6 Replies Latest reply on Jun 29, 2004 3:47 AM by snavjot

    Access to the requested resource has been denied - WHY??

    snavjot Jun 26, 2004 7:36 AM

      Hi,

      I am using Jboss 3.2.3 + tomcat 4.1.29. I configured jboss for JAAS and modified my application to work with JAAS.

      When i access AddToCart, Jboss challenges for LOGIN, i fill in username password. It throws the following error then.
      It clearly shows that navis/navis is getting authenticated but something bad is happening later. may be something to do with roles. Can somebidy show some direction please???

      TIA
      Navjot Singh


      Snippet from server.log - pls notice last few lines of this log.
      =======================================

      [org.jboss.security.auth.spi.DatabaseServerLoginModule] initialize
      [org.jboss.security.auth.spi.DatabaseServerLoginModule] DatabaseServerLoginModule, dsJndiName=java:/SmailDS
      [org.jboss.security.auth.spi.DatabaseServerLoginModule] principalsQuery=select passwd from CustomerLogin where custCode=?
      [org.jboss.security.auth.spi.DatabaseServerLoginModule] rolesQuery=select role, role from CustomerLogin where custCode=?
      [org.jboss.security.auth.spi.DatabaseServerLoginModule] login
      TRACE [org.jboss.resource.connectionmanager.TxConnectionManager] subject: null
      TRACE [org.jboss.resource.connectionmanager.TxConnectionManager] getManagedConnection returning unassociated connection
      TRACE [org.jboss.resource.connectionmanager.JBossManagedConnectionPool] supplying ManagedConnection from pool: org.jboss.resource.adapter.jdbc.local.LocalManagedConnection@78ae82
      TRACE [org.jboss.resource.connectionmanager.JBossManagedConnectionPool] Getting connection from pool [InUse/Available/Max]: [1/1/20]
      TRACE [org.jboss.resource.connectionmanager.CachedConnectionManager] registering connection from org.jboss.resource.connectionmanager.TxConnectionManager@174e4b3, connection : org.jboss.resource.adapter.jdbc.WrappedConnection@11970e2, key: null
      TRACE [org.jboss.resource.connectionmanager.TxConnectionManager] connectionClosed called
      TRACE [org.jboss.resource.connectionmanager.CachedConnectionManager] unregistering connection from org.jboss.resource.connectionmanager.TxConnectionManager@174e4b3, object: org.jboss.resource.adapter.jdbc.WrappedConnection@11970e2, key: null
      TRACE [org.jboss.resource.connectionmanager.TxConnectionManager] unregisterConnection: 0 handles left
      TRACE [org.jboss.resource.connectionmanager.TxConnectionManager] delisting currenttx: null, ManagedConnection: org.jboss.resource.adapter.jdbc.local.LocalManagedConnection@78ae82
      TRACE [org.jboss.resource.connectionmanager.JBossManagedConnectionPool] putting ManagedConnection back into pool
      TRACE [org.jboss.resource.connectionmanager.JBossManagedConnectionPool] Returning connection to pool [InUse/Available/Max]: [0/1/20]
      TRACE [org.jboss.security.auth.spi.DatabaseServerLoginModule] User 'navis' authenticated, loginOk=true
      TRACE [org.jboss.security.auth.spi.DatabaseServerLoginModule] commit, loginOk=true
      TRACE [org.jboss.resource.connectionmanager.TxConnectionManager] subject: null
      TRACE [org.jboss.resource.connectionmanager.TxConnectionManager] getManagedConnection returning unassociated connection

      [org.jboss.security.plugins.JaasSecurityManager.ShopexAuth] updateCache, subject=Subject:
      Principal: navis
      Principal: USER(members:USER)

      [org.jboss.web.tomcat.security.JBossSecurityMgrRealm] User: navis is authenticated
      [org.jboss.web.tomcat.security.JBossSecurityMgrRealm] End authenticate, principal=navis
      [org.jboss.web.localhost.Engine] Authenticator[/shopex]: Authentication of 'navis' was successful
      [org.jboss.web.localhost.Engine] Authenticator[/shopex]: Redirecting to original '/shopex/AddToCart.do?PROD_CODE=BM'
      [org.jboss.web.localhost.Engine] Authenticator[/shopex]: Failed authenticate() test
      [org.jboss.web.localhost.Engine] StandardContext[/shopex]: Mapping contextPath='/shopex' with requestURI='/shopex/AddToCart.do' and relativeURI='/AddToCart.do'

      web.xml
      =====

      <security-constraint>
      <web-resource-collection>
      <web-resource-name>USER Restricted</web-resource-name>
      Declarative USER restriction
      <url-pattern>/AddToCart.do</url-pattern>
      <http-method>GET</http-method>
      </web-resource-collection>
      <web-resource-collection>

      <auth-constraint>
      <role-name>USER</role-name>
      </auth-constraint>

      <user-data-constraint>
      no description
      <transport-guarantee>NONE</transport-guarantee>
      </user-data-constraint>
      </security-constraint>

      <login-config>
      <auth-method>FORM</auth-method>
      <realm-name>Default</realm-name>
      <form-login-config>
      <form-login-page>/jsp/signin.jsp</form-login-page>
      <form-error-page>/jsp/badlogin.jsp</form-error-page>
      </form-login-config>
      </login-config>

      <security-role>
      A user allowed to buy items and place order
      <role-name>USER</role-name>
      </security-role>


      jboss login-config.xml
      ==============
      <application-policy name="ShopexAuth">

      <login-module code="org.jboss.security.auth.spi.DatabaseServerLoginModule" flag="required">
      <module-option name="dsJndiName">java:/SmailDS</module-option>
      <module-option name="principalsQuery">select passwd from CustomerLogin where custCode=?</module-option>
      <module-option name="rolesQuery">select role, role from CustomerLogin where custCode=?</module-option>
      </login-module>

      </application-policy>

      CustomerLogin
      =========
      custCode | passwd | role
      -----------------------------
      navis | navis | USER


      • 9239 Views
      • Tags:
        • 1. Re: Access to the requested resource has been denied - WHY??
          snavjot Jun 26, 2004 8:30 AM (in response to snavjot)

          hi,

          i just made it work. Just replaced

          <module-option name="rolesQuery">
          select role, role from CustomerLogin where custCode=?
          </module-option>

          WITH

          <module-option name="rolesQuery">
          select role, "Roles" from CustomerLogin where custCode=?
          </module-option>


          and it worked. I peeped into the jbossdx.jar code and found that "Roles" was hard coded there. WHY?

          Navjot Singh

            • Actions
          • 2. Re: Access to the requested resource has been denied - WHY??
            genman
            genman Jun 26, 2004 12:06 PM (in response to snavjot)


            Sounds like a bug. If you can create a coherent bug report, please file it on the Sourceforge web site.

            Thanks.

              • Actions
            • 3. Re: Access to the requested resource has been denied - WHY??
              cbrettin
              cbrettin Jun 27, 2004 7:50 PM (in response to snavjot)

              Actually it isn't really a bug: JBoss encodes role principals in a "Roles" principal group, this is why you specify the "Roles" literal - it is the group that the principals are being added to.

              If you are using a properties file for roles you don't notice this as the default group of "Roles" is assigned if the group is not specified.

              so,
              username=role1,role2
              and
              username.Roles=role1,role2
              are the same.

              So actually is is more a surplus of configurability than a lack that is causing the confusion. That the roles principal group name is hard coded to "Roles" isn't really that much of an imposition, considering that the grouping allows applicaiton specific principal groups to be added without interfereing with JBoss role authorisation.

                • Actions
              • 4. Re: Access to the requested resource has been denied - WHY??
                snavjot Jun 28, 2004 5:50 AM (in response to snavjot)

                then i guess the rolesQuery should be contrained to
                **select role from UserRoles where...**

                why even ask for rolesgroup column when it HAS TO be "Roles"?

                navjot

                  • Actions
                • 5. Re: Access to the requested resource has been denied - WHY??
                  cbrettin
                  cbrettin Jun 28, 2004 9:42 PM (in response to snavjot)

                   

                  "snavjot" wrote:


                  <module-option name="rolesQuery">
                  select role, "Roles" from CustomerLogin where custCode=?
                  </module-option>




                  The roles query returns two columns the first one containing the Role name and the second the Role Group that this role is being added to.

                  The default role group is called "Roles" and is the one used for normal EE role based security - if the role group is null or empty the default group will be used, so you could have used:

                  select role, "" from CustomerLogin where custCode=?
                  or
                  select role, NULL from CustomerLogin where custCode=?

                  with the same effect.

                  If you where using an application with role groups other than the default then you would need to use this feature; normally, as you have discovered, it is just disabled by providing the default as a constant column in the query.

                  So groups with names other than "Roles" do exist (and are loaded and attached to the Subject), but they are not used for the simple roles based security you are using.



                    • Actions
                  • 6. Re: Access to the requested resource has been denied - WHY??
                    snavjot Jun 29, 2004 3:47 AM (in response to snavjot)

                    now, the picture is much clearer. Thanks to all whc shared the veiws with me.

                    Navjot Singh

                      • Actions