboss.resource.adapter.jdbc.WrapperDataSource.getConnection(WrapperDataSource.java:102)
at org.jboss.ejb.plugins.cmp.jdbc.SQLUtil.fixTableName(SQLUtil.java:118)
at org.jboss.ejb.plugins.cmp.jdbc.bridge.JDBCEntityBridge.init(JDBCEntityBridge.java:147)
at org.jboss.ejb.plugins.cmp.jdbc.JDBCStoreManager.initStoreManager(JDBCStoreManager.java:420)
at org.jboss.ejb.plugins.cmp.jdbc.JDBCStoreManager.start(JDBCStoreManager.java:357)
at org.jboss.ejb.plugins.CMPPersistenceManager.start(CMPPersistenceManager.java:152)
at org.jboss.ejb.EntityContainer.startService(EntityContainer.java:342)
at org.jboss.system.ServiceMBeanSupport.start(ServiceMBeanSupport.java:192)
at sun.reflect.GeneratedMethodAccessor51.invoke(Unknown Source)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
at java.lang.reflect.Method.invoke(Method.java:324)
at org.jboss.mx.capability.ReflectedMBeanDispatcher.invoke(ReflectedMBeanDispatcher.java:284)
at org.jboss.mx.server.MBeanServerImpl.invoke(MBeanServerImpl.java:546)
at org.jboss.system.ServiceController$ServiceProxy.invoke(ServiceController.java:976)
at $Proxy15.start(Unknown Source)

1. Re: Configuring a non trusted datasource

starksm64 Jun 7, 2004 12:06 PM (in response to jeeads)

This is a connection attempt initiated from a non-user thread in the entity container startup and so has no identity. There has to be some support for connecting as an unauthenticated user to query for database metadata, etc. by system threads in the login module.
Actions
2. Re: Configuring a non trusted datasource

jeeads Jun 10, 2004 11:19 AM (in response to jeeads)

Scott,
Like surfing the net, asking the question is the biggest part of getting the right answer. Let me layout what I am trying to achieve. I have a data federation system that is driven by the JBoss container. My system consists of a database registration process that uses XML and XSLT to transform the XML database schema produced by Dr. Lauxs' modified
dbaccessor package into entity beans, interfaces, deployment descriptors, session test bean and a test client. The logical ontology or logical vocabulary is mapped to the federated databases via vocabulary descriptors, XML, mapping descriptors, XML, the entity bean interfaces and XSLT transformation, which produce session beans used at the session facade level. I have moved the business delagate level to span the network boundary between the client and app sever so I can achieve a generic interface. One of the design goals was to have a static footprint for the api. The system can accomodate many different business domains. Now to the question: I have a metadata database that is used to configure the system, it handles user validation at the app server level, datasources available, acitivity logging, site parameters, remote datasource authentication, remote datasource connection information etc. When logging onto the system the client goes through SRP to authenticate and authorize at the app server. Once authorized onto the app server the client can access any of the federated datasources to which he has access. To access a federated datasource I have written a login module that will determine the connection information and the authentication type from the metadata database and set the username and password to the configured username and password for the authentication type specified for the datasource. Is this how I should be doing this? Since I am already logged into the app server when I try to run this login module through a security realm setup for the specific datasource I get a security authorization error? How can I dynamically retrieve and use the configured information for the given datasource when an entity or session bean that has been setup for this security realm is accessed, if it is not already pooled? Does JBoss handle this type of dynamic connection for datasources? Is there an example anywhere? Have I just missed the point totally?

Thanks
Jerry
Actions
3. Re: Configuring a non trusted datasource

starksm64 Jun 15, 2004 9:54 AM (in response to jeeads)

This is not much clearer. There is really no such thing as 'logged into the app server'. A thread either has a security context or it does not. There are many threads, not all of which are tied to user initiated activity. When a thread attempts to access a datasource its security context is checked. The problem with the access shown generating exception is that there is no caller identity to use because this is a server thread initializing the cmp layer, and there is no logged in identity.
Actions

Go to original post