11 Replies Latest reply on Jul 21, 2004 8:37 AM by osf_lover

    ssl in jboss 3.2.5 is broken

    osf_lover

      Hi,

      I have a webapp which uses an LDAP server for authentication. All works fine under JBoss 3.2.3 and 3.2.4 but NOT in JBoss 3.2.5.

      I get the following error in JBoss 3.2.5; what has changed in JBoss 3.2.5? I did check the change notes for JBoss 3.2.5 but couldn't find anything.

      2004-07-06 12:18:05,055 INFO [STDOUT] com.xxx.gds.gdscache.NameNotFoundException: Filter [uid=Identity] does not identify an entry in the GDS
      2004-07-06 12:18:05,055 INFO [STDOUT] at com.xxx.gds.security.GdsEntryImpl.<init>(GdsEntryImpl.java:74)
      2004-07-06 12:18:05,055 INFO [STDOUT] at com.xxx.gds.security.GdsUserImpl.<init>(GdsUserImpl.java:69)
      2004-07-06 12:18:05,055 INFO [STDOUT] at com.xxx.gds.test.TestServlet.service(TestServlet.java:149)
      2004-07-06 12:18:05,071 INFO [STDOUT] at javax.servlet.http.HttpServlet.service(HttpServlet.java:810)
      2004-07-06 12:18:05,118 INFO [STDOUT] at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:237)
      2004-07-06 12:18:05,118 INFO [STDOUT] at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:157)
      2004-07-06 12:18:05,118 INFO [STDOUT] at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:214)
      2004-07-06 12:18:05,118 INFO [STDOUT] at org.apache.catalina.core.StandardValveContext.invokeNext(StandardValveContext.java:104)
      2004-07-06 12:18:05,118 INFO [STDOUT] at org.apache.catalina.core.StandardPipeline.invoke(StandardPipeline.java:520)
      2004-07-06 12:18:05,164 INFO [STDOUT] at org.apache.catalina.core.StandardContextValve.invokeInternal(StandardContextValve.java:198)
      2004-07-06 12:18:05,164 INFO [STDOUT] at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:152)
      2004-07-06 12:18:05,164 INFO [STDOUT] at org.apache.catalina.core.StandardValveContext.invokeNext(StandardValveContext.java:104)
      2004-07-06 12:18:05,180 INFO [STDOUT] at org.jboss.web.tomcat.security.SecurityAssociationValve.invoke(SecurityAssociationValve.java:72)
      2004-07-06 12:18:05,180 INFO [STDOUT] at org.apache.catalina.core.StandardValveContext.invokeNext(StandardValveContext.java:102)
      2004-07-06 12:18:05,227 INFO [STDOUT] at org.jboss.web.tomcat.security.JBossSecurityMgrRealm.invoke(JBossSecurityMgrRealm.java:275)
      2004-07-06 12:18:05,227 INFO [STDOUT] at org.apache.catalina.core.StandardValveContext.invokeNext(StandardValveContext.java:102)
      2004-07-06 12:18:05,227 INFO [STDOUT] at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:540)
      2004-07-06 12:18:05,227 INFO [STDOUT] at org.apache.catalina.core.StandardValveContext.invokeNext(StandardValveContext.java:102)
      2004-07-06 12:18:05,227 INFO [STDOUT] at org.apache.catalina.core.StandardPipeline.invoke(StandardPipeline.java:520)
      2004-07-06 12:18:05,274 INFO [STDOUT] at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:137)
      2004-07-06 12:18:05,289 INFO [STDOUT] at org.apache.catalina.core.StandardValveContext.invokeNext(StandardValveContext.java:104)
      2004-07-06 12:18:05,289 INFO [STDOUT] at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:117)
      2004-07-06 12:18:05,289 INFO [STDOUT] at org.apache.catalina.core.StandardValveContext.invokeNext(StandardValveContext.java:102)
      2004-07-06 12:18:05,289 INFO [STDOUT] at org.apache.catalina.core.StandardPipeline.invoke(StandardPipeline.java:520)
      2004-07-06 12:18:05,336 INFO [STDOUT] at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:109)
      2004-07-06 12:18:05,336 INFO [STDOUT] at org.apache.catalina.core.StandardValveContext.invokeNext(StandardValveContext.java:104)
      2004-07-06 12:18:05,336 INFO [STDOUT] at org.apache.catalina.core.StandardPipeline.invoke(StandardPipeline.java:520)
      2004-07-06 12:18:05,336 INFO [STDOUT] at org.apache.catalina.core.ContainerBase.invoke(ContainerBase.java:929)
      2004-07-06 12:18:05,352 INFO [STDOUT] at org.apache.coyote.tomcat5.CoyoteAdapter.service(CoyoteAdapter.java:160)
      2004-07-06 12:18:05,399 INFO [STDOUT] at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:799)
      2004-07-06 12:18:05,399 INFO [STDOUT] at org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.processConnection(Http11Protocol.java:705)
      2004-07-06 12:18:05,399 INFO [STDOUT] at org.apache.tomcat.util.net.TcpWorkerThread.runIt(PoolTcpEndpoint.java:577)
      2004-07-06 12:18:05,399 INFO [STDOUT] at org.apache.tomcat.util.threads.ThreadPool$ControlRunnable.run(ThreadPool.java:683)
      2004-07-06 12:18:05,399 INFO [STDOUT] at java.lang.Thread.run(Thread.java:534)


      tia
      k

        • 1. Re: ssl in jboss 3.2.5 is broken
          triathlon98

          Looks like a problem in your code somewhere.

          Maybe a problem with DNS caching? Note that the JVM caches DNS entries when not told otherwise.

          Joachim

          • 2. Re: ssl in jboss 3.2.5 is broken
            starksm64

            Explain how this exception relates to ssl.

            • 3. Re: ssl in jboss 3.2.5 is broken
              osf_lover

              Hi,

              If the problem were in my code, it would not work in JBoss 3.2.3 or JBoss 3.2.4. But my same code is working with JBoss 3.2.3 and JBoss 3.2.4 but NOT with JBoss 3.2.5, which leads to the conclusion that something has changed in JBoss 3.2.5 in the ssl/authentication layer.

              The exception shows JBossSecurityMgrRealm being invoked and the filter [uid=Identity] being applied.

              Maybe in JBoss 3.2.5 I should be getting the uid/user principal in a different way than in JBoss 3.2.4?

              tia

              • 4. Re: ssl in jboss 3.2.5 is broken
                triathlon98

                Maybe JBoss does something "more correctly" than before. Tell what you are doing and how this differs from what happened before. Maybe even show your code.

                There is no way anybody can help with an Exception you defined being thrown in your code without saying what is happening!

                Joachim

                • 5. Re: ssl in jboss 3.2.5 is broken
                  osf_lover

                  Here is the code snippet / my test JSP page
                  ////////////////////////////////////////////
                  <%@ page import = "com.xxx.gds.security.*" %>
                  <%@ page import = "java.util.*" %>
                  <%@ page import = "javax.naming.*" %>
                  <%@ page import = "org.jboss.security.*" %>

                  <%
                    // Look the caller up in the GDS by the principal the container supplies.
                    GdsDAO dao = GdsDAO.getInstance();
                    GdsUser user = (GdsUser) session.getAttribute("user");
                    // The session value is replaced by the directory lookup; if that lookup
                    // yields null, the next line throws NullPointerException.
                    user = dao.getUserEntry(request.getUserPrincipal());
                    String fullName = user.getGivenName() + " " + user.getSN();
                    out.println("Welcome : " + user.getName());
                  %>
                  /////////////////////////////////////////////////

                  The above JSP returns the user id from the user certificate correctly in JBoss 3.2.4, but in JBoss 3.2.5 I get the following exception

                  java.lang.NullPointerException
                  at org.apache.jsp.test1_jsp._jspService(test1_jsp.java:58)
                  at org.apache.jasper.runtime.HttpJspBase.service(HttpJspBase.java:94)
                  at javax.servlet.http.HttpServlet.service(HttpServlet.java:810)
                  at org.apache.jasper.servlet.JspServletWrapper.service(JspServletWrapper.java:324)
                  at org.apache.jasper.servlet.JspServlet.serviceJspFile(JspServlet.java:292)
                  at org.apache.jasper.servlet.JspServlet.service(JspServlet.java:236)
                  at javax.servlet.http.HttpServlet.service(HttpServlet.java:810)
                  at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:237)
                  at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:157)
                  at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:214)
                  at org.apache.catalina.core.StandardValveContext.invokeNext(StandardValveContext.java:104)
                  at org.apache.catalina.core.StandardPipeline.invoke(StandardPipeline.java:520)
                  at org.apache.catalina.core.StandardContextValve.invokeInternal(StandardContextValve.java:198)
                  at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:152)
                  at org.apache.catalina.core.StandardValveContext.invokeNext(StandardValveContext.java:104)
                  at org.jboss.web.tomcat.security.SecurityAssociationValve.invoke(SecurityAssociationValve.java:72)
                  at org.apache.catalina.core.StandardValveContext.invokeNext(StandardValveContext.java:102)
                  at org.jboss.web.tomcat.security.JBossSecurityMgrRealm.invoke(JBossSecurityMgrRealm.java:275)
                  at org.apache.catalina.core.StandardValveContext.invokeNext(StandardValveContext.java:102)
                  at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:540)
                  at org.apache.catalina.core.StandardValveContext.invokeNext(StandardValveContext.java:102)
                  at org.apache.catalina.core.StandardPipeline.invoke(StandardPipeline.java:520)
                  at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:137)
                  at org.apache.catalina.core.StandardValveContext.invokeNext(StandardValveContext.java:104)
                  at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:117)
                  at org.apache.catalina.core.StandardValveContext.invokeNext(StandardValveContext.java:102)
                  at org.apache.catalina.authenticator.SingleSignOn.invoke(SingleSignOn.java:417)
                  at org.apache.catalina.core.StandardValveContext.invokeNext(StandardValveContext.java:102)
                  at org.apache.catalina.valves.AccessLogValve.invoke(AccessLogValve.java:535)
                  at org.apache.catalina.core.StandardValveContext.invokeNext(StandardValveContext.java:102)
                  at org.apache.catalina.core.StandardPipeline.invoke(StandardPipeline.java:520)
                  at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:109)
                  at org.apache.catalina.core.StandardValveContext.invokeNext(StandardValveContext.java:104)
                  at org.apache.catalina.core.StandardPipeline.invoke(StandardPipeline.java:520)
                  at org.apache.catalina.core.ContainerBase.invoke(ContainerBase.java:929)
                  at org.apache.coyote.tomcat5.CoyoteAdapter.service(CoyoteAdapter.java:160)
                  at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:799)
                  at org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.processConnection(Http11Protocol.java:705)
                  at org.apache.tomcat.util.net.TcpWorkerThread.runIt(PoolTcpEndpoint.java:577)
                  at org.apache.tomcat.util.threads.ThreadPool$ControlRunnable.run(ThreadPool.java:683)
                  at java.lang.Thread.run(Thread.java:536)
                  -------------------------------

                  tia
                  k

                  • 6. Re: ssl in jboss 3.2.5 is broken
                    starksm64

                    Here is a trivial jsp page that shows the principal when secured with basic auth, using both ssl and non-ssl connections:

                    <%@page import="java.io.*,javax.naming.*,
                     java.util.Date,
                     java.util.Enumeration,
                     java.security.cert.X509Certificate" %>
                    <%!
                     // The posted page referenced these two fields without showing the
                     // declaration block; this reconstruction fills them in at JSP init
                     // time with a listing of the java:comp/env bindings (or the failure).
                     String jndiEnvCtxInfo;
                     Exception initException;

                     public void jspInit()
                     {
                      try
                      {
                       Context envCtx = (Context) new InitialContext().lookup("java:comp/env");
                       StringBuffer buf = new StringBuffer();
                       NamingEnumeration bindings = envCtx.listBindings("");
                       while( bindings.hasMore() )
                       {
                        Binding b = (Binding) bindings.next();
                        buf.append(b.getName()).append(" = ").append(b.getObject()).append('\n');
                       }
                       jndiEnvCtxInfo = buf.toString();
                      }
                      catch(NamingException e)
                      {
                       initException = e;
                      }
                     }
                    %>
                    <html>
                    <body bgcolor="white">
                    <h1> Session Info</h1>
                    SessionID: <%= session.getId() %><br>
                    CreationTime: <%= new Date(session.getCreationTime()) %><br>
                    LastAccessedTime: <%= new Date(session.getLastAccessedTime()) %><br>
                    <ul>
                    <%
                     // Dump every session attribute: a quick way to see what the
                     // security layer and the application have stored for this caller.
                     Enumeration names = session.getAttributeNames();
                     while( names.hasMoreElements() )
                     {
                      String name = (String) names.nextElement();
                      out.print("<li>");
                      out.print(name);
                      out.print(" = ");
                      out.print(session.getAttribute(name));
                      out.println("</li>");
                     }
                     if( request.getScheme().equals("https") )
                     {
                      // The servlet spec exposes the negotiated cipher suite and, when the
                      // client authenticated with a certificate, its chain as
                      // java.security.cert.X509Certificate[]; casting to the
                      // javax.security.cert type would fail once a chain is present.
                      String cipherSuite;
                      X509Certificate certChain [];
                      cipherSuite = (String) request.getAttribute ("javax.servlet.request.cipher_suite");
                      certChain = (X509Certificate []) request.getAttribute ("javax.servlet.request.X509Certificate");
                      out.print("<li>javax.servlet.request.cipher_suite = ");
                      out.print(cipherSuite);
                      out.println("</li>");
                      out.print("<li>javax.servlet.request.X509Certificate = ");
                      if( certChain == null )
                       out.print("null");
                      else
                       for( int i = 0; i < certChain.length; i++ )
                        out.print((i > 0 ? ", " : "") + certChain[i].getSubjectDN());
                      out.println("</li>");
                     }%>
                    </ul>

                    <h1> JNDI java:comp/env Context Info</h1>
                    <pre>
                    <%
                     if( initException != null )
                      out.println(initException);
                     else
                      out.println(jndiEnvCtxInfo);
                    %>
                    </pre>
                    <h1> Request Information </h1>
                    <font size="4">
                    JSP Request Method: <%= request.getMethod() %>
                    <br>
                    Request URL: <%= request.getRequestURL() %>
                    <br>
                    Request URI: <%= request.getRequestURI() %>
                    <br>
                    Request Protocol: <%= request.getProtocol() %>
                    <br>
                    Servlet path: <%= request.getServletPath() %>
                    <br>
                    Path info: <%= request.getPathInfo() %>
                    <br>
                    Path translated: <%= request.getPathTranslated() %>
                    <br>
                    Query string: <%= request.getQueryString() %>
                    <br>
                    Content length: <%= request.getContentLength() %>
                    <br>
                    Content type: <%= request.getContentType() %>
                    <br>
                    Server name: <%= request.getServerName() %>
                    <br>
                    Server port: <%= request.getServerPort() %>
                    <br>
                    UserPrincipal: <%= request.getUserPrincipal() %>
                    <br>
                    Remote user: <%= request.getRemoteUser() %>
                    <br>
                    Remote address: <%= request.getRemoteAddr() %>
                    <br>
                    Remote host: <%= request.getRemoteHost() %>
                    <br>
                    Authorization scheme: <%= request.getAuthType() %>
                    <br>
                    Is secure: <%= request.isSecure() %>
                    <br>
                    Locale: <%= request.getLocale() %>
                    <hr>
                    The browser you are using is <%= request.getHeader("User-Agent") %>
                    <hr>
                    </font>
                    </body>
                    </html>
                    
                    


                    Output without ssl:
                     Session Info
                    SessionID: 7D6B2FA8783C0B451C23319E990C393E
                    CreationTime: Wed Jul 07 13:15:27 PDT 2004
                    LastAccessedTime: Wed Jul 07 13:15:27 PDT 2004
                    
                    Request Information
                    JSP Request Method: GET
                    Request URL: http://localhost:8080/jmx-console/snoop.jsp
                    Request URI: /jmx-console/snoop.jsp
                    Request Protocol: HTTP/1.1
                    Servlet path: /snoop.jsp
                    Path info: null
                    Path translated: null
                    Query string: null
                    Content length: -1
                    Content type: null
                    Server name: localhost
                    Server port: 8080
                    UserPrincipal: admin
                    Remote user: admin
                    Remote address: 127.0.0.1
                    Remote host: 127.0.0.1
                    Authorization scheme: BASIC
                    Is secure: false
                    Locale: en_US
                    


                    Output with ssl:
                     Session Info
                    SessionID: 1AA806630E9DC97500C2D240066407EC
                    CreationTime: Wed Jul 07 13:01:34 PDT 2004
                    LastAccessedTime: Wed Jul 07 13:08:48 PDT 2004
                    
                     * javax.servlet.request.cipher_suite = TLS_DHE_RSA_WITH_AES_128_CBC_SHA
                     * javax.servlet.request.X509Certificate = null
                    
                    Request Information
                    JSP Request Method: GET
                    Request URL: https://localhost:8443/jmx-console/snoop.jsp
                    Request URI: /jmx-console/snoop.jsp
                    Request Protocol: HTTP/1.1
                    Servlet path: /snoop.jsp
                    Path info: null
                    Path translated: null
                    Query string: null
                    Content length: -1
                    Content type: null
                    Server name: localhost
                    Server port: 8443
                    UserPrincipal: admin
                    Remote user: admin
                    Remote address: 127.0.0.1
                    Remote host: 127.0.0.1
                    Authorization scheme: BASIC
                    Is secure: true
                    Locale: en_US
                    



                    • 7. Re: ssl in jboss 3.2.5 is broken
                      osf_lover

                      I have tried your jsp code, but that also does not work for me.

                      Do I need to modify something in login-config.xml? I have added the following bits to the default login-config.xml

                      <!-- GDS Login Module -->

                      <login-module code = "com.xxx.gds.jaas.GdsJBossLoginModule" flag = "required">
                      <module-option name = "filename">server/default/conf/gdsrealm.properties</module-option>
                      <module-option name = "debug">true</module-option>
                      </login-module>



                      The above modification in login-config.xml works fine in JBoss 3.2.4.

                      tia
                      k

                      • 8. Re: ssl in jboss 3.2.5 is broken
                        starksm64

                        You'll have to debug your custom GdsJBossLoginModule. There were some refactorings in the login module layer to support x509 cert based login modules so look into whether this broke your login module.

                        • 9. Re: ssl in jboss 3.2.5 is broken
                          osf_lover

                          In fact it's not refactoring. One of the classes has changed!

                          In jbosssx.jar, the createGroup method of the AbstractServerLoginModule.java class returns a SimpleGroup instead of a NestableGroup if it didn't find one.

                          The change in AbstractServerLoginModule.java is

                          284c284
                          < roles = new NestableGroup(name); // in Jboss 324
                          ---
                          > roles = new SimpleGroup(name); // in jboss 325
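                          Review bot: the one-line swap at line 284 from `new NestableGroup(name)` to `new SimpleGroup(name)` changes the concrete type every subclass gets back from createGroup, so a subclass that casts the result to NestableGroup, or that depends on its nested layout, breaks at runtime rather than at compile time; the change should be called out in the method's Javadoc, and subclasses that need the old behaviour would be better served by a small protected factory (say, a hypothetical newGroup(name)) they can override, instead of having to re-implement createGroup's lookup-then-create logic themselves.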


                          What's the reasoning behind this?

                          tia
                          k

                          • 10. Re: ssl in jboss 3.2.5 is broken
                            starksm64

                            As stated in the release notes:

                            Change the behavior of the base createGroup to use a SimpleGroup rather than a NestedGroup as the latter precludes the ability to combine roles across login modules. If that is the desired behavior the subclass would create its own NestedGroup instance.

                            How does this affect you?
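As an added example (not code from this thread, from the poster's GdsJBossLoginModule, or from JBoss itself), here is what a login module written against the 3.2.5 base class looks like when it takes the release note above at its word: it returns the bare user name from getIdentity(), puts roles in a "Roles" group, and only builds its own NestableGroup in createGroup when a module option asks for the old 3.2.4 layout. The LDAP bind uses plain JNDI; the option names (ldapUrl, userDnPattern, rolesAttribute, nestRoles), the package and the class name are assumptions of this example, not anything the thread specifies.

```java
// Added example, not code from the thread or from JBoss: a JBoss 3.2.5 login
// module that authenticates by binding to LDAP as the caller and returns the
// bare user name as the identity. Module options (assumed names): ldapUrl,
// userDnPattern e.g. "uid={0},ou=people,dc=example,dc=com", rolesAttribute,
// nestRoles. Package and class names are hypothetical.
package com.example.jaas;

import java.security.Principal;
import java.security.acl.Group;
import java.text.MessageFormat;
import java.util.Hashtable;
import java.util.Iterator;
import java.util.Map;
import java.util.Set;
import javax.naming.Context;
import javax.naming.NamingEnumeration;
import javax.naming.NamingException;
import javax.naming.directory.Attribute;
import javax.naming.directory.DirContext;
import javax.naming.directory.InitialDirContext;
import javax.security.auth.Subject;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.NameCallback;
import javax.security.auth.callback.PasswordCallback;
import javax.security.auth.login.FailedLoginException;
import javax.security.auth.login.LoginException;
import org.jboss.security.NestableGroup;
import org.jboss.security.SimpleGroup;
import org.jboss.security.SimplePrincipal;
import org.jboss.security.auth.spi.AbstractServerLoginModule;

public class LdapBindLoginModule extends AbstractServerLoginModule {
    private String ldapUrl, userDnPattern, rolesAttribute;
    private boolean nestRoles;
    private SimplePrincipal identity;                 // plain principal, never a Group
    private SimpleGroup roles = new SimpleGroup("Roles");

    public void initialize(Subject subject, CallbackHandler handler, Map sharedState, Map options) {
        super.initialize(subject, handler, sharedState, options);
        ldapUrl = (String) options.get("ldapUrl");
        userDnPattern = (String) options.get("userDnPattern");
        rolesAttribute = (String) options.get("rolesAttribute");
        nestRoles = "true".equalsIgnoreCase((String) options.get("nestRoles"));
    }

    public boolean login() throws LoginException {
        loginOk = false;
        NameCallback nc = new NameCallback("User name: ");
        PasswordCallback pc = new PasswordCallback("Password: ", false);
        try {
            callbackHandler.handle(new Callback[] { nc, pc });
        } catch (Exception e) {
            throw new LoginException("Callback failed: " + e.getMessage());
        }
        String user = nc.getName();
        char[] pass = pc.getPassword();
        // Reject empty passwords (an empty bind is an anonymous bind on many
        // servers) and user names that could alter the DN built below.
        if (user == null || pass == null || pass.length == 0 || !user.matches("[A-Za-z0-9._-]+"))
            throw new FailedLoginException("Missing or malformed credentials");

        String userDn = MessageFormat.format(userDnPattern, new Object[] { user });
        Hashtable env = new Hashtable();
        env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
        env.put(Context.PROVIDER_URL, ldapUrl);
        env.put(Context.SECURITY_AUTHENTICATION, "simple");
        env.put(Context.SECURITY_PRINCIPAL, userDn);
        env.put(Context.SECURITY_CREDENTIALS, pass);   // char[] is accepted; avoids a String copy
        DirContext ctx = null;
        try {
            ctx = new InitialDirContext(env);         // the bind itself is the password check
            Attribute roleAttr = ctx.getAttributes(userDn, new String[] { rolesAttribute }).get(rolesAttribute);
            if (roleAttr != null) {
                for (NamingEnumeration v = roleAttr.getAll(); v.hasMore();)
                    roles.addMember(new SimplePrincipal(v.next().toString()));
            }
        } catch (NamingException e) {
            throw new FailedLoginException("LDAP bind failed for " + userDn + ": " + e.getMessage());
        } finally {
            pc.clearPassword();
            if (ctx != null) try { ctx.close(); } catch (NamingException ignored) { }
        }
        identity = new SimplePrincipal(user);
        loginOk = true;
        return true;
    }

    // This is what request.getUserPrincipal() ultimately reflects, so return
    // the bare user, not a Group wrapping it.
    protected Principal getIdentity() { return identity; }

    protected Group[] getRoleSets() { return new Group[] { roles }; }

    // In 3.2.5 the base createGroup() hands back a SimpleGroup; a subclass that
    // still wants the 3.2.4 NestableGroup layout must build it itself.
    protected Group createGroup(String name, Set principals) {
        if (!nestRoles) return super.createGroup(name, principals);
        for (Iterator it = principals.iterator(); it.hasNext();) {
            Object p = it.next();
            if (p instanceof Group && name.equals(((Group) p).getName())) return (Group) p;
        }
        Group g = new NestableGroup(name);
        principals.add(g);
        return g;
    }
}
```

The module is wired in exactly like the GDS module earlier in the thread, with a `<login-module code="com.example.jaas.LdapBindLoginModule" flag="required">` entry whose module-options carry the four assumed names. Leaving nestRoles unset keeps the 3.2.5 behaviour the release note wants (roles from several stacked modules merge into one "Roles" group); setting it to true restores nesting for this module only.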

                            • 11. Re: ssl in jboss 3.2.5 is broken
                              osf_lover

                              Sorry to get back to you so late.

                              In JBoss 3.2.5, request.getUserPrincipal() returns "Identity(members:user1)" instead of user1. That's the reason my CustomRealm code fails to look up the user details.

                              Now my questions are
                              1) request.getUserPrincipal() should return user1 instead of "Identity(members:user1)", shouldn't it?
                              2) What's the best way to get user1 out of request.getUserPrincipal()?

                              tia
                              krishna
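The thread ends on that question. As an added example (not an answer from any participant and not JBoss code), here is a small defensive helper for the web tier: "Identity(members:user1)" is the shape a JBoss SimpleGroup prints, which means the principal handed to the container is a Group named Identity containing user1 rather than user1 itself. The durable fix belongs in the login module's getIdentity(), but a JSP or custom realm can still recover the name by walking the group's members. The demo inputs in main() are constructed for this example, and the class name and package-less layout are assumptions; running it needs jbosssx.jar on the classpath.

```java
// Added example, not code from the thread or from JBoss: recover the caller's
// name when the container supplies a Group principal (possibly nested, as a
// 3.2.4 NestableGroup would be) instead of a plain principal.
import java.security.Principal;
import java.security.acl.Group;
import java.util.Enumeration;
import org.jboss.security.NestableGroup;
import org.jboss.security.SimpleGroup;
import org.jboss.security.SimplePrincipal;

public final class CallerName {
    private CallerName() { }

    /** Name of the first non-Group principal reachable from p, or null if there is none. */
    public static String of(Principal p) {
        if (p == null) return null;
        if (!(p instanceof Group)) return p.getName();
        Enumeration members = ((Group) p).members();
        while (members.hasMoreElements()) {
            String name = of((Principal) members.nextElement());   // groups may nest
            if (name != null) return name;
        }
        return null;   // an empty group carries no identity
    }

    public static void main(String[] args) {
        // Constructed inputs: a 3.2.5-style flat group, a 3.2.4-style nested
        // group around it, the plain principal a module should return, and an
        // empty group that must not be mistaken for a user.
        SimpleGroup flat = new SimpleGroup("Identity");
        flat.addMember(new SimplePrincipal("user1"));
        NestableGroup nested = new NestableGroup("Identity");
        nested.addMember(flat);
        System.out.println(flat + " -> " + of(flat));
        System.out.println(nested + " -> " + of(nested));
        System.out.println(new SimplePrincipal("user1") + " -> " + of(new SimplePrincipal("user1")));
        System.out.println(new SimpleGroup("Identity") + " -> " + of(new SimpleGroup("Identity")));
    }
}
```

In the JSP from the thread the call would be `dao.getUserEntry(CallerName.of(request.getUserPrincipal()))` if getUserEntry accepts a name, and the null return should be checked before dereferencing the result. Treat the helper as a compatibility shim only: it masks a module that is returning the wrong principal type, and a group with several members gives no guarantee about which one comes back first.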